Computer Hacking Forensic Investigator CHFI (CHFI) — Questions 601675

1000 questions total · 14pages · All types, answers revealed

Page 8

Page 9 of 14

Page 10
601
Multi-Selectmedium

Which TWO of the following are essential components of a proper chain of custody documentation? (Select TWO)

Select 2 answers
A.The IP address of the forensic workstation
B.Backup location of the evidence
C.Date and time of evidence collection
D.Signature of the person handling the evidence
E.The forensic tool used to analyze the evidence
AnswersC, D

The exact date and time when evidence was collected is a fundamental part of chain of custody.

Why this answer

Chain of custody must include who handled the evidence, when (date/time), and what was done. Access control and backup procedures, while important, are not typically part of the chain of custody form itself.

602
MCQmedium

A malware analyst is using a tool to monitor registry and file system changes during the execution of a suspicious binary. Which tool is specifically designed to take snapshots of the registry and file system before and after execution to identify changes?

A.Regshot
B.Cuckoo Sandbox
C.Process Explorer
D.Process Monitor
AnswerA

Regshot creates before/after snapshots of the registry and file system.

Why this answer

Regshot is a lightweight open-source tool designed specifically to compare registry hives and file system snapshots taken before and after executing a binary. It generates a detailed report of added, modified, or deleted keys and files, making it ideal for malware analysis to quickly identify persistence mechanisms or configuration changes.

Exam trap

Cisco often tests the distinction between snapshot-based comparison tools (Regshot) and real-time monitoring tools (Process Monitor), leading candidates to confuse Process Monitor's live logging capability with the before-and-after snapshot functionality required by the question.

How to eliminate wrong answers

Option B is wrong because Cuckoo Sandbox is an automated dynamic malware analysis environment that executes binaries in a virtual machine and logs system calls, network traffic, and memory dumps, but it does not specialize in taking before-and-after registry and file system snapshots like Regshot does. Option C is wrong because Process Explorer is a task manager and process analysis tool from Sysinternals that shows detailed process information, handles, and DLLs, but it does not capture registry or file system snapshots for comparison. Option D is wrong because Process Monitor (Procmon) is a real-time monitoring tool that logs registry, file system, process, and thread activity as it happens, but it does not provide a before-and-after snapshot comparison; it requires manual filtering and analysis of a continuous event stream.

603
Multi-Selectmedium

Which two of the following are characteristics of the ext4 file system? (Choose TWO.)

Select 2 answers
A.Uses a Master File Table ($MFT) to store file metadata
B.Uses a file allocation table (FAT) to track clusters
C.Uses a journal to maintain file system consistency
D.Stores directory entries in a B-tree structure
E.Supports extents for contiguous block allocation
AnswersC, E

Correct: ext4 has a journal.

Why this answer

ext4 uses extents for efficient space management and a journal for metadata consistency.

604
MCQeasy

An analyst recovers a hard drive from a suspect's computer. The drive has a partition table that uses a 32-bit identifier and a maximum partition size of 2 TB. Which partition table type is present?

A.HFS+
B.GPT
C.APFS
D.MBR
AnswerD

MBR uses 32-bit partition table entries with a maximum partition size of 2 TB.

Why this answer

MBR uses 32-bit partition table entries and supports up to 2 TB partitions. GPT uses 64-bit entries and supports larger disks.

605
Multi-Selecthard

A security analyst is investigating a potential data breach in a GCP environment. The analyst reviews the GCP audit logs and finds the following events: (1) A service account was granted the 'roles/storage.objectAdmin' role on a storage bucket containing sensitive data, (2) The service account then listed objects in the bucket, (3) The service account downloaded several objects. Which THREE actions should the analyst take immediately?

Select 3 answers
A.Analyze the IAM policy change that granted the role to identify the source
B.Revoke the service account's excessive permissions
C.Contact law enforcement immediately
D.Preserve the audit logs by exporting them to a secure location
E.Delete the storage bucket to prevent further access
AnswersA, B, D

Understanding how the grant occurred is crucial.

