Computer Hacking Forensic Investigator (CHFI) — Questions 451-525

1000 questions total · 14 pages · All types, answers revealed


Page 7 of 14

451
MCQ · easy

During a mobile forensic examination of an iPhone, the examiner wants to acquire the most data possible, including deleted files and unallocated space. Which acquisition type should be used?

A. File system acquisition
B. Logical acquisition
C. Physical acquisition
D. Manual acquisition
Answer: C

Physical acquisition creates a bit-for-bit image of the device's storage, including deleted and unallocated areas.

Why this answer

Physical acquisition creates a bit-for-bit copy of the entire flash storage, including unallocated space and deleted file remnants. This is the only method that captures the raw NAND memory, allowing recovery of data from unallocated blocks and slack space that logical and file system acquisitions skip.

Exam trap

Cisco often tests the misconception that logical acquisition (Option B) captures deleted data because it includes the iTunes backup, but backups exclude unallocated space and deleted file remnants.

How to eliminate wrong answers

Option A is wrong because file system acquisition only retrieves allocated files and metadata visible to the operating system, ignoring unallocated space and deleted data. Option B is wrong because logical acquisition extracts files and directories via the iOS API (e.g., iTunes backup), which excludes unallocated space and deleted file remnants. Option D is wrong because manual acquisition involves physically interacting with the device screen to capture visible data, providing no access to the underlying storage or deleted content.

452
MCQ · hard

You are a first responder for a medium-sized company with 500 employees. The incident response team has been alerted to a possible data breach involving the CEO's laptop, which is a Windows 10 system. The CEO reports that the laptop has been acting strangely, with unusual pop-ups and slow performance. The laptop is currently powered on and connected to the corporate network via Wi-Fi. The CEO is logged in and has several applications open, including email and a web browser. The security team suspects malware may be exfiltrating sensitive documents. As the first responder, you must decide the best course of action to preserve evidence and contain the threat while minimizing impact on business operations. Which action should you take FIRST?

A. Capture a full memory dump using a forensic tool like FTK Imager or WinPmem.
B. Disconnect the laptop from the corporate network immediately to stop any ongoing data exfiltration.
C. Create a forensic image of the hard drive using a write blocker.
D. Shut down the laptop to prevent further damage and preserve the disk.
Answer: A

Memory capture preserves the most volatile evidence and should be the first step.

Why this answer

The correct first action is to capture a full memory dump using a forensic tool like FTK Imager or WinPmem. Since the laptop is powered on and malware is suspected, volatile data (including running processes, network connections, and encryption keys) is at risk of being lost. Preserving RAM is the highest priority in live incident response because it contains evidence of active malware and ongoing exfiltration that would be lost upon shutdown or disconnection.

Exam trap

EC-Council often tests the principle of 'order of volatility' (RFC 3227), where candidates mistakenly prioritize network disconnection or disk imaging over capturing volatile memory, which is the most fragile and time-sensitive evidence.

How to eliminate wrong answers

Option B is wrong because disconnecting the network immediately may alert the attacker, cause the malware to trigger anti-forensic routines (e.g., wiping memory or encrypting files), and does not preserve volatile evidence. Option C is wrong because creating a forensic image of the hard drive with a write blocker is a disk-focused step that should occur after memory capture; it does not address the immediate need to preserve volatile data and may be hindered by active malware. Option D is wrong because shutting down the laptop destroys all volatile data (RAM, network state, running processes) and may cause the malware to lose its persistence mechanism or trigger destructive actions, making forensic analysis impossible.

453
MCQ · medium

An analyst examining Apache access logs finds the following entry: `192.168.1.10 - - [10/Oct/2023:13:55:36 -0400] "GET /search.php?q=1'%20OR%20'1'='1 HTTP/1.1" 200 5324 "-" "Mozilla/5.0"`. Which of the following attacks is MOST likely occurring?

A. SQL injection
B. Cross-site scripting (XSS)
C. Remote file inclusion
D. Path traversal
Answer: A

The payload contains SQL code trying to manipulate the query.

Why this answer

The log shows a URI parameter containing SQL injection syntax (1' OR '1'='1). The single quote and OR condition are classic indicators of SQL injection attempts.

454
Multi-Select · easy

Which TWO of the following are valid reasons for using a hardware write blocker during disk acquisition? (Choose two.)

Select 2 answers
A. It compresses the acquired data to save storage space
B. It increases the speed of data acquisition
C. It allows the source drive to be connected to a forensic workstation without risking modification
D. It prevents any accidental writes to the source drive
E. It creates a forensic image of the drive
Answers: C, D

The write blocker presents the drive as read-only to the host system.

Why this answer

A hardware write blocker is a device that sits between the source drive and the forensic workstation, intercepting and blocking any write commands from the host operating system. This ensures that the source drive is connected in a read-only state, preventing any accidental modifications to the evidence during acquisition. Option C correctly identifies this core function of preserving the integrity of the source drive.

Exam trap

EC-Council often tests the distinction between the function of a hardware write blocker (write prevention) and the function of forensic imaging software (image creation and compression), leading candidates to incorrectly attribute software features to the hardware device.

455
Multi-Select · easy

During a cloud forensic investigation of an AWS EC2 instance, which TWO sources should be preserved to capture volatile data before instance termination?

Select 2 answers
A. Memory dump of the instance
B. VPC flow logs
C. Disk snapshot (EBS snapshot)
D. S3 server access logs
E. AWS CloudTrail logs
Answers: A, C

A memory dump captures volatile data from RAM.

Why this answer

A memory dump of the EC2 instance captures RAM contents, including running processes, network connections, encryption keys, and other volatile data that is lost when the instance is terminated. This is critical for forensic analysis of live system state. An EBS snapshot preserves the root and data volumes, providing a point-in-time copy of the file system and persistent storage, which is also lost upon termination.

Exam trap

EC-Council often tests the distinction between volatile data (lost on termination) and persistent logs (stored externally), leading candidates to mistakenly include VPC flow logs or CloudTrail logs as sources of volatile data.

456
Multi-Select · medium

During a mobile forensics investigation of an Android device, the examiner finds that the user's Google account data is stored locally. Which TWO of the following artefacts are typically stored in the device's /data/system/ or /data/data/ directories related to Google account information?

Select 2 answers
A. accounts.db
B. GoogleLoginService.java
C. contacts.db
D. SMS.db
E. GoogleLoginService accounts and tokens
Answers: A, E

Accounts.db contains account credentials and sync settings.

Why this answer

The accounts.db file in /data/system/ is the SQLite database that stores all Google account credentials, including email addresses and authentication tokens used by the Android Account Manager. This is a primary artifact for identifying which Google accounts were configured on the device and their sync status.

Exam trap

EC-Council often tests the distinction between source code files (like .java) and compiled runtime artifacts, leading candidates to confuse AOSP source code with actual device-stored data.

457
MCQ · hard

A forensic investigator analyzing a RAID 5 array of three disks notices that one disk has failed. Can the investigator still reconstruct the data?

A. Yes, using the parity information from the remaining disks
B. No, RAID 5 requires all disks to be present
C. Yes, but only if the failed disk is the parity disk
D. No, because RAID 5 does not support hot swapping
Answer: A

RAID 5 uses parity to reconstruct data from a single failed disk.

Why this answer

RAID 5 uses distributed parity. With one disk failure, data can be reconstructed using the parity information on the remaining two disks.

458
MCQ · easy

In a macOS forensic investigation, which log system provides a timeline of high-level system events such as application launches and user logins?

A. syslog
B. FSEvents
C. .plist files
D. Unified logging
Answer: B

FSEvents logs file system events, useful for timeline analysis on macOS.

Why this answer

FSEvents is a macOS logging system that records changes to the file system, including application launches and user logins, providing a timeline of system activity.

459
MCQ · hard

An analyst performs forensic imaging using the command: `dcfldd if=/dev/sda of=image.dd hash=sha256 hashlog=hash.txt bs=4096 conv=noerror,sync`. What is the PRIMARY purpose of the `hash=sha256` and `hashlog=hash.txt` parameters?

A. To encrypt the image file to prevent unauthorized access.
B. To compress the image to save disk space.
C. To ensure the image is an exact bit-for-bit copy and provide an integrity check.
D. To split the image into smaller chunks for easier transport.
Answer: C

Hashing calculates a digital fingerprint. If the hash matches later, the image has not been altered.

Why this answer

The `hash=sha256` parameter instructs dcfldd to compute a SHA-256 hash of the input data as it is read, and `hashlog=hash.txt` writes that hash value to a separate file. This allows the analyst to later verify that the forensic image (`image.dd`) is an exact bit-for-bit copy of the source (`/dev/sda`) by recomputing the hash and comparing it to the stored value, ensuring data integrity and admissibility in court.

Exam trap

EC-Council often tests the distinction between hashing (integrity) and encryption (confidentiality), so the trap here is that candidates confuse the purpose of a hash algorithm with that of an encryption cipher, leading them to incorrectly select Option A.

How to eliminate wrong answers

Option A is wrong because hashing (SHA-256) is a one-way cryptographic function used for integrity verification, not encryption; it does not protect the image from unauthorized access. Option B is wrong because dcfldd does not compress data; the `conv=noerror,sync` parameter handles error recovery, and hashing adds no compression—disk space is not saved. Option D is wrong because dcfldd does not split the output into chunks; the `of=image.dd` writes a single contiguous file, and splitting would require additional parameters like `split=...` or a separate tool.

460
MCQ · hard

In a Google Cloud Platform (GCP) environment, a forensic investigator needs to determine who deleted a Cloud Storage bucket and when. Which log type should be queried to obtain this information?

A. Cloud Monitoring metrics
B. VPC flow logs
C. Cloud Storage access logs
D. Cloud Audit Logs (Admin Activity)
Answer: D

Admin Activity audit logs capture all API calls that modify configuration or metadata, including bucket deletion.

Why this answer

GCP Cloud Audit Logs record admin activities like bucket deletion. Cloud Storage logs (access logs) record object-level operations but not bucket deletion by IAM users.

461
MCQ · hard

You are investigating a network breach at a financial institution. The perimeter firewall logs show an inbound connection from IP 203.0.113.5 to the internal web server (192.168.1.10) on TCP port 443 at 02:34:12 UTC. At 02:34:15, an outbound connection from the web server to an external IP 198.51.100.20 on TCP port 80 is logged. Simultaneously, a network intrusion detection system (NIDS) detected a SQL injection payload in the inbound HTTP request. The web server's access logs show a successful login to the admin panel at 02:34:18 from the same external IP 203.0.113.5. The database server (192.168.1.20) logs show a query execution at 02:34:20 that exported customer records. The company uses a jump box for administrative access, and all admin sessions are logged. The jump box logs show no activity during the incident. The web server hosts a public-facing application and is in a DMZ. The database server is in the internal network, with a firewall rule allowing only the web server to connect to it on TCP port 3306. Which course of action is MOST appropriate to determine the root cause and scope?

A. Correlate the database server logs with the web server logs to identify which records were queried and verify if they were exfiltrated via the outbound HTTP connection.
B. Immediately isolate the web server from the network to prevent further data exfiltration, then perform memory forensics to find any malware.
C. Check the NTP logs to see if the timestamps are accurate, as the attack may be a time-based SQL injection.
D. Extract and analyze the full packet capture from the firewall to identify the SQL injection payload and any encrypted traffic.
Answer: A

This directly determines the scope of data loss and confirms exfiltration.

Why this answer

Option A is correct because correlating the database server logs with the web server logs allows you to identify exactly which customer records were queried and then cross-reference that with the outbound HTTP connection (from the web server to 198.51.100.20 on TCP port 80) to determine if the data was exfiltrated. This approach directly addresses both the root cause (SQL injection via the inbound request) and the scope (which records were stolen and how they left the network).

Exam trap

EC-Council often tests the misconception that immediate containment (Option B) is always the first step, but in forensic investigations, preserving evidence and correlating logs to determine scope takes precedence over reactive isolation.

How to eliminate wrong answers

Option B is wrong because immediately isolating the web server would destroy volatile evidence (e.g., memory, active connections) and prevent further forensic analysis of the ongoing exfiltration; the priority is to preserve logs and correlate data, not to blindly contain. Option C is wrong because NTP log accuracy is irrelevant to the attack vector—SQL injection is a code injection technique, not a time-based attack that relies on timestamp manipulation; the timestamps are already consistent across logs. Option D is wrong because while packet capture could reveal the SQL injection payload, the traffic to port 443 (HTTPS) is encrypted, so the payload would not be visible in plaintext; moreover, the outbound connection on port 80 is unencrypted, but the focus should be on log correlation to determine scope, not just payload extraction.

462
Multi-Select · easy

Which TWO of the following are essential requirements for a computer forensics lab according to best practices?

Select 2 answers
A. Uninterruptible power supply (UPS) and surge protectors
B. Offsite cloud storage for all case files
C. Shared workstations to reduce hardware costs
D. Restricted access with visitor logs and biometric authentication
E. Open wireless network for flexibility
Answers: A, D

Clean power is critical to protect forensic equipment and prevent data loss.

Why this answer

A is correct because a UPS provides temporary power during outages to prevent data loss or corruption during forensic imaging, while surge protectors guard against voltage spikes that could damage sensitive lab equipment. Best practices require both to ensure chain of custody integrity and hardware reliability.

Exam trap

EC-Council often tests the misconception that cloud storage is acceptable for forensic labs, but candidates must remember that chain of custody and jurisdictional control require local, encrypted storage with strict access logging.

463
Multi-Select · medium

A forensic investigator is examining a Linux system compromised via a web application. Which THREE artifacts should the investigator prioritize to determine the attacker's entry point and post-exploitation activities?

Select 3 answers
A. /home/compromised_user/.bash_history
B. /etc/shadow
C. /var/log/auth.log
D. Cron job entries in /etc/crontab
E. Web server access logs (e.g., /var/log/apache2/access.log)
Answers: A, C, E

Bash history shows commands executed by the attacker after gaining access.

Why this answer

The web server logs (access.log) can show the initial exploit request. auth.log may show authentication events if credentials were used. bash_history can reveal commands executed after compromise. Cron jobs are persistence mechanisms, not the entry point. /etc/shadow stores password hashes, not attack details.

464
MCQ · medium

During a forensic examination of a Mac system, an investigator needs to recover a historical record of file system events, such as file modifications and deletions. Which artifact should they examine?

A. .plist files
B. Unified logging
C. Syslog
D. FSEvents
Answer: D

FSEvents is a Mac feature that records changes to the file system, including modifications and deletions.

Why this answer

FSEvents logs file system changes on macOS, recording events like file creation, modification, and deletion in a binary log.

465
MCQ · medium

A forensic examiner is analyzing an Android device that has been factory reset. Which artefact is MOST likely to persist after a factory reset, providing potential evidence of prior usage?

A. Google account artefacts
B. App installation logs
C. Deleted SMS messages
D. Wi-Fi passwords
Answer: A

Google account credentials may be stored in the Google backup and could be restored after reset, or remnants may exist in the cloud.

Why this answer

Google account artefacts, such as the Google Services Framework (GSF) ID and the device's Google Account (GAIA) ID, are stored in the /data/system/ partition and are often retained even after a factory reset because the reset does not always wipe the cryptographic keys or the persistent data blocks used by Google's sync services. This allows forensic tools to recover the previously synced account details, providing evidence of prior usage.

Exam trap

The trap here is that candidates assume a factory reset wipes all user data completely, but EC-Council often tests the nuance that certain system-level identifiers like Google account artefacts persist because they are stored in areas not fully erased by a standard reset, unlike user-generated data such as SMS or Wi-Fi passwords.

How to eliminate wrong answers

Option B is wrong because app installation logs are stored in /data/log/ or /data/system/packages.xml, which are cleared during a factory reset that reformats the /data partition, leaving no persistent trace. Option C is wrong because deleted SMS messages reside in the /data/data/com.android.providers.telephony/databases/mmssms.db file, which is fully wiped when the /data partition is reformatted during a factory reset, and they are not backed up to Google servers by default. Option D is wrong because Wi-Fi passwords are stored in /data/misc/wifi/wpa_supplicant.conf, which is deleted when the /data partition is wiped, and while some devices may retain them in a separate persist partition, a standard factory reset removes them.

466
MCQ · medium

A forensic investigator uses the 'dd' command to create a forensic image. The original drive has a SHA-256 hash of a1b2c3... and the image produces the same hash. Which rule of evidence does this satisfy?

A. Reliability
B. Authenticity
C. Completeness
D. Admissibility
Answer: B

Authenticity verifies that the evidence has not been altered; identical hashes demonstrate integrity.

Why this answer

Authenticity means evidence is what it purports to be. Matching hashes confirms the image is an exact copy, thus authentic.

467
MCQ · medium

During a forensic investigation of a compromised Linux server, an investigator needs to recover deleted files from an ext4 filesystem. Which method should the investigator use to maximize recovery of file content, considering the filesystem may have been partially overwritten?

A. Use 'foremost' to carve files based on file headers and footers.
B. Use 'grep -a' to search the raw disk for file signatures.
C. Use 'scalpel' to perform a deep scan of the filesystem.
D. Use 'extundelete' to recover files from the ext4 filesystem.
Answer: A

Foremost is a file carving tool that recovers files by scanning for known headers/footers, making it effective for partially overwritten filesystems.

Why this answer

Foremost is the correct choice because it performs file carving based on headers and footers, which can recover file content even when the filesystem metadata (such as inodes) is damaged or partially overwritten. Unlike undelete tools that rely on intact filesystem structures, foremost scans the raw disk blocks for known file signatures, making it effective for recovering files from an ext4 filesystem that has experienced partial overwriting.

Exam trap

EC-Council often tests the distinction between file carving tools (like foremost) and filesystem-specific recovery tools (like extundelete), trapping candidates who assume that a filesystem utility is always the best choice for recovery, even when the filesystem metadata is compromised.

How to eliminate wrong answers

Option B is wrong because 'grep -a' treats the raw disk as text and searches for patterns, but it does not reconstruct files based on headers and footers, so it cannot reliably recover complete file content. Option C is wrong because 'scalpel' is a file carving tool similar to foremost, but it is not the best choice here as it is less actively maintained and may not support as many file types out of the box; foremost is the more standard and recommended tool for this scenario. Option D is wrong because 'extundelete' relies on the ext4 filesystem's journal and inode metadata to recover deleted files, and if the filesystem has been partially overwritten, this metadata may be corrupted or missing, leading to incomplete or failed recovery.

468
Multi-Select · medium

Which TWO of the following are tools commonly used for network forensics analysis? (Select two.)

Select 2 answers
A. tcpdump
B. Autopsy
C. Volatility
D. dd
E. Wireshark
Answers: A, E

tcpdump is a command-line packet capture tool used in network forensics.

Why this answer

Wireshark and tcpdump are standard tools for capturing and analyzing network packets. Volatility is for memory forensics, Autopsy is for disk forensics, and dd is for disk imaging.

469
MCQ · medium

A forensic analyst is examining browser history from a Chrome installation on a Windows system. Where is the Chrome history database typically stored?

A. %APPDATA%\Mozilla\Firefox\Profiles\
B. %WINDIR%\System32\config\
C. %USERPROFILE%\Favorites\
D. %LOCALAPPDATA%\Google\Chrome\User Data\Default\History
Answer: D

This is the default location for Chrome's history database.

Why this answer

Chrome stores history in an SQLite database file named 'History' located in the user's default profile directory under %LOCALAPPDATA%\Google\Chrome\User Data\Default\.

470
MCQ · easy

A security analyst reviews Windows Security Event Log and finds multiple Event ID 4625 entries for a single user account within a few seconds. What does this pattern MOST likely indicate?

A. Service installation
B. Account creation
C. Brute-force password attack
D. Successful logon by the user
Answer: C

Multiple rapid 4625 events indicate repeated failed logins typical of brute force.

Why this answer

Event ID 4625 indicates a failed logon attempt. Multiple rapid failures suggest a brute-force password guessing attack.

471
Drag & Drop · medium

Drag and drop the steps to recover deleted files using Recuva into the correct order.


Why this order

File recovery involves selecting type, location, scanning, and saving to a different drive.

472
MCQ · medium

During a forensic acquisition of a suspect's SSD, the analyst notices that the drive supports TRIM. Which of the following is the most important consideration when acquiring the drive to preserve deleted data?

A. Perform a full format of the SSD before acquisition to clear any TRIM-related issues
B. Use a hardware write-blocker and acquire the drive immediately to minimize TRIM interference
C. Enable TRIM in the forensic tool to ensure the drive is optimized before imaging
D. The SSD should be powered on for several hours to allow TRIM to complete before imaging
Answer: B

Immediate acquisition with a write-blocker prevents further TRIM commands from destroying data.

Why this answer

TRIM causes the SSD to erase deleted blocks immediately, making recovery impossible. Imaging the drive as soon as possible and using a write-blocker can prevent further TRIM commands.

473
MCQ · hard

A forensic analyst is investigating a network breach and finds that the attacker used a technique that bypasses Network Access Control (NAC). Which of the following methods is commonly used to evade 802.1X authentication?

A. MAC address spoofing
B. VLAN hopping using double tagging
C. DNS tunneling to exfiltrate data
D. ARP poisoning to redirect traffic
Answer: A

Spoofing the MAC of an authorized device can allow the attacker to authenticate via 802.1X.

Why this answer

MAC address spoofing is commonly used to bypass 802.1X authentication because 802.1X typically authenticates devices based on their MAC address after the EAP (Extensible Authentication Protocol) handshake. By spoofing the MAC address of an already-authenticated device, the attacker can impersonate that device and gain network access without valid credentials, effectively bypassing the NAC enforcement.

Exam trap

The trap here is that candidates often confuse MAC address spoofing with ARP poisoning or VLAN hopping, thinking that any network-layer attack can bypass NAC, but 802.1X specifically relies on MAC-based port security after authentication, making MAC spoofing the direct bypass method.

How to eliminate wrong answers

Option B is wrong because VLAN hopping using double tagging is a technique to gain unauthorized access to traffic on a different VLAN by manipulating 802.1Q tags, but it does not bypass 802.1X authentication itself; it exploits switch configuration after authentication. Option C is wrong because DNS tunneling is a data exfiltration method that encodes data in DNS queries and responses, not a technique to evade NAC or 802.1X authentication. Option D is wrong because ARP poisoning is a man-in-the-middle attack that redirects traffic by corrupting ARP caches, but it does not bypass the initial 802.1X authentication process; it operates after the attacker has already gained network access.

474
Multi-Select · medium

A forensic analyst is examining an iOS device backup and wants to extract call history records. Which SQLite databases and/or files contain relevant call history data? (Select TWO.)

Select 2 answers
A. Notes.sqlite
B. SMS.db
C. AddressBook.db
D. Calendar.sqlite
E. call_history.db
Answers: C, E

AddressBook.db contains contact names and phone numbers that can be correlated with call records.

Why this answer

Option C is correct because the AddressBook.db (or Contacts.sqlitedb on newer iOS versions) stores contact information, and call history records are linked to contacts via the `call_history.db` file. The `call_history.db` database contains the actual call log entries, including timestamps, durations, and associated contact identifiers. Together, these two databases allow an analyst to reconstruct call history with contact names.

Exam trap

EC-Council often tests the misconception that SMS.db contains call logs because both involve communication records, but SMS.db is strictly for text messages and iMessages, not voice call history.

475
MCQ · easy

During a forensic analysis of an NTFS volume, an investigator finds a file that appears to be hidden. Which NTFS feature allows data to be stored in a file without affecting the file's visible size in the directory listing?

A. Alternate Data Streams (ADS)
B. Volume Shadow Copy
C. USN Journal
D. Master File Table ($MFT)
Answer: A

ADS is an NTFS feature that allows multiple data streams to be associated with a file, and it is often used to hide data.

Why this answer

Alternate Data Streams (ADS) in NTFS allow data to be attached to a file, and the size is not shown in the main directory listing.

476
MCQ · hard

During a forensic investigation of a Microsoft SQL Server, you find the transaction log contains the following: LOP_BEGIN_XACT, LOP_INSERT_ROWS, LOP_COMMIT_XACT for a table named 'CreditCards', with a timestamp just before a known data breach. The log also shows a bulk insert operation. What does this indicate?

A. A scheduled backup
B. Data exfiltration via the transaction log
C. A SQL injection attack on the database
D. Normal database maintenance
Answer: B

The INSERT operations on a sensitive table, especially bulk, indicate data theft.

Why this answer

A transaction log showing INSERT operations on a sensitive table, especially with bulk insert, is strong evidence of data exfiltration. The timing and table name suggest unauthorized copying of credit card data.

477
MCQ · medium

An analyst runs 'foremost -i disk.dd -o output' and recovers several JPEG files. However, some files are corrupted or incomplete. What is the most likely cause?

A. The files were fragmented across the disk, and foremost did not reassemble fragments
B. The files were stored in a journaling file system that overwrites deleted data quickly
C. The output directory had insufficient space to store the recovered files
D. The disk image contains bad sectors that could not be read
Answer: A

Foremost typically stops at the first footer or maximum file size; it doesn't handle fragmentation.

Why this answer

Foremost uses file headers/footers for carving. If the file was fragmented, the tool may only recover the first fragment, leading to corruption.

478
MCQ · hard

A Windows system has been compromised. The analyst finds a registry run key at HKCU\Software\Microsoft\Windows\CurrentVersion\Run with value name 'UpdateService' pointing to C:\Users\Public\svchost.exe. Why is this particularly suspicious?

A. The path is not typical for svchost.exe, which resides in System32
B. Run keys are only for startup programs, not services
C. The run key is disabled in Windows 10
D. The registry value name 'UpdateService' is too generic
Answer: A

svchost.exe should never be in a user profile folder.

Why this answer

The legitimate svchost.exe runs from C:\Windows\System32, not from C:\Users\Public. This is a common masquerading technique where malware uses a system process name in a user-writable location.

479
MCQ · hard

An analyst suspects a Windows executable is packed. They run `strings` on the file and see few readable strings, and PEiD reports 'UPX 0.89.6 - 1.02 / 1.05 - 1.24'. Which static analysis technique should the analyst use NEXT to extract the original code?

A. Use UPX with the -d flag to decompress the executable
B. Search for known YARA rules matching UPX
C. Run the executable in Cuckoo Sandbox to obtain dynamic analysis
D. Load the file into IDA Pro and attempt to disassemble directly
Answer: A

UPX can decompress its own packed files. Running `upx -d file.exe` will restore the original code for further analysis.

Why this answer

Option A is correct because UPX (Ultimate Packer for Executables) is a common packer that compresses Windows executables. The PEiD output 'UPX 0.89.6 - 1.02 / 1.05 - 1.24' confirms the file is packed with UPX. Running `upx -d` (decompress) reverses the packing, restoring the original executable code for static analysis.

This is the standard next step before attempting disassembly or dynamic analysis.

Exam trap

Cisco often tests the distinction between detection (YARA), dynamic analysis (sandbox), and direct disassembly (IDA) versus the correct unpacking step, trapping candidates who think any analysis tool can handle packed files without prior decompression.

How to eliminate wrong answers

Option B is wrong because searching for YARA rules matching UPX would only confirm the packer's presence, not extract the original code; it's a detection step, not a decompression technique. Option C is wrong because running the executable in Cuckoo Sandbox is dynamic analysis, which risks executing potentially malicious code and does not directly extract the original packed code for static analysis. Option D is wrong because loading a UPX-packed executable directly into IDA Pro results in disassembly of the UPX stub, not the original program code; the stub must be decompressed first.

480
MCQmedium

In Docker forensics, which of the following commands would you use to inspect the history of an image, including the commands that created each layer?

A.docker image ls
B.docker history
C.docker logs
D.docker inspect
AnswerB

'docker history' displays the image's layer history with build commands.

Why this answer

The 'docker history' command shows the history of an image, listing each layer and the command that created it.

481
MCQmedium

In the context of the UK Police and Criminal Evidence Act (PACE), which of the following is a key requirement for the admissibility of digital evidence?

A.The evidence must be stored on a write-protected medium
B.The evidence must be reviewed by an independent third party
C.The evidence must be encrypted at all times
D.The evidence must be obtained lawfully and without oppression
AnswerD

PACE emphasizes lawful acquisition and prohibits oppression to ensure evidence is admissible.

Why this answer

PACE requires that evidence is not obtained through oppression or in violation of legal procedures, ensuring reliability and fairness.

482
Multi-Selecthard

A security team is investigating a suspected Advanced Persistent Threat (APT) intrusion. They have identified several IoCs. Which THREE of the following are considered standard types of Indicators of Compromise?

Select 3 answers
A.Employee badge number
B.IP address of a command and control server
C.MD5 hash of a malicious executable
D.Registry key path used for persistence
E.Email subject line from a phishing campaign
AnswersB, C, D

C2 IP addresses, file hashes, and persistence registry keys are all standard IoCs; badge numbers and subject lines are not.

Why this answer

Option B is correct because IP addresses of command and control (C2) servers are a standard type of Indicator of Compromise (IoC). They represent network-based IoCs that allow defenders to identify and block communication between compromised hosts and attacker-controlled infrastructure, often used in conjunction with firewall logs or DNS queries. Options C and D are correct because file hashes (such as an MD5 of a malicious executable) and registry key paths used for persistence are standard host-based IoCs that can be matched against endpoints to find compromised systems.

Exam trap

EC-Council often tests the distinction between technical IoCs (like IP addresses, hashes, registry keys) and non-technical or variable indicators (like employee IDs or email subject lines), trapping candidates who confuse phishing campaign metadata with standard forensic IoCs.

483
MCQeasy

Which of the following is a primary challenge in cloud forensics due to the shared responsibility model?

A.Absence of forensic tools
B.Inability to perform network analysis
C.Lack of logging capabilities
D.Multi-tenancy and data segregation
AnswerD

Multi-tenancy makes it difficult to isolate a customer's data without affecting others.

Why this answer

Multi-tenancy means data from multiple customers may reside on the same physical hardware, complicating isolation and acquisition of evidence.

484
MCQmedium

During a forensic examination of an ext4 filesystem, the analyst discovers that a suspicious file was deleted but the inode still exists in the filesystem. Which of the following techniques would MOST likely recover the file's data?

A.Use the `debugfs` utility with the `undel` command
B.Analyze the USN journal in NTFS
C.Run PhotoRec to carve unallocated space
D.Mount the filesystem and copy the file
AnswerA

debugfs can recover deleted files if the inode is still intact.

Why this answer

In ext4, when a file is deleted, the inode is marked as free but its data blocks may remain on disk. The debugfs utility's lsdel (list deleted inodes) and undel commands can locate the deleted inode and restore it together with the data blocks it still references.

485
MCQeasy

During a mobile forensic investigation of an iPhone, the examiner extracts data using a physical acquisition method. Which of the following BEST describes the level of data recovery achieved by this method?

A.It recovers the file system but not deleted files
B.It extracts data via the user interface by manually interacting with the device
C.It recovers only logical files visible to the operating system
D.It creates a bit-for-bit copy of the entire flash memory, including deleted files and unallocated space
AnswerD

This defines physical acquisition.

Why this answer

Physical acquisition creates a bit-for-bit copy of the entire flash memory, including deleted files and unallocated space, providing the most complete data recovery.

486
Multi-Selectmedium

During a macOS forensic investigation, which TWO artifacts would be MOST helpful in determining when a file was downloaded from the internet?

Select 2 answers
A.Kernel logs
B..plist files in ~/Library/Preferences
C.Quarantine database
D.FSEvents
E.Apple Unified Logging
AnswersC, E

Quarantine stores information about downloaded files, including timestamps and origin.

Why this answer

The unified logging system records download events, and the Quarantine database (com.apple.quarantine extended attribute or SQLite DB) tracks downloaded files with timestamps and source URLs.

487
MCQeasy

A forensic investigator needs to analyze the keychain data from an iOS device backup. Which tool is specifically designed to decrypt and display iOS keychain contents?

A.Elcomsoft Phone Breaker
B.Cellebrite UFED
C.Oxygen Forensic Detective
D.Magnet AXIOM
AnswerA

Elcomsoft Phone Breaker can decrypt iOS backups and keychain items, including passwords and tokens.

Why this answer

Elcomsoft Phone Breaker is specifically designed to decrypt and display iOS keychain contents from backups, including passwords, tokens, and cryptographic keys. It leverages techniques such as brute-force, dictionary attacks, and GPU acceleration to recover the backup password, then extracts and decrypts the keychain data using iOS's Keychain Services API.

Exam trap

Cisco often tests the misconception that general-purpose forensic tools like Cellebrite UFED or Magnet AXIOM can decrypt iOS keychain natively, when in fact only specialized tools like Elcomsoft Phone Breaker are designed for that specific task.

How to eliminate wrong answers

Option B (Cellebrite UFED) is wrong because it is a physical extraction and analysis tool for mobile devices, not specialized in decrypting iOS keychain data; it focuses on file system and logical extractions. Option C (Oxygen Forensic Detective) is wrong because it is a comprehensive forensic platform for mobile and cloud data, but it does not have native keychain decryption capabilities; it relies on third-party tools or manual extraction. Option D (Magnet AXIOM) is wrong because it is a digital forensic platform that processes artifacts from multiple sources, but it does not include a dedicated iOS keychain decryptor; it may import keychain data but cannot decrypt it natively.

488
MCQeasy

An analyst examines the following Apache access log entry: `192.168.1.10 - - [10/Jan/2023:13:45:22 +0000] "GET /search.php?q=1%27%20UNION%20SELECT%201,2,3-- HTTP/1.1" 200 1234 "-" "Mozilla/5.0"`. Which attack is MOST likely indicated?

A.Path Traversal
B.SQL Injection
C.Cross-Site Scripting (XSS)
D.Remote File Inclusion
AnswerB

The UNION SELECT statement in the query parameter is a SQL injection technique to extract data from the database.

Why this answer

The log shows a UNION SELECT statement in the query parameter, indicating a SQL injection attempt. The URL-encoded single quote (') and comment (--) are classic SQLi payloads.

489
Multi-Selectmedium

Which TWO of the following are indicators of a webshell on a web server? (Select TWO.)

Select 2 answers
A.A file named 'cmd.php' with a modification date matching other legitimate files
B.The file contains system commands executed via GET or POST parameters
C.A recently modified file with a timestamp different from other files in the same directory
D.The server's index.html file is missing
E.The file is over 1 MB in size
AnswersB, C

Webshells commonly execute commands from input parameters.

Why this answer

Webshells often have recent modification times out of sync with other files, and they typically accept command parameters in GET/POST requests. Large file size alone is not definitive, and missing index.html is unrelated.

490
MCQhard

A forensic tool parses the Windows registry and reveals that a USB device with VID_0781&PID_5583 was last connected on 2023-10-01. Which registry key is the MOST likely source of this information?

A.HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR
B.HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account
C.HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USB
D.NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs
AnswerA

USBSTOR contains entries for USB mass storage devices, with VID/PID and connection timestamps.

Why this answer

USB device history is stored in the USBSTOR registry key, which enumerates devices by their Vendor ID (VID) and Product ID (PID).

491
MCQmedium

During a database forensic investigation, a MSSQL transaction log analysis reveals a series of INSERT statements that added records to a customer table, followed by a TRUNCATE TABLE statement. What does this pattern most likely indicate?

A.A database backup and restore operation
B.A scheduled data archiving process
C.An attacker exfiltrating data and then clearing the table to hide evidence
D.A DBA testing a new schema
AnswerC

INSERT adds data (exfiltration target), TRUNCATE hides the activity.

Why this answer

TRUNCATE TABLE removes all rows and is often used by attackers to cover tracks after exfiltration, while INSERT adds data (possibly exfiltrated or planted).

492
MCQhard

During a forensic examination of a compromised Windows server, you find a registry key under HKLM\SYSTEM\CurrentControlSet\Services that points to a malicious DLL. Which event ID would have been generated when this service was installed?

A.7045
B.4648
C.4720
D.4624
AnswerA

Event ID 7045 is the System log event written when a new service is installed.

Why this answer

Event ID 7045 is logged when a new service is installed on Windows.

493
Multi-Selectmedium

Which TWO of the following are valid methods to hide data on an NTFS volume? (Choose two.)

Select 2 answers
A.Storing data in the $Recycle.bin folder
B.Using the volume boot record
C.Using the MFT resident data area
D.Using Alternate Data Streams (ADS)
E.Using the USN journal
AnswersA, D

The $Recycle.bin folder can hide files by storing them in a special directory that is not easily visible.

Why this answer

Alternate Data Streams (ADS) allow data hiding in files, and the $Recycle.bin folder can be used to store deleted files that are not visible in normal browsing.

494
MCQmedium

During a forensic investigation, an analyst finds a file with a creation timestamp earlier than the volume's formatted timestamp. Which of the following is the most likely explanation?

A.The file is actually a link to another file, so its timestamps reflect the source
B.The file's timestamps were deliberately modified to mislead investigators
C.The system clock was incorrect at the time of file creation
D.The file was created on a different system and copied to this volume
AnswerB

Anti-forensics techniques like timestamp manipulation are used to confuse analysis.

Why this answer

File timestamps can be manipulated by anti-forensics tools. A creation time before the volume format is a strong indicator of timestamp manipulation.

495
MCQmedium

A forensic examiner is analyzing a Mac system and wants to review system logs that record various activities, including application launches and kernel events. Which logging system on macOS should be examined?

A..plist files
B.FSEvents
C.Unified logging (log command)
D.Console.app logs
AnswerC

Centralized logging system for macOS.

Why this answer

Unified logging (via log command) captures system and user activity in a centralized database, replacing traditional syslog.

496
MCQmedium

An analyst identifies an unknown binary running on a Linux server. Which /proc filesystem entry would provide the command-line arguments used to start the process?

A./proc/[pid]/maps
B./proc/[pid]/status
C./proc/[pid]/environ
D./proc/[pid]/cmdline
AnswerD

Contains the full command line of the process.

Why this answer

/proc/[pid]/cmdline contains the complete command line of the process, with each argument terminated by a NUL byte rather than a space.

497
MCQmedium

A Linux system administrator notices that the /var/log/auth.log file shows many 'Failed password for root' entries from a single IP address within a short timeframe. Which tool would BEST help the administrator block further access from that IP?

A.nmap
B.iptables
C.tcpdump
D.Wireshark
AnswerB

iptables can add a rule to drop packets from the offending IP.

Why this answer

iptables is a Linux firewall that can block IP addresses. fail2ban can automate this but is not listed; iptables is the direct tool.

498
MCQhard

During an iOS forensic examination of an iCloud backup, an analyst finds that the SQLite database files for the Health app are encrypted. Which component is MOST likely responsible for encrypting this data, and what is required to decrypt it?

A.The data is encrypted with the device's hardware UID; decryption is impossible without Apple's assistance.
B.The data is encrypted using Apple's FileVault; decryption requires the user's iCloud password.
C.The data is encrypted using SQLCipher; decryption requires a 256-bit key stored in the Keychain.
D.The data is protected by iOS Data Protection using a key derived from the device passcode; decryption requires the passcode or a forensic bypass tool.
AnswerD

Health data is protected by Data Protection, requiring the passcode for decryption.

Why this answer

Option D is correct because iOS Health app data is protected by iOS Data Protection, which uses a class key derived from the user's device passcode. This key encrypts the SQLite database files in iCloud backups, and decryption requires either the passcode or a forensic bypass tool that can extract the key from the device's Secure Enclave.

Exam trap

EC-Council often tests the distinction between device-level encryption (hardware UID) and iCloud backup encryption (passcode-derived keys), and the trap here is confusing SQLCipher (a third-party tool) with Apple's proprietary iOS Data Protection framework.

How to eliminate wrong answers

Option A is wrong because the hardware UID is used for device-level encryption of files on the local device, not for iCloud backup encryption; iCloud backups use a different key hierarchy involving the user's iCloud account and passcode. Option B is wrong because FileVault is a macOS full-disk encryption technology, not used on iOS or for iCloud backup encryption. Option C is wrong because SQLCipher is a third-party encryption library that apps can use, but Apple's Health app uses iOS Data Protection (Apple's built-in encryption framework), not SQLCipher; the key is derived from the passcode and stored in the Secure Enclave, not in the Keychain as a 256-bit key.

499
MCQhard

You are a forensic investigator responding to an incident at a financial institution. The organization uses Microsoft SQL Server 2016 for its transaction processing system. The database is configured with full recovery model and transaction log backups are taken every 15 minutes. The incident response team has identified that an attacker gained access to the database server via compromised credentials and executed a series of malicious SQL statements, including data exfiltration and deletion of critical records. The time of the attack is estimated to be between 2:00 PM and 2:05 PM. The last full backup was taken at 12:00 AM (midnight) the same day. Transaction log backups are available for the entire day. The last transaction log backup before the attack was taken at 1:45 PM. The next transaction log backup after the attack was taken at 2:15 PM. The database is still online and being used by the business. Management wants to recover the database to a point just before the attack (2:00 PM) to minimize data loss, while preserving evidence for investigation. Which of the following actions should you take FIRST?

A.Perform a tail-log backup of the database using the NORECOVERY option to capture all transactions since the last log backup.
B.Immediately restore the full backup from midnight and all transaction log backups up to 1:45 PM to a separate server for forensic analysis.
C.Shut down the SQL Server service to prevent further changes and then restore the database from backup.
D.Restore the database to a point in time using the full backup and all transaction log backups up to 1:45 PM, then apply the 2:15 PM backup to recover lost data.
AnswerA

This captures the current state, enabling point-in-time recovery and preserving evidence.

Why this answer

Performing a tail-log backup with NORECOVERY captures all transactions committed after the last log backup (1:45 PM) up to the current point in time, including the attack period. This preserves the database in a restoring state, preventing further changes while allowing point-in-time recovery to just before 2:00 PM. It is the mandatory first step to minimize data loss and maintain forensic integrity before any restore operations.

Exam trap

Cisco often tests the misconception that you should immediately restore from the last known good backup or shut down the server, when the correct first action is always to secure the current transaction log via a tail-log backup to capture all recent changes and enable precise point-in-time recovery.

How to eliminate wrong answers

Option B is wrong because restoring backups to a separate server for forensic analysis is a valid subsequent step, but it should not be performed first; the immediate priority is to capture the tail of the transaction log from the live database to avoid losing transactions that occurred after the last log backup. Option C is wrong because shutting down the SQL Server service would abruptly terminate the database and could corrupt the transaction log, potentially losing the tail-log data needed for point-in-time recovery; a controlled tail-log backup is required instead. Option D is wrong because applying the 2:15 PM backup would include the attacker's malicious transactions and deletions, which would reintroduce the compromised data and fail to achieve recovery to just before the attack.

500
MCQmedium

A security analyst is reviewing output from a Cuckoo Sandbox analysis of a suspicious executable. The report shows that the process created a mutex named 'Global\GLOBAL_MUTEX_123' and modified the registry key HKCU\Software\Microsoft\Windows\CurrentVersion\Run\. Which behavioral indicator is MOST evident?

A.Command and control communication
B.Persistence mechanism
C.Anti-debugging technique
D.Privilege escalation
AnswerB

The 'Run' key is a common persistence location to launch malware at startup.

Why this answer

The modification of the registry key HKCU\Software\Microsoft\Windows\CurrentVersion\Run is a classic persistence mechanism. This key is automatically processed by Windows Explorer at user logon, causing any executable listed there to run. Combined with the mutex creation (which prevents multiple instances), the behavioral indicator is clearly an attempt to establish persistence on the host.

Exam trap

EC-Council often tests the distinction between user-level persistence (HKCU Run) and system-level persistence (HKLM Run or services), and candidates may confuse the registry modification with privilege escalation or C2 activity because they see 'Run' and assume it implies higher privileges or network communication.

How to eliminate wrong answers

Option A is wrong because command and control communication typically involves network indicators such as DNS queries, HTTP/S connections to external IPs, or beaconing patterns, not registry modifications or mutex creation. Option C is wrong because anti-debugging techniques usually involve checking for the presence of a debugger via API calls like IsDebuggerPresent, NtQueryInformationProcess, or timing checks, not creating a mutex or writing to Run keys. Option D is wrong because privilege escalation involves gaining higher-level access rights, often via token manipulation, service exploitation, or UAC bypass; modifying the current user's Run key does not elevate privileges—it only runs code at the existing user's privilege level.

501
Multi-Selectmedium

A forensic analyst is investigating a Windows system for persistence mechanisms. Which TWO registry locations are commonly used by malware to achieve auto-start? (Select TWO.)

Select 2 answers
A.HKLM\SYSTEM\CurrentControlSet\Services
B.HKLM\SAM\SAM
C.HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
D.HKCU\Software\Microsoft\Windows\CurrentVersion\Run
E.HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
AnswersD, E

Both Run keys are auto-start locations: HKCU applies to the current user and HKLM applies to every user on the system.

Why this answer

Run keys under HKLM and HKCU are common autorun locations used by malware to start on boot or user login.

502
MCQmedium

A forensic examiner uses Oxygen Forensic Detective to acquire data from an Android device. The tool reports that it performed a 'full file system' extraction. Which of the following is a prerequisite for this type of extraction?

A.The bootloader must be unlocked
B.The device must be rooted
C.The device must be in recovery mode
D.USB debugging must be enabled
AnswerB

Root access is necessary to read the full file system, including app data and system partitions.

Why this answer

A full file system extraction in Oxygen Forensic Detective requires root access on the Android device because the tool must bypass the Linux kernel's permission model to read protected partitions (e.g., /data, /cache). Without root privileges, the extraction is limited to the logical or file-based scope, as the Android security model restricts user-space processes from accessing raw block devices or system files owned by root.

Exam trap

EC-Council often tests the misconception that USB debugging alone enables full file system extraction, but in reality, USB debugging only provides ADB shell access with limited (shell) user privileges, not the root-level access required for raw partition imaging.

How to eliminate wrong answers

Option A is wrong because an unlocked bootloader is a prerequisite for flashing custom recovery or rooting, but it is not directly required for a full file system extraction; the extraction itself can be performed on a device with a locked bootloader if root access is already obtained. Option C is wrong because recovery mode is used for flashing firmware or performing factory resets, not for forensic extraction; Oxygen Forensic Detective typically requires the device to be booted into Android with USB debugging enabled and root access granted. Option D is wrong because USB debugging is necessary for ADB communication and logical extractions, but it alone does not grant the elevated privileges needed to read the full file system; root access is the critical prerequisite.

503
MCQmedium

In the context of US Fourth Amendment protections, which of the following scenarios would likely require a search warrant for a forensic examiner to legally seize and analyze a computer?

A.The computer is located in a private residence and there is no exigent circumstance
B.The computer is in plain view in a public area and is suspected to contain evidence of a crime
C.The computer's owner gives voluntary consent to search the device
D.The computer is seized from a business during a regulatory inspection with statutory authority
AnswerA

Without consent, warrant, or exigency, seizing and searching a computer in a private home violates the Fourth Amendment.

Why this answer

The Fourth Amendment protects against unreasonable searches and seizures, and a computer located in a private residence generally falls under a heightened expectation of privacy. Without exigent circumstances (e.g., imminent destruction of evidence, hot pursuit), a forensic examiner must obtain a search warrant based on probable cause before seizing and analyzing the device. This ensures that the digital evidence is admissible under the exclusionary rule.

Exam trap

EC-Council often tests the misconception that 'plain view' in a public area automatically justifies seizure and forensic analysis of a computer, but the trap here is that plain view only allows seizure of the item itself, not a full forensic examination, which requires a separate warrant or exception.

How to eliminate wrong answers

Option B is wrong because the plain view doctrine applies only if the incriminating nature of the evidence is immediately apparent and the officer is lawfully present; however, a computer in plain view in a public area does not automatically authorize its seizure for forensic analysis—the Fourth Amendment still requires a warrant or an exception, and mere suspicion of evidence is insufficient. Option C is wrong because voluntary consent is a recognized exception to the warrant requirement; if the owner gives valid consent, a forensic examiner may legally seize and analyze the computer without a warrant. Option D is wrong because a regulatory inspection with statutory authority (e.g., OSHA, FDA) may allow seizure of business records under administrative warrants or specific statutes, but the computer itself is not automatically subject to forensic analysis without a warrant unless the inspection statute explicitly authorizes such searches and the scope is limited.

504
MCQhard

An organization uses Microsoft SQL Server 2019 with full recovery model. A database administrator accidentally executed a DROP TABLE statement. The transaction log was backed up immediately after the incident. Which forensic technique would allow the analyst to restore the dropped table?

A.Restore the transaction log backup taken after the DROP TABLE and apply it to the database.
B.Use the RESTORE LOG statement with the NO_TRUNCATE option to recover the table.
C.Perform a tail-log backup, then restore the full backup and all subsequent transaction log backups, stopping before the DROP TABLE.
D.Restore the most recent full backup and ignore subsequent transaction log backups.
AnswerC

Point-in-time restore allows recovery to just before the drop.

Why this answer

Option C is correct because, under the full recovery model, point-in-time recovery is required to undo the DROP TABLE. By performing a tail-log backup (to capture any transactions after the last log backup), then restoring the full backup and all subsequent transaction log backups with STOPAT or STOPBEFOREMARK to the moment just before the DROP TABLE, the analyst can recover the table without losing other transactions. This is the only method that preserves the dropped table's data while maintaining database consistency.

Exam trap

The trap here is that candidates often think a simple transaction log restore (Option A) or a full backup restore (Option D) will suffice, failing to recognize that point-in-time recovery with a tail-log backup and STOPAT is required to skip the destructive DDL statement.

How to eliminate wrong answers

Option A is wrong because restoring only the transaction log backup taken after the DROP TABLE would apply the DROP TABLE operation again, permanently removing the table. Option B is wrong because the NO_TRUNCATE option is used to back up a tail of the log when the database is damaged or offline, not to recover a dropped table; it does not provide point-in-time recovery to skip the DROP. Option D is wrong because restoring only the most recent full backup would lose all changes made after that backup, including the data that existed before the DROP, and would not recover the dropped table.

505
MCQhard

During a forensic investigation of a cloud environment, a forensic analyst discovers that the virtual machine (VM) used by a suspect was terminated three days prior. The cloud provider offers snapshots, backups, and instance metadata. Which of the following is the BEST course of action to recover forensic evidence?

A.Examine CloudTrail logs for disk contents.
B.Access the VM’s operating system via the cloud console’s serial console.
C.Use SSH credentials from the investigation to connect to the terminated instance.
D.Restore the VM from a recent snapshot or backup provided by the cloud provider.
AnswerD

Snapshots preserve the disk state and can be attached to a new instance for analysis.

Why this answer

Option D is correct because once a VM is terminated, its underlying instance store or ephemeral disks are destroyed, but persistent snapshots and backups retain the disk state at the time they were taken. Restoring from a recent snapshot or backup is the only reliable method to recover the VM's file system, application data, and user artifacts for forensic analysis in a cloud environment.

Exam trap

Cisco often tests the misconception that CloudTrail or similar audit logs contain disk-level data, leading candidates to choose option A, when in fact these logs only capture metadata and API activity, not the contents of virtual disks.

How to eliminate wrong answers

Option A is wrong because CloudTrail logs record API calls and management events, not the actual disk contents of a VM; they cannot provide file-level data or operating system artifacts. Option B is wrong because the serial console provides console output and limited troubleshooting access, but it cannot be used to access a terminated VM's operating system since the instance no longer exists. Option C is wrong because SSH credentials are useless for a terminated instance; the VM is no longer running and cannot accept network connections, so SSH cannot establish a session.

506
MCQeasy

Which file system journal is commonly used in Linux ext3/ext4 to record metadata changes before they are committed to the main file system?

A.$LogFile
B.Journal (JBD/JBD2)
C.Recycle Bin
D.USN Journal
AnswerB

ext3 and ext4 use the Journaling Block Device (JBD/JBD2) to maintain a metadata journal.

Why this answer

The journal in ext3/ext4 logs metadata changes (and optionally data) to ensure filesystem consistency after a crash. It is a circular log that is replayed during mount.

507
MCQmedium

An investigator extracts the SMS.db file from an iOS backup. Which table within this database would contain the actual message content for sent and received messages?

A.message
B.attachment
C.handle
D.chat
AnswerA

The message table stores the actual text and associated metadata.

Why this answer

The `message` table in iOS's SMS.db database stores the actual text content of each SMS and iMessage in its `text` column. This is the primary table queried to retrieve the body of sent and received messages, as it contains one row per message with fields like `is_from_me`, `date`, and `text`.

Exam trap

EC-Council often tests the distinction between where message content is stored versus where metadata (like attachment info or participant handles) resides, leading candidates to confuse the `chat` or `handle` tables as containing the message body.

How to eliminate wrong answers

Option B is wrong because the `attachment` table stores metadata about file attachments (e.g., file names, MIME types, transfer state), not the message text itself. Option C is wrong because the `handle` table maps phone numbers or email addresses to a unique identifier used for addressing, but does not contain message content. Option D is wrong because the `chat` table defines chat sessions (group chats, participants) and links to messages via the `chat_message_join` table, but does not hold the message body.

508
MCQmedium

An investigator needs to acquire data from a suspect's hard drive without altering any data. Which tool is MOST appropriate to ensure write-blocking at the hardware level?

A.Tableau Forensic Bridge (hardware write-blocker)
B.FTK Imager (software write-blocker)
C.dd command with 'iflag=noatime'
D.EnCase software acquisition module
AnswerA

Tableau is a well-known hardware write-blocker that prevents any write operations to the drive.

Why this answer

A hardware write-blocker like the Tableau Forensic Bridge sits between the suspect drive and the forensic workstation at the physical layer, intercepting and blocking any write commands (e.g., ATA WRITE DMA, SCSI WRITE) before they reach the drive. This ensures that no data, including metadata, timestamps, or file system artifacts, is altered during acquisition, which is critical for maintaining evidentiary integrity. Software-based blockers can be bypassed by the OS or a malicious driver, making hardware-level blocking the gold standard in forensic acquisition. Whatever blocker is used, the examiner should still hash the source drive before and after acquisition and compare both values with the image hash; the matching hashes are the evidence that nothing was written.

Exam trap

EC-Council often tests the misconception that a software write-blocker (like FTK Imager’s built-in blocker) provides the same level of protection as a hardware write-blocker, when in fact only hardware-level blocking can prevent all write operations—including those from the OS, BIOS, or malicious firmware—from reaching the drive.

How to eliminate wrong answers

Option B (FTK Imager software write-blocker) is wrong because software write-blockers operate at the OS or driver level and can be circumvented by a compromised kernel, a buggy driver, or a direct hardware access command (e.g., via ATA passthrough), so they do not guarantee true hardware-level write protection. Option C (dd command with 'iflag=noatime') is wrong because 'iflag=noatime' only prevents the OS from updating access timestamps on the source file during a dd read, but it does not block write commands at the hardware interface—any write issued by the OS or a misconfigured tool could still reach the drive. Option D (EnCase software acquisition module) is wrong because, while EnCase can use a hardware write-blocker, its software acquisition module alone relies on the OS’s read-only mount or driver-level filtering, which is not a hardware-level write-block and can be overridden by direct disk writes or firmware commands.

509
MCQmedium

An organization receives a legal hold notice regarding pending litigation. The IT department is instructed to preserve all relevant electronically stored information. What is the primary action the IT department should take?

A.Place a hold on relevant data and suspend routine deletion policies
B.Ignore the notice and continue normal operations
C.Create a forensic image of all servers immediately
D.Permanently delete all emails older than 30 days to reduce storage
AnswerA

This preserves the data as required by the legal hold.

Why this answer

The primary action is to place a legal hold on relevant data and suspend routine deletion policies. This ensures that all potentially relevant electronically stored information (ESI) is preserved in its current state, preventing spoliation and ensuring compliance with the legal hold notice. Suspending deletion policies stops automated processes like email purge jobs or document retention schedules from destroying evidence, which is a foundational step in the e-discovery process.

Exam trap

EC-Council often tests the misconception that the immediate response to a legal hold is to create forensic images of all systems, but the correct first step is to suspend deletion policies to prevent data loss before any imaging or collection occurs.

How to eliminate wrong answers

Option B is wrong because ignoring the notice and continuing normal operations would constitute spoliation of evidence, violating the legal hold and potentially leading to severe legal sanctions, including adverse inference instructions or monetary penalties. Option C is wrong because creating a forensic image of all servers immediately is an overreaction and not the first step; imaging is a preservation technique but should be targeted and performed after identifying the scope of relevant data, not indiscriminately across all servers, which is disruptive and unnecessary. Option D is wrong because permanently deleting all emails older than 30 days is the exact opposite of preservation; it would destroy potentially relevant ESI and directly violate the legal hold, risking spoliation charges.

510
MCQeasy

Which email header field is used to verify that an email was sent by the authorized mail server for the domain and has not been tampered with, using cryptographic signatures?

A.X-Mailer
B.Message-ID
C.Received-SPF
D.DKIM-Signature
AnswerD

DKIM uses a public-key signature to verify that the email was not altered and originated from the claimed domain.

Why this answer

DKIM (DomainKeys Identified Mail) uses a digital signature to verify the email's origin and integrity. The signing server hashes the canonicalized body (the `bh=` tag), then signs that hash together with the headers listed in `h=` using the private key for the selector `s=`; the receiver fetches the matching public key from the DNS TXT record `<selector>._domainkey.<domain>` and checks the `b=` signature. Any change to the signed headers or the body after signing invalidates the signature. A passing DKIM result proves the message was signed by the domain in `d=`, not that `d=` matches the visible From: header; that alignment check belongs to DMARC. `Received-SPF` (Option C) only records the result of an SPF check on the connecting IP address and involves no cryptography.
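The body-hash half of that verification can be reproduced offline, which is what an examiner does to tell a message that was altered in transit from one that never matched. The following is an added example (not from the page and not a library's DKIM implementation): it parses the `DKIM-Signature` tag list, applies the simple or relaxed body canonicalization from RFC 6376, recomputes `bh=` and compares it. The signature `b=` is not checked, because that needs the public key from DNS; the sample message is constructed, its body is empty so that `bh=` is the SHA-256 of the empty string, and its `b=` value is a placeholder.

```python
import base64
import hashlib
import re

# Hash algorithms named by the a= tag (RFC 6376 and RFC 8463).
HASHES = {"rsa-sha256": hashlib.sha256, "rsa-sha1": hashlib.sha1, "ed25519-sha256": hashlib.sha256}

def parse_dkim_tags(value):
    """Split a DKIM-Signature value into its tag=value pairs; folding whitespace
    inside values (common in bh= and b=) is not significant and is removed."""
    tags = {}
    for item in value.split(";"):
        if "=" in item:
            k, v = item.split("=", 1)
            tags[k.strip()] = re.sub(r"\s+", "", v)
    return tags

def simple_body(body):
    """'simple' canonicalization: drop trailing empty lines, keep everything else;
    an empty body canonicalizes to a single CRLF."""
    while body.endswith("\r\n\r\n"):
        body = body[:-2]
    return body if body.endswith("\r\n") else body + "\r\n"

def relaxed_body(body):
    """'relaxed' canonicalization: collapse runs of SP/TAB to one space, strip
    trailing whitespace per line, drop trailing empty lines; empty body -> ''."""
    lines = [re.sub(r"[ \t]+", " ", ln).rstrip(" ") for ln in body.split("\r\n")]
    canon = "\r\n".join(lines)
    while canon.endswith("\r\n"):
        canon = canon[:-2]
    return canon + "\r\n" if canon else ""

def body_hash_check(raw_message):
    """Recompute bh= from the body and compare it with the header's value.
    Returns (matches, computed, declared). The b= signature over the h= headers is
    not checked here: that needs the public key from the <s>._domainkey.<d> TXT record."""
    headers, _, body = raw_message.partition("\r\n\r\n")
    unfolded = re.sub(r"\r\n[ \t]+", " ", headers)
    sig = None
    for line in unfolded.split("\r\n"):
        name, _, value = line.partition(":")
        if name.strip().lower() == "dkim-signature":
            sig = value
            break
    if sig is None:
        raise ValueError("no DKIM-Signature header")
    tags = parse_dkim_tags(sig)
    parts = tags.get("c", "simple/simple").split("/")
    body_canon = parts[1] if len(parts) == 2 else "simple"   # "c=relaxed" alone means relaxed/simple
    canonical = relaxed_body(body) if body_canon == "relaxed" else simple_body(body)
    data = canonical.encode("utf-8")
    if "l" in tags:                                            # l= limits the hash to a body prefix
        data = data[: int(tags["l"])]
    computed = base64.b64encode(HASHES[tags["a"]](data).digest()).decode("ascii")
    return computed == tags["bh"], computed, tags["bh"]

# Constructed message: empty body under relaxed canonicalization, so bh= is the
# SHA-256 of the empty string. The b= value is a placeholder, not a real signature.
SIGNED = (
    "DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=sel1;\r\n"
    "\th=from:to:subject; bh=47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=;\r\n"
    "\tb=placeholderSignatureNotVerifiedHere=\r\n"
    "From: sender@example.com\r\n"
    "To: analyst@example.org\r\n"
    "Subject: report\r\n"
    "\r\n"
    "\r\n"
)

if __name__ == "__main__":
    print(body_hash_check(SIGNED))
    print(body_hash_check(SIGNED.replace("\r\n\r\n\r\n", "\r\n\r\nexfil\r\n")))
```

A mismatching `bh=` means the body changed after signing (or the header was forged); a matching `bh=` with a failing `b=` points at the signed headers or the key instead, so the two checks should be reported separately.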

511
MCQeasy

A forensic analyst is examining a Windows malware sample using static analysis. Which tool is BEST suited for viewing the PE header structure, including sections, imports, and exports?

A.Strings
B.Ghidra
C.IDA Pro
D.PEiD
AnswerD

PEiD is a tool for analyzing PE files, detecting packers, and viewing header information.

Why this answer

PEiD parses the IMAGE_NT_HEADERS structure directly, giving a concise summary of the PE layout (entry point, section table, import and export information) and matching the bytes at the entry point against its signature database to identify packers and compilers, all without requiring disassembly or decompilation. Two practical caveats: PEiD is no longer maintained, so its signatures miss newer packers, and a packed sample shows the packer stub's import table rather than the malware's, so the sample must be unpacked before its imports mean anything.

Exam trap

EC-Council often tests the distinction between a specialized PE header analysis tool (PEiD) and general-purpose reverse-engineering tools (Ghidra, IDA Pro), leading candidates to choose a more complex tool when a simpler, purpose-built one is correct.

How to eliminate wrong answers

Option A is wrong because Strings is a command-line tool that extracts readable ASCII/Unicode strings from a binary, not a PE header parser. Option B is wrong because Ghidra is a full reverse-engineering framework focused on disassembly and decompilation, not a lightweight PE header viewer. Option C is wrong because IDA Pro is a disassembler/debugger that can show PE headers but is overkill for this specific task and not the best tool for a quick header inspection.

512
MCQmedium

A forensic analyst examining a Windows machine finds a suspicious service named 'SrvMon' installed. The System event log shows Event ID 7045 at the time of compromise. What does this event indicate?

A.A logon attempt failed
B.A user account was created
C.A service was installed
D.A scheduled task was created
AnswerC

Event ID 7045 signals a new service installation.

Why this answer

Event ID 7045 (source: Service Control Manager, in the System log) is written when a new service is installed; the event records the service name, the image path, the service type and start type, and the account that installed it. Service installation is a common persistence mechanism used by malware, so the image path recorded for 'SrvMon' should be compared with the binary actually on disk. When the Security log's 'Audit Security System Extension' subcategory is enabled, a matching Event ID 4697 appears there as well; remote PsExec-style execution also leaves a 7045 for its temporary service, which makes the event a useful lateral-movement pivot.

513
Multi-Selectmedium

Which TWO tools are specifically designed for file carving (recovering files based on signatures) and are commonly used in digital forensics?

Select 2 answers
A.Volatility
B.Scalpel
C.Foremost
D.EnCase
E.Autopsy
AnswersB, C

Scalpel is another file carving tool, originally based on Foremost.

Why this answer

Scalpel and Foremost are both purpose-built file carving tools that recover files by scanning raw data for known file headers and footers (signatures), without relying on filesystem metadata. Scalpel began as a rewrite of Foremost 0.69 aimed at speed and lower memory use, and both read a configuration file of header, footer and maximum-size entries per file type. Foremost was originally developed by the U.S. Air Force Office of Special Investigations. Because carving knows nothing about the filesystem, fragmented files come out incomplete or corrupted, and a file still present in the filesystem is carved again from the same clusters, so carved output should be deduplicated by hash against the allocated files.

Both are widely used in digital forensics for data recovery from damaged or unallocated disk space.

Exam trap

EC-Council often tests the distinction between dedicated file carving tools (Scalpel, Foremost) and broader forensic suites (EnCase, Autopsy) that include carving as a secondary feature, leading candidates to incorrectly select the more well-known commercial tools.
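What those tools do internally is simpler than their reputation suggests. The following is an added example (not from the page, and not Foremost's or Scalpel's code) that implements header/footer carving over a raw byte buffer with a configuration table of the same shape as a foremost.conf entry, then runs it against a constructed "unallocated space" buffer holding a JPEG, a PNG and a PDF with no footer. The signature table is a constructed subset.

```python
import re

# (extension, header, footer or None, max size): the shape of a foremost/scalpel
# configuration entry. Constructed subset; real configs carry dozens of types.
SIGNATURES = [
    ("jpg", b"\xff\xd8\xff", b"\xff\xd9", 20_000_000),
    ("png", b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82", 20_000_000),
    ("pdf", b"%PDF-", b"%%EOF", 50_000_000),
]

def carve(data, signatures=SIGNATURES):
    """Scan a raw byte buffer (disk image, unallocated space, memory dump) for
    each header; from each hit take bytes up to and including the nearest footer,
    or the whole max-size window when no footer is found. No filesystem metadata
    is consulted, which is why carving also finds deleted files and why
    fragmented files come out wrong. Returns [(ext, offset, blob), ...] by offset."""
    found = []
    for ext, header, footer, max_size in signatures:
        for m in re.finditer(re.escape(header), data):
            start = m.start()
            window = data[start:start + max_size]
            end = window.find(footer, len(header)) if footer else -1
            blob = window if end == -1 else window[:end + len(footer)]
            found.append((ext, start, blob))
    return sorted(found, key=lambda f: f[1])

def build_sample_image():
    """Constructed 'unallocated space': filler with a JPEG, a PNG and a truncated
    PDF at known offsets (1024, 2099 and 3177)."""
    filler = bytes(range(256)) * 4                    # 1024 bytes, contains no signature
    jpeg = b"\xff\xd8\xff\xe0" + b"JFIF\x00" + b"\x01" * 40 + b"\xff\xd9"                    # 51 bytes
    png = b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\rIHDR" + b"\x02" * 30 + b"IEND\xaeB`\x82"   # 54 bytes
    pdf = b"%PDF-1.7\n1 0 obj\n<<>>\nendobj\n"      # header only: truncated, no %%EOF
    return filler + jpeg + filler + png + filler + pdf + filler

if __name__ == "__main__":
    for ext, offset, blob in carve(build_sample_image()):
        print(f"{ext}\toffset={offset}\tsize={len(blob)}")
```

The PDF result shows the failure mode the exam question hints at: with no footer the carver returns the whole window up to the configured maximum, so the "recovered" file is the real fragment plus whatever followed it on disk, and its hash proves nothing until it is validated with a format-aware parser.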

514
Multi-Selecthard

During a forensic analysis of an SSD, the analyst encounters challenges due to TRIM and wear-leveling. Which TWO statements accurately describe the impact of these features on data recovery?

Select 2 answers
A.TRIM immediately and permanently erases deleted file data at the block level
B.Wear-leveling can scatter fragments of a file across different NAND chips, complicating physical imaging
C.Both TRIM and wear-leveling are transparent to the operating system and have no impact on forensic analysis
D.Wear-leveling ensures that deleted files are overwritten with zeros to prevent forensic recovery
E.TRIM is only effective on HDDs, not SSDs
AnswersA, B

TRIM commands cause the SSD to erase blocks, preventing recovery.

Why this answer

TRIM causes the SSD to erase data blocks that are no longer in use, making recovery difficult. Strictly, the TRIM command tells the controller which logical blocks no longer hold valid data; the underlying NAND pages are erased later by garbage collection, but most drives return zeros for a trimmed block as soon as the command is processed (the DRAT/RZAT behaviour advertised in the drive's identify data), so from the host's side the data is gone at once. Wear-leveling distributes writes evenly, but also moves data around: the logical-to-physical mapping hides where fragments physically reside, and an image taken through the host interface sees only the controller's logical view. Before concluding that deleted data is unrecoverable, check whether the operating system was issuing TRIM at all (on Windows, `fsutil behavior query DisableDeleteNotify`; on Linux, `lsblk --discard` and the fstrim timer).

515
Multi-Selectmedium

A forensic examiner is setting up a new lab. Which THREE of the following practices are essential for maintaining the integrity of digital evidence?

Select 3 answers
A.Perform regular backups of the forensic workstation’s operating system.
B.Disable write-blocking when imaging drives to improve speed.
C.Use write-blocking devices when acquiring data from suspect drives.
D.Implement a chain-of-custody procedure for all evidence.
E.Store evidence in a secure, access-controlled environment.
AnswersC, D, E

Correct: Write-blockers prevent alteration of original evidence.

Why this answer

Option C is correct because write-blocking devices (hardware or software) prevent any write operations to the source drive during acquisition, ensuring the original data remains unaltered. This is fundamental to maintaining the integrity of digital evidence, as any modification could render the evidence inadmissible in court. Forensic imaging tools like FTK Imager or dd rely on write-blockers to guarantee a bit-for-bit copy without contaminating the source. Option D is correct because a documented chain of custody records who handled each item, when and why, which is what allows the examiner to show that the evidence presented in court is the evidence that was collected. Option E is correct because physical controls (a locked evidence room, access logging, tamper-evident bags) prevent unauthorized access or alteration between examinations. Option A is sound operational practice, but it protects the workstation, not the evidence.

Exam trap

EC-Council often tests the misconception that operational convenience (like faster imaging) can ever override the foundational forensic requirement of write protection, leading candidates to incorrectly choose Option B.

516
MCQeasy

In Android forensics, which of the following acquisition methods provides the most complete and forensically sound image of the device's internal storage?

A.Manual extraction through the user interface
B.Logical extraction via ADB
C.File system extraction
D.Physical extraction using a JTAG or chip-off technique
AnswerD

Physical extraction captures the entire flash memory, including deleted files and unallocated space.

Why this answer

Physical extraction using a JTAG or chip-off technique provides the most complete and forensically sound image because it accesses the raw NAND flash memory at the hardware level, bypassing the operating system and any software-based restrictions. This method captures deleted data, unallocated space, and the entire file system structure, including areas not accessible via logical or file system extractions, ensuring a bit-for-bit copy of the internal storage. Two caveats apply in practice: chip-off is destructive and JTAG test points are often disabled on production devices, and on current Android devices the raw image is of limited use by itself, because file-based encryption (mandatory for devices launching with Android 10 or later) leaves the user data partition unreadable unless the keys can also be recovered.

Exam trap

EC-Council often tests the misconception that logical extraction via ADB is sufficient for a complete forensic image, but candidates must recognize that only physical methods (JTAG/chip-off) capture the entire raw storage, including deleted and hidden data.

How to eliminate wrong answers

Option A is wrong because manual extraction through the user interface only captures data visible to the user through the device's screen and does not access underlying file systems, deleted data, or unallocated space, making it highly incomplete and not forensically sound. Option B is wrong because logical extraction via ADB (Android Debug Bridge) uses the Android operating system's APIs to retrieve only active files and directories, missing deleted data, slack space, and low-level system partitions. Option C is wrong because file system extraction, while more thorough than logical extraction, still relies on the device's kernel to parse the file system and cannot recover data from unallocated blocks or areas outside the mounted file system, unlike physical extraction.

517
MCQmedium

A security analyst reviews Windows Security Event Logs and finds multiple Event ID 4625 entries from a single source IP address targeting various usernames. Which type of attack is MOST likely occurring?

A.Password spraying attack
B.Brute-force attack on a single account
C.Pass-the-hash attack
D.Kerberoasting attack
AnswerA

Password spraying involves trying a small number of common passwords against many accounts, exactly matching the pattern of multiple usernames from one IP.

Why this answer

Event ID 4625 indicates a failed logon attempt. Multiple failed attempts from one source against different usernames is characteristic of a password spraying attack, where an attacker tries a few common passwords across many accounts to stay below lockout thresholds. A brute-force attack on a single account (Option B) would instead show many 4625 entries with the same Target User Name. The Sub Status field refines the picture: 0xC000006A means the username exists but the password was wrong, while 0xC0000064 means the username does not exist, so a run of 0xC0000064 entries indicates account enumeration rather than a spray against known accounts. Note that 4625 is logged on the machine where the logon was attempted (NTLM or local logons); a failed Kerberos pre-authentication on a domain controller is recorded as Event ID 4771 instead, so a domain-wide view must include both.
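The distinction between the three patterns is easy to automate once the events are grouped by source address. The following is an added example (not from the page, and not a Windows or SIEM tool) that parses constructed 4625 records in a simplified one-line format, counts attempts and distinct target users per source, and labels each source as spraying, single-account brute force or enumeration, going one step beyond the question by using the Sub Status code. The log lines and the thresholds are assumptions, not values from the original.

```python
import re
from collections import defaultdict

# Constructed one-line form of a 4625 event: timestamp, source IP, target user, Sub Status.
LINE = re.compile(
    r"^(?P<ts>\S+) 4625 src=(?P<ip>\S+) user=(?P<user>\S+) substatus=(?P<sub>0x[0-9A-Fa-f]{8})$"
)

BAD_PASSWORD = "0XC000006A"   # user exists, wrong password
NO_SUCH_USER = "0XC0000064"   # user name does not exist

def make_sample_log():
    """Constructed 4625 events: a spray, a single-account brute force, an
    enumeration run, and one ordinary mistyped password from an internal host."""
    lines = []
    users = ["alice", "bob", "carol", "dave", "erin", "frank", "grace", "heidi", "ivan", "judy"]
    for i, user in enumerate(users):
        lines.append(f"2024-05-01T08:00:{i:02d}Z 4625 src=203.0.113.5 user={user} substatus=0xC000006A")
    for i in range(8):
        lines.append(f"2024-05-01T08:01:{i:02d}Z 4625 src=10.0.0.7 user=svc_backup substatus=0xC000006A")
    for i, user in enumerate(["admin", "administrator", "root"]):
        lines.append(f"2024-05-01T08:02:{i:02d}Z 4625 src=198.51.100.9 user={user} substatus=0xC0000064")
    lines.append("2024-05-01T08:03:00Z 4625 src=192.168.1.20 user=alice substatus=0xC000006A")
    return "\n".join(lines)

def classify_sources(log_text, spray_min_users=5, spray_max_per_user=3, brute_min_attempts=5):
    """Per source IP, count attempts and distinct target users, then label the pattern.
    Thresholds are assumptions to tune against the environment's normal failure rate."""
    per_ip = defaultdict(lambda: {"attempts": 0, "users": defaultdict(int), "unknown": set()})
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        rec = per_ip[m["ip"]]
        rec["attempts"] += 1
        rec["users"][m["user"]] += 1
        if m["sub"].upper() == NO_SUCH_USER:
            rec["unknown"].add(m["user"])
    verdicts = {}
    for ip, rec in per_ip.items():
        users = rec["users"]
        if len(users) >= spray_min_users and max(users.values()) <= spray_max_per_user:
            verdicts[ip] = "password spraying"              # many accounts, few tries each
        elif len(users) == 1 and rec["attempts"] >= brute_min_attempts:
            verdicts[ip] = "brute force (single account)"   # one account, many tries
        elif rec["unknown"] and rec["unknown"] == set(users):
            verdicts[ip] = "account enumeration"            # every name tried was unknown
        else:
            verdicts[ip] = "no pattern"
    return verdicts

if __name__ == "__main__":
    for ip, verdict in classify_sources(make_sample_log()).items():
        print(f"{ip:15} {verdict}")
```

On a real system the same fields come from the Security log's Event 4625 XML (IpAddress, TargetUserName, SubStatus), and the time window matters: a patient spray that spends days on each password only shows up when the grouping spans that long.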

518
Multi-Selecthard

Which TWO of the following are effective methods for detecting a man-in-the-middle attack on a network?

Select 2 answers
A.Analyze DNS amplification traffic
B.Check for SSL certificate mismatches
C.Implement port knocking for access control
D.Monitor for ARP cache poisoning
E.Detect ICMP flood attacks
AnswersB, D

MITM often uses forged certificates causing mismatches.

Why this answer

SSL/TLS certificate mismatches occur when a man-in-the-middle (MITM) attacker presents a forged or self-signed certificate that does not match the legitimate server's certificate. Browsers and security tools flag this (e.g., a different Common Name or Subject Alternative Name, an untrusted issuer, or an invalid validity period), providing a clear indicator of an ongoing MITM attack. This works because the attacker cannot present a certificate for the victim's domain that chains to a trusted CA unless they hold the legitimate private key or have obtained a mis-issued certificate. ARP cache poisoning (Option D) is the usual way an attacker on the same LAN becomes the man in the middle: the attacker answers ARP requests for the gateway with their own MAC address. Monitoring for the gateway IP suddenly mapping to a new MAC, or one MAC claiming several IPs, detects it (arpwatch does exactly this), and `arp -a` on a suspect host shows its current table.

Exam trap

EC-Council often tests the distinction between attack detection methods and attack mitigation or unrelated attack types, so candidates mistakenly choose ICMP flood or DNS amplification as MITM detection techniques when they are actually indicators of different attack vectors.

519
MCQmedium

An investigator is analyzing a compromised MySQL database server. To determine the exact time and content of a suspect data exfiltration query, which MySQL log should be examined first, assuming it is enabled?

A.General query log
B.Error log
C.Binary log
D.Slow query log
AnswerA

The general query log records all SQL queries received from clients, including SELECT statements that exfiltrate data.

Why this answer

The general query log captures every SQL statement received from every client, including SELECT queries, each with a timestamp and the connection id, making it ideal for identifying data exfiltration; the Connect line for the same id gives the user and host behind the query. Its location is given by the `general_log_file` system variable (or it goes to the mysql.general_log table when `log_output=TABLE`), and it is disabled by default because of its overhead, which is why the question says "assuming it is enabled". The binary log (Option C) records only statements that change data, so a SELECT that reads a table out never appears in it; the slow query log (Option D) records only statements exceeding `long_query_time`; the error log (Option B) records startup, shutdown and error conditions.
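Tying the query back to the connection that issued it is the part examiners most often get wrong, since the user and host appear only on the Connect line. The following is an added example (not from the page, and not a MySQL utility) that walks a constructed general log, remembers the owner of each connection id, joins continuation lines of multi-line statements, and returns the queries matching a watch list. The log content, the table names in the watch list and the log line layout (timestamp, id, command, argument, as MySQL 5.7/8.0 write it) are assumptions for the example.

```python
import re

# One general_log entry: ISO timestamp, connection id, command, argument.
# Continuation lines of a multi-line statement carry no timestamp.
ENTRY = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\S+)\s+(?P<id>\d+)\s+(?P<cmd>[A-Za-z]+(?: [A-Za-z]+)?)\s*(?P<arg>.*)$"
)

# What to hunt for; the table names are an assumption about this schema.
SUSPICIOUS = [
    re.compile(r"INTO\s+(OUTFILE|DUMPFILE)", re.I),    # writes a result set to the server's disk
    re.compile(r"LOAD_FILE\s*\(", re.I),                # reads a server file into a query
    re.compile(r"\bFROM\s+(payments|users)\b", re.I),   # reads from sensitive tables
]

SAMPLE_LOG = """\
Time                 Id Command    Argument
2024-03-10T14:22:01.104911Z\t   12 Connect\tappuser@10.0.0.5 on shopdb using TCP/IP
2024-03-10T14:22:03.226004Z\t   12 Query\tSELECT id, email FROM customers WHERE id = 42
2024-03-10T14:22:05.418332Z\t   12 Query\tSELECT card_number, cvv
FROM payments
2024-03-10T14:22:07.990120Z\t   12 Query\tSELECT * FROM customers INTO OUTFILE '/tmp/c.csv'
2024-03-10T14:22:09.000431Z\t   12 Quit\t
2024-03-10T14:30:00.000000Z\t   13 Connect\treport@10.0.0.9 on shopdb using TCP/IP
2024-03-10T14:30:02.000000Z\t   13 Query\tSELECT COUNT(*) FROM orders
"""

def trace_queries(log_text, patterns=SUSPICIOUS):
    """Walk the general log, remember who owns each connection id (from its
    Connect line), and return every Query whose text matches a pattern."""
    owner = {}          # connection id -> "user@host on db ..."
    queries = []
    last = None         # most recent Query record, for continuation lines
    for line in log_text.splitlines():
        m = ENTRY.match(line)
        if not m:
            if last is not None and line.strip():
                last["query"] += " " + line.strip()     # statement continued on the next line
            continue
        cid, cmd, arg = m["id"], m["cmd"], m["arg"].strip()
        if cmd == "Connect":
            owner[cid] = arg
            last = None
        elif cmd == "Query":
            last = {"time": m["ts"], "conn": cid, "who": owner.get(cid, "unknown"), "query": arg}
            queries.append(last)
        else:
            last = None
    return [q for q in queries if any(p.search(q["query"]) for p in patterns)]

if __name__ == "__main__":
    for hit in trace_queries(SAMPLE_LOG):
        print(hit["time"], hit["conn"], hit["who"], "::", hit["query"])
```

Once the connection id is known, the same id in the Quit line bounds the session, and the host in the Connect line is the pivot into the network logs for the same window.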

520
MCQmedium

During dynamic analysis of a malware sample, an analyst uses Process Monitor to capture registry and file system activity. Which filter would be MOST effective in identifying attempts to create a persistence mechanism?

A.Filter for 'WriteFile' events in System32
B.Filter for 'RegSetValue' events with path containing 'CurrentVersion\Run'
C.Filter for 'Process Create' events
D.Filter for 'RegSetValue' events with path containing 'RunOnce'
AnswerB

This captures modifications to common autorun locations, indicating persistence.

Why this answer

The 'CurrentVersion\Run' registry key is a standard persistence location where malware adds entries to execute automatically at user logon. Filtering for 'RegSetValue' events targeting this path directly captures the act of writing a new value to that key, which is a common persistence mechanism. Process Monitor's 'RegSetValue' operation specifically monitors registry value modifications, making it the most effective filter for this purpose. In practice, because Process Monitor's 'contains' match is a substring test, a Path filter on 'CurrentVersion\Run' also catches writes to 'CurrentVersion\RunOnce' and the HKLM and HKCU variants of both keys; combining it with 'Operation is RegSetValue' keeps the many reads of those keys out of the view.

Exam trap

The trap here is that candidates confuse 'RunOnce' with 'Run' — 'RunOnce' is for one-time execution and is less common for persistent malware, while 'CurrentVersion\Run' is the standard persistence key tested in CHFI.

How to eliminate wrong answers

Option A is wrong because 'WriteFile' events in System32 capture file write operations, not registry modifications, and while malware may drop files there, it does not directly indicate persistence creation. Option C is wrong because 'Process Create' events show when processes are started, not how they are configured to start automatically, so they miss the registry modification that establishes persistence. Option D is wrong because 'RunOnce' keys are used for one-time execution and are less commonly used for persistent malware compared to 'CurrentVersion\Run', which runs the entry at every logon of that user (HKCU) or of any user (HKLM).

521
Multi-Selecteasy

Which TWO of the following are typical sources of evidence for network forensics? (Select TWO.)

Select 2 answers
A.Windows registry hives
B.bash_history
C.Firewall logs
D.Prefetch files
E.Packet capture (pcap) files
AnswersC, E

Firewall logs record allowed/denied connections and are key network evidence.

Why this answer

Network forensics relies on capturing and analyzing network traffic and the records that network devices keep of it. Packet captures (pcap) give the full content of the traffic, and firewall logs give the allow/deny decisions with source, destination, port and time; IDS/IPS alerts and NetFlow records are also used, but the two most direct sources are packet captures and firewall logs. The remaining options (registry hives, bash_history, Prefetch files) are host artifacts examined in system forensics.

522
MCQhard

An organization receives a legal hold notice for a civil lawsuit. An employee later deletes relevant emails from their mailbox. Which legal principle is MOST likely violated?

A.Spoliation of evidence
B.Best evidence rule
C.Locard's exchange principle
D.Probable cause
AnswerA

Spoliation is the intentional or negligent destruction of evidence, which can lead to sanctions.

Why this answer

The legal hold notice imposes a duty to preserve relevant evidence. Deleting emails after receiving such notice constitutes intentional destruction of evidence, which is spoliation. This violates the legal principle of spoliation of evidence, as the organization had a duty to preserve the emails for the pending litigation.

Exam trap

EC-Council often tests spoliation by pairing it with a legal hold scenario to see if candidates confuse it with evidence admissibility rules (Best Evidence Rule) or forensic principles (Locard's Exchange Principle) rather than recognizing the duty to preserve evidence.

How to eliminate wrong answers

Option B is wrong because the Best Evidence Rule requires the original document or a reliable duplicate to prove its content, but it does not address the destruction of evidence after a legal hold. Option C is wrong because Locard's Exchange Principle is a forensic concept stating that every contact leaves a trace, applicable to physical evidence transfer, not to legal duties or evidence preservation. Option D is wrong because Probable Cause is a Fourth Amendment standard for searches and seizures, not a principle governing the destruction of evidence subject to a legal hold.

523
Multi-Selectmedium

Which TWO of the following are appropriate techniques for identifying a webshell on a compromised web server?

Select 2 answers
A.Verifying SSL certificate validity
B.Searching for files with recent creation or modification timestamps in the web root
C.Running a full antivirus scan on the server
D.Analyzing web server logs for anomalous POST requests to script files that return 200 OK with large response sizes
E.Checking for open ports on the server
AnswersB, D

Webshells are often uploaded shortly before use, so recent timestamps are suspicious.

Why this answer

Webshells are often detected by recent file timestamps and anomalous POST requests in logs. In the web root, look for script files whose creation or modification time is recent, does not match the rest of the deployment, or is absent from the site's release manifest; attackers can timestomp, so compare the NTFS $STANDARD_INFORMATION timestamps against $FILE_NAME, or the file's hash against a known-good copy. In the access logs, a webshell typically shows up as repeated POST requests to one script file from a small set of IP addresses, with no Referer, a scripted User-Agent, and 200 responses whose sizes vary with the command that was run. Antivirus (Option C) frequently misses obfuscated one-line shells, and certificate or port checks (Options A and E) say nothing about the application layer.
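Both techniques from Options B and D reduce to a few lines of scripting once the inputs are in hand. The following is an added example (not from the page, and not any web server's tooling) with two parts: a scorer for access-log lines in the Apache/nginx combined format that groups large, successful POSTs to script files and raises the score for missing Referer, non-browser User-Agent and upload directories, and a filter that returns recently modified script files from (path, mtime) pairs, which a thin `os.walk` helper produces from a real web root. The log lines, file list, size threshold and extension list are constructed assumptions.

```python
import os
import re
from collections import defaultdict

SCRIPT_EXT = (".php", ".phtml", ".asp", ".aspx", ".jsp", ".jspx", ".cfm")

# Apache/nginx "combined" log format.
COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"'
)

# Constructed access log: two webshell-like POSTs, a normal login, a page view, a form post.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2024:14:22:07 +0000] "POST /uploads/img_2024.php HTTP/1.1" 200 48213 "-" "python-requests/2.31"
203.0.113.5 - - [10/Mar/2024:14:22:09 +0000] "POST /uploads/img_2024.php HTTP/1.1" 200 51990 "-" "python-requests/2.31"
198.51.100.7 - - [10/Mar/2024:14:23:00 +0000] "POST /login.php HTTP/1.1" 302 0 "https://shop.example/login" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2024:14:23:05 +0000] "GET /index.php HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Mar/2024:14:25:11 +0000] "POST /contact.php HTTP/1.1" 200 1400 "https://shop.example/contact" "Mozilla/5.0"
"""

def suspicious_posts(log_text, min_size=20000):
    """Group POSTs to script files that returned 200 OK with a large body.
    A missing Referer, a non-browser User-Agent and an upload directory each add
    to the score, because operators drive webshells with scripts, not by clicking links."""
    hits = defaultdict(lambda: {"posts": 0, "ips": set(), "score": 0})
    for line in log_text.splitlines():
        m = COMBINED.match(line)
        if not m:
            continue
        size = 0 if m["size"] == "-" else int(m["size"])
        path = m["path"].split("?", 1)[0]
        if not (m["method"] == "POST" and m["status"] == "200"
                and path.lower().endswith(SCRIPT_EXT) and size >= min_size):
            continue
        rec = hits[path]
        rec["posts"] += 1
        rec["ips"].add(m["ip"])
        rec["score"] += 1 + (m["ref"] == "-") + ("Mozilla" not in m["ua"]) + ("/upload" in path.lower())
    return dict(hits)

def recently_modified(entries, now, hours=72):
    """entries: iterable of (path, mtime_epoch). Return script files touched within
    the last `hours`, newest first. Compare the result with the release manifest."""
    cutoff = now - hours * 3600
    recent = [(p, t) for p, t in entries if t >= cutoff and p.lower().endswith(SCRIPT_EXT)]
    return sorted(recent, key=lambda e: e[1], reverse=True)

def webroot_entries(root):
    """Walk a web root and yield (path, mtime) pairs for recently_modified()."""
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            yield full, os.path.getmtime(full)

if __name__ == "__main__":
    for path, rec in suspicious_posts(SAMPLE_LOG).items():
        print(path, rec["posts"], "posts from", sorted(rec["ips"]), "score", rec["score"])
```

Run the two checks together: a file that is both recently modified and the target of scored POSTs is the one to pull first, with its $MFT record and the matching log lines preserved as a unit.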

524
Multi-Selectmedium

During a forensic investigation of a Windows 10 system, you need to analyze the file system to recover deleted files. Which TWO file system artifacts would be most useful for this purpose?

Select 2 answers
A.$LogFile
B.$Boot file
C.$MFT (Master File Table)
D.$Volume
E.$Bitmap
AnswersA, C

The $LogFile records metadata changes, including deletions; can help reconstruct file history.

Why this answer

$LogFile (A) records metadata changes to the NTFS volume, including transactions that can be replayed to recover file names and directory entries for recently deleted files. $MFT (C) contains the master file table entries for every file and directory; even after deletion, the MFT entry often remains until overwritten, allowing recovery of file attributes and data runs.

Exam trap

EC-Council often tests the misconception that $Bitmap is the primary artifact for file recovery, but it only shows which clusters are free, not the file names or metadata needed to reconstruct deleted files.

525
MCQmedium

An incident responder finds a suspicious LNK file in a user's Startup folder on a Windows system. The LNK file's target is "C:\Windows\System32\rundll32.exe" with a command-line argument "javascript:" followed by encoded text. What is the most likely purpose of this shortcut?

A.A shortcut to a network resource that failed
B.Legitimate update mechanism for Microsoft Office
C.A user-created automation script for daily tasks
D.A malicious persistence mechanism to execute payload via script
AnswerD

Rundll32.exe with JavaScript is a known Living-off-the-Land (LotL) technique for malware.

Why this answer

Rundll32.exe executing JavaScript is a known living-off-the-land technique: the argument abuses the `javascript:` protocol handler through mshtml's RunHTMLApplication export, so a signed Microsoft binary ends up running attacker-supplied script, and placing the LNK in the Startup folder makes it run at every logon. Fileless families such as Poweliks and Kovter used this exact pattern, and MITRE ATT&CK catalogues it under T1218.011 (System Binary Proxy Execution: Rundll32). The encoded text should be decoded (typically Base64 or URL encoding) to recover the payload, and the LNK's own metadata (creation time, machine identifier, volume serial) helps establish when and on which machine it was created.