Why this answer

The analyst should revoke access to prevent further exfiltration, preserve the logs for investigation, and examine the source of the role grant (IAM changes).

606
Multi-Selectmedium

An analyst is examining a memory dump using Volatility and wants to identify network connections. Which TWO Volatility plugins can be used to list network connections?

Select 2 answers
A.netscan
B.dlllist
C.pstree
D.connscan
E.pslist
AnswersA, D

netscan scans for network connections.

Why this answer

netscan and connscan are Volatility plugins that list network connections. pslist lists processes, not connections. pstree lists process trees. dlllist lists loaded DLLs.

607
Multi-Selectmedium

Which THREE of the following are commonly used network forensic data sources?

Select 3 answers
A.NetFlow logs
B.Prefetch files
C.IDS/IPS alerts
D.Packet captures (PCAP)
E.Windows registry hives
AnswersA, C, D

NetFlow provides metadata about network flows.

Why this answer

Packet captures (PCAP), NetFlow logs, and IDS/IPS logs are all standard network forensic data sources that provide detail on network traffic.

608
MCQeasy

In an email header, which field typically contains the IP address of the original sending client?

A.Return-Path
B.Message-ID
C.Received
D.DKIM-Signature
AnswerC

The Received header includes the IP address of the server that received the email. The bottommost Received header typically shows the originating client IP.

Why this answer

The 'Received' field in an email header is added by each mail transfer agent (MTA) that processes the message, and the first 'Received' header (at the bottom of the header block) typically contains the IP address of the original sending client (the SMTP client that initiated the connection). This field records the 'from' IP and the 'by' host, making it the definitive source for tracing the origin of the email.

Exam trap

EC-Council often tests the misconception that the 'Return-Path' field contains the sender's IP address, when in fact it only holds the email address for bounce handling, not any network-layer information.

How to eliminate wrong answers

Option A is wrong because the 'Return-Path' field contains the envelope sender (the bounce address), not the IP address of the sending client; it is used for non-delivery reports, not for tracing the original source IP. Option B is wrong because the 'Message-ID' field is a unique identifier string generated by the sending MUA or MTA, but it does not contain any IP address information; it is used for message tracking and threading. Option D is wrong because the 'DKIM-Signature' field contains a cryptographic signature and associated domain information (e.g., d=domain), but it does not include the sending client's IP address; it is used for email authentication, not origin IP tracing.

609
Multi-Selectmedium

Which THREE of the following are essential steps in the forensic analysis of a compromised web application that uses a MySQL backend?

Select 3 answers
A.Restore the database from the latest backup to ensure data integrity
B.Immediately change all database user passwords to prevent further access
C.Check for suspicious stored procedures, triggers, or user-defined functions
D.Analyze web server access logs to identify SQL injection attempts
E.Preserve the MySQL binary logs for timeline analysis
AnswersC, D, E

Attackers may create malicious objects for persistence.

Why this answer

Option C is correct because stored procedures, triggers, and user-defined functions (UDFs) in MySQL can be maliciously created or modified by an attacker to execute arbitrary code, escalate privileges, or maintain persistence. Forensic analysis must inspect these objects for unauthorized changes, as they are often overlooked but can contain backdoor logic that survives database restarts and backups.

Exam trap

Cisco often tests the principle of evidence preservation versus remediation — candidates mistakenly choose immediate corrective actions (like password changes or restores) instead of forensic preservation steps, confusing incident response with forensic analysis.

610
MCQmedium

A forensic analyst is examining a Windows 10 system for evidence of USB device usage. Which registry hive and key path should she check to find a list of USB devices that have been connected to the system?

A.HKLM\SAM\SAM\Domains\Account\Users
B.HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR
C.HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
D.NTUSER.DAT\Software\Microsoft\Windows\ShellNoRoam\BagMRU
AnswerB

This registry key stores information about all USB storage devices ever connected.

Why this answer

USB device history is stored in the SYSTEM hive under CurrentControlSet\Enum\USBSTOR. This key lists all USB storage devices that have been connected.

611
Multi-Selectmedium

A forensic examiner is analyzing an Android device for potential evidence of a specific app’s data. Which TWO locations within the device’s file system would MOST likely contain application-specific data?

Select 2 answers
A./data/data/<package_name>/
B./recovery/
C./ (root directory)
D./sdcard/Android/data/<package_name>/
E./system/app/
AnswersA, D

This directory contains private app data, databases, and shared preferences.

Why this answer

Option A is correct because `/data/data/<package_name>/` is the primary internal storage directory for an Android app's private data, including databases, shared preferences, and cached files. This directory is sandboxed per app and requires root access or a backup to read, making it a key forensic target for application-specific evidence.

Exam trap

EC-Council often tests the misconception that `/system/app/` contains user app data, when in fact it only holds pre-installed APK files, not runtime or user-generated data.

612
Multi-Selecteasy

Which TWO of the following are indicators of a webshell attack found in web server logs? (Select TWO)

Select 2 answers
A.Abnormal HTTP methods like OPTIONS or TRACE
B.High volume of traffic from a single IP
C.Requests to a .asp or .php file with parameters like cmd or exec
D.Frequent 404 errors for non-existent pages
E.POST requests to a script file in an upload directory
AnswersC, E

Common webshells accept commands via such parameters.

Why this answer

Webshells often involve file uploads to directories like uploads, and subsequent requests to that file with parameters indicating command execution (e.g., cmd=).

613
MCQhard

A forensic analyst is examining a PST file extracted from a suspect's computer. The analyst wants to recover deleted emails that are no longer visible in the Outlook folder hierarchy. Which approach is most effective?

A.Perform file carving on the PST file using a forensic tool
B.Open the PST in Outlook and check the 'Recoverable Items' folder
C.Use a hex editor to manually reconstruct deleted emails
D.Use a PST viewer to read the file directly
AnswerB

Outlook has a Recoverable Items folder that holds deleted items until the retention period expires.

Why this answer

Deleted items in PST files may still reside in the 'Deleted Items' folder or be recoverable from the Recoverable Items folder (dumpster) before permanent deletion.

614
MCQmedium

A forensic examiner uses a hardware write blocker when imaging a suspect's hard drive. What is the primary function of a hardware write blocker?

A.To encrypt the data on the suspect drive
B.To prevent any data from being written to the suspect drive
C.To connect the suspect drive via USB
D.To increase the speed of data acquisition
AnswerB

Correct. This preserves the original evidence.

Why this answer

A hardware write blocker is a device placed between the suspect drive and the forensic workstation that intercepts and blocks any write commands from the host system. Its primary function is to ensure that no data—such as file system metadata, temporary files, or operating system writes—can be written to the suspect drive, thereby preserving the original evidence in a forensically sound manner. This is critical for maintaining the integrity of the evidence and ensuring it is admissible in court.

Exam trap

EC-Council often tests the distinction between the function of a write blocker (preventing writes) and its physical interface (e.g., USB), leading candidates to mistakenly choose the interface option as the primary function.

How to eliminate wrong answers

Option A is wrong because encrypting the data on the suspect drive would alter the evidence and is not the function of a write blocker; encryption is a separate process typically applied to the forensic image, not the original drive. Option C is wrong because while many hardware write blockers do connect via USB or other interfaces, that is a means of connection, not the primary function; the core purpose is write protection, not the interface type. Option D is wrong because hardware write blockers do not increase acquisition speed; in fact, they may introduce a slight latency, and speed is determined by the drive interface and imaging software, not the blocker itself.

615
Multi-Selecthard

In ext3/ext4 file systems, which THREE of the following are key structures used for file metadata and recovery?

Select 3 answers
A.Journal
B.Superblock
C.Master File Table ($MFT)
D.File Allocation Table (FAT)
E.Inode table
AnswersA, B, E

Why this answer

The inode table stores metadata about each file (except name), superblock contains filesystem parameters, and journal records metadata changes for recovery.

616
Drag & Dropmedium

Drag and drop the steps to perform a forensic analysis of a PDF file for hidden data or malicious content into the correct order.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order

Why this order

PDF forensics involves parsing objects, checking for scripts, and sandbox analysis.

617
MCQmedium

A first responder arrives at a scene where a computer is on and logged in. There is a suspicion that the system contains volatile data that may be crucial to the investigation. According to best practices, what should the first responder do?

A.Immediately pull the power cord to preserve the hard drive
B.Place the system in a Faraday bag and transport to lab
C.Take photos and then shut down normally
D.Collect volatile data using tools like FTK Imager or dd
AnswerD

Volatile memory collection should be done before powering off.

Why this answer

Option D is correct because volatile data (e.g., RAM contents, network connections, running processes) is lost when the system loses power. FTK Imager or dd can capture a bit-for-bit image of memory and live system state while the computer remains on, preserving evidence that would otherwise vanish. This aligns with the order of volatility (RFC 3227), which prioritizes capturing volatile data before any other action.

Exam trap

EC-Council often tests the misconception that preserving the hard drive is the top priority, but the trap here is that volatile data is more fragile and must be collected first, even if it means leaving the system powered on.

How to eliminate wrong answers

Option A is wrong because immediately pulling the power cord destroys volatile data (RAM, open network sockets, cached credentials) and can cause file system corruption or anti-forensic artifacts (e.g., unflushed journal entries). Option B is wrong because a Faraday bag is used to isolate a device from wireless signals, not to preserve volatile data; it does not prevent data loss from power loss or capture running memory. Option C is wrong because shutting down normally triggers the OS to write cached data to disk, overwriting evidence, and terminates all volatile data; taking photos does not capture memory contents.

618
Multi-Selecthard

A security analyst detects suspicious outbound traffic to multiple external IPs on port 443. Which THREE network forensic data sources should be examined to identify the infected host and the nature of the communication?

Select 3 answers
A.Proxy logs
B.IDS/IPS logs
C.Firewall logs
D.Packet captures (PCAP)
E.NetFlow data
AnswersA, B, C

Proxy logs capture HTTP/HTTPS requests, revealing URLs, user agents, and destinations.

Why this answer

Firewall logs, proxy logs, and IDS/IPS logs are essential: firewall logs show allowed/denied connections, proxy logs reveal HTTP/HTTPS traffic details, and IDS/IPS logs detect malicious payloads.

619
MCQeasy

Which file system artifact in NTFS records file system events such as file creation, deletion, and modification, and is often used to track attacker activities?

A.Event Logs
B.Prefetch files
C.USN Journal
D.Registry
AnswerC

The USN Journal records every change to files and directories on an NTFS volume.

Why this answer

The USN (Update Sequence Number) journal, also known as the change journal, records all changes to files on an NTFS volume. It is a valuable artifact for tracking file activity and forensic timeline analysis.

620
MCQmedium

A company receives a legal hold notice regarding a lawsuit. What immediate action should the company take to comply?

A.Delete all emails older than 30 days to free up storage
B.Immediately format the hard drives of all employees involved
C.Preserve all potentially relevant electronic documents and data
D.Ignore the notice because it is not a court order
AnswerC

The legal hold requires preservation of all data that might be relevant to the lawsuit.

Why this answer

Option C is correct because a legal hold notice triggers a duty to preserve all potentially relevant electronically stored information (ESI). Under the Federal Rules of Civil Procedure (FRCP) Rule 37(e), failure to preserve can lead to spoliation sanctions. The immediate action is to issue a litigation hold notice and suspend routine data deletion policies, ensuring that all relevant emails, documents, and logs are preserved in their current state.

Exam trap

EC-Council often tests the misconception that a legal hold notice is optional or that routine deletion policies can continue, but the trap is that preservation duties begin immediately upon anticipation of litigation, regardless of whether a formal court order has been served.

How to eliminate wrong answers

Option A is wrong because deleting emails older than 30 days violates the preservation obligation and constitutes spoliation, which can result in adverse inference instructions or monetary sanctions. Option B is wrong because formatting hard drives destroys all data, including potentially relevant evidence, and is a textbook example of intentional spoliation. Option D is wrong because a legal hold notice, even if not a formal court order, carries legal weight under FRCP and common law; ignoring it can lead to severe penalties for failure to preserve evidence.

621
MCQmedium

A forensic analyst finds a file with the .plist extension on a Mac system. What type of artifact is this?

A.Log file
B.Executable binary
C.Email database
D.Property list file
AnswerD

.plist files are property lists used for storing configuration data.

Why this answer

.plist (Property List) files store configuration data for applications and system settings on macOS. They can contain user preferences, recent items, and other forensic artifacts.

622
MCQeasy

During a forensic investigation, you find an NTFS volume with a file that has an alternate data stream (ADS). Which command in Windows can be used to list all ADS on a file?

A.dir /r
B.dir /a
C.fsutil stream query
D.attrib /s
AnswerA

dir /r lists all streams (including alternate data streams) for each file.

Why this answer

The dir /r command in Windows lists all alternate data streams associated with files in a directory. This is a standard forensic technique to detect hidden data.

623
MCQmedium

In MySQL forensics, which log file is most commonly used to detect unauthorized data exfiltration or changes to database records?

A.Binary log
B.Slow query log
C.General query log
D.Error log
AnswerA

Binary log records all data changes in a compact format, ideal for identifying exfiltration or tampering.

Why this answer

The binary log (binlog) records all changes to database data and structure (INSERT, UPDATE, DELETE, DDL). It is essential for forensic analysis of data manipulation events.

624
MCQmedium

A security analyst notices that a log file on a Linux server shows repeated failed SSH login attempts from an external IP address, but no successful login from that IP. However, the /var/log/auth.log file has been recently truncated. Which type of evidence is the truncated log file?

A.Hearsay evidence
B.Best evidence
C.Circumstantial evidence
D.Direct evidence
AnswerD

The truncated log file is a direct artifact of an action (tampering) and can be directly observed.

Why this answer

The truncated log file is direct evidence because it is a tangible, physical artifact that, by its very state (having been truncated), directly indicates that an action was taken to alter or destroy log data. In computer forensics, direct evidence is evidence that, if believed, proves a fact without any inference or presumption. The truncation itself is a fact that can be observed and analyzed, and it directly supports the conclusion that someone tampered with the log file to conceal the failed SSH login attempts.

Exam trap

EC-Council often tests the distinction between direct and circumstantial evidence by presenting a scenario where the evidence (like a truncated log) seems to require inference, but the trap is that the physical state of the file is itself a directly observable fact, not an inference, making it direct evidence of tampering.

How to eliminate wrong answers

Option A is wrong because hearsay evidence is an out-of-court statement offered to prove the truth of the matter asserted, and a truncated log file is not a statement but a physical artifact; forensic examiners treat logs as real evidence, not hearsay. Option B is wrong because best evidence refers to the original document or recording when its content is at issue, but here the issue is the state of the log file (truncated), not the content of the log entries; the truncated file itself is the best evidence of tampering, but the term 'best evidence' is a legal rule about proving the content of a writing, not a classification of evidence type. Option C is wrong because circumstantial evidence requires an inference to connect the evidence to a fact (e.g., the truncation implies someone deleted logs), but the truncated log file is direct evidence of the act of truncation itself—no inference is needed to see that the file was truncated.

625
Multi-Selecthard

Which THREE of the following are valid memory forensic artifacts that can be extracted using the Volatility framework?

Select 3 answers
A.pstree
B.pslist
C.ls -l
D.netscan
E.dir /r
AnswersA, B, D

pstree displays the process tree.

Why this answer

Volatility can extract process lists (pslist), network connections (netscan), and process trees (pstree). These are standard plugins for memory analysis.

626
MCQmedium

An investigator is examining a FAT32 filesystem and needs to recover a deleted file. In FAT32, the directory entry for a deleted file has the first byte of the filename set to 0xE5. What does this indicate?

A.The file is a system file
B.The file is hidden
C.The file is encrypted
D.The file has been deleted
AnswerD

0xE5 is the deletion marker in FAT filesystems.

Why this answer

In FAT filesystems, a deleted file's directory entry is marked with 0xE5 as the first byte of the filename. The file's cluster chain in the File Allocation Table is also marked as free. This is the standard deletion marker.

627
MCQmedium

An investigator needs to recover a deleted partition from a disk that originally used an MBR partition table. Which tool can scan the disk for lost partitions and rebuild the partition table?

A.TestDisk
B.FTK Imager
C.Autopsy
D.PhotoRec
AnswerA

TestDisk is designed for partition recovery and can rebuild MBR and GPT partition tables.

Why this answer

TestDisk is a powerful tool designed to recover lost partitions and repair boot sectors. It can scan for partition tables and restore deleted partitions on MBR and GPT disks.

628
MCQeasy

A first responder is called to investigate a potential insider threat. The suspect's computer is turned off. What is the BEST procedure?

A.Compute a hash of the hard drive using a live CD.
B.Check the power cord and peripherals for tampering.
C.Seize the computer and transport it to a forensic lab for imaging.
D.Turn on the computer to see if it boots normally.
AnswerC

Proper procedure is to seize and preserve the system for controlled analysis.

Why this answer

When a suspect's computer is already turned off, the best procedure is to seize it and transport it to a forensic lab for imaging. This preserves the integrity of the evidence by preventing any accidental modification of the hard drive's contents, which could occur if the system is powered on or booted from a live CD. In forensic best practices, the first responder should never boot a suspect's computer, as doing so can alter critical system files, timestamps, and volatile data, compromising the chain of custody and admissibility of evidence.

Exam trap

EC-Council often tests the misconception that booting from a live CD is safe because it doesn't touch the hard drive, but in reality, even a live CD can modify the system's registry, page file, or metadata through normal operation, which is why seizing the computer for lab imaging is the only forensically sound option.

How to eliminate wrong answers

Option A is wrong because computing a hash of the hard drive using a live CD requires booting the suspect's computer, which alters the system state (e.g., writes to the page file, updates last access times) and violates the forensic principle of not modifying evidence. Option B is wrong because checking the power cord and peripherals for tampering is a physical inspection step that, while potentially useful, is not the best procedure; the priority is to secure the digital evidence by seizing the computer intact. Option D is wrong because turning on the computer to see if it boots normally will immediately alter the hard drive's contents (e.g., writing to the registry, updating logs, modifying file timestamps), destroying potential evidence and violating the forensic requirement to preserve the original state.

629
MCQmedium

Which of the following is the BEST description of Locard's exchange principle as applied to digital forensics?

A.Only original evidence is admissible in court
B.Digital evidence must be collected in a manner that preserves its integrity
C.Every contact leaves a trace; the perpetrator will leave digital traces on the crime scene
D.Evidence must be documented with a chain of custody
AnswerC

Locard's principle applied to digital evidence.

Why this answer

Locard's exchange principle states that every contact leaves a trace. In digital forensics, this means that when a perpetrator interacts with a system—whether by accessing files, running commands, or connecting to a network—they inevitably leave digital artifacts such as log entries, registry keys, metadata, or network connection records. Option C correctly captures this core concept of trace transfer in the digital domain.

Exam trap

EC-Council often tests whether candidates confuse Locard's exchange principle with general forensic procedures like chain of custody or evidence integrity, so the trap is picking a correct-sounding but non-specific option (B or D) instead of the precise definition of trace transfer.

How to eliminate wrong answers

Option A is wrong because it misstates admissibility rules; evidence does not have to be original to be admissible—duplicates or copies are often acceptable under rules like Federal Rule of Evidence 1003, provided they are accurate and authentic. Option B is wrong because it describes the general requirement for evidence integrity and proper collection procedures, which is a forensic best practice but not a description of Locard's exchange principle. Option D is wrong because chain of custody is a documentation process to track evidence handling, not a statement about the transfer of traces between a perpetrator and a crime scene.

630
Multi-Selecthard

A forensic analyst is recovering deleted files from an ext3 file system. Which TWO methods can be used to recover deleted inodes?

Select 2 answers
A.Using file carving tools like Foremost
B.Using dd to create a raw image
C.Analyzing the ext3 journal for deleted inode entries
D.Using debugfs to display the superblock
E.Scanning the inode table for orphan inodes
AnswersC, E

The journal may contain records of deleted inodes.

Why this answer

In ext3, deleted inodes can be recovered by analyzing the journal (which records metadata changes) or by scanning the inode table for orphan inodes. File carving recovers file data without metadata. Using debugfs to view the superblock does not recover inodes.

631
Multi-Selectmedium

Which TWO artifacts are commonly used to identify USB device insertion history on a Windows system? (Select TWO.)

Select 2 answers
A.NTUSER.DAT
B.HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR
C.prefetch files
D.setupapi.dev.log
E.Event ID 7045
AnswersB, D

USBSTOR enumerates USB storage devices that have been connected.

Why this answer

The USBSTOR registry key and setupapi.dev.log contain information about USB devices connected to the system, including device IDs and timestamps.

632
Multi-Selectmedium

Which THREE of the following are recommended practices for maintaining the integrity of digital evidence in a forensics lab?

Select 3 answers
A.Maintain a detailed chain of custody log
B.Generate cryptographic hashes of evidence files
C.Use hardware write-blockers during acquisition
D.Perform regular backups of all evidence
E.Run antivirus scans on evidence before analysis
AnswersA, B, C

Documents handling and prevents tampering.

Why this answer

Maintaining a detailed chain of custody log (Option A) is a recommended practice because it provides a verifiable, chronological record of every person who handled the evidence, the time and date of each transfer, and the purpose of each transfer. This ensures the evidence's integrity by demonstrating that it has not been tampered with or altered from the moment of seizure through analysis and presentation in court. Without a proper chain of custody, the evidence can be challenged as inadmissible under rules like Federal Rule of Evidence 901.

Exam trap

The trap here is that candidates often confuse general IT best practices (like backups and antivirus scans) with forensic-specific integrity practices, failing to recognize that backups can create chain-of-custody gaps and antivirus scans can actively modify evidence.

633
Multi-Selecteasy

Which TWO of the following hashing algorithms are commonly used to verify the integrity of forensic images? (Choose two.)

Select 2 answers
A.SHA-3
B.SHA-1
C.RSA
D.AES
E.MD5
AnswersB, E

SHA-1 is widely used in forensic imaging tools.

Why this answer

SHA-1 and MD5 are the two hashing algorithms most commonly used in forensic practice to verify the integrity of forensic images. They produce a fixed-size hash value (160-bit for SHA-1, 128-bit for MD5) that acts as a digital fingerprint; if the hash of the original image matches the hash of a copy, the data is considered unchanged. Despite known collision weaknesses, they remain the de facto standards in tools like FTK Imager, EnCase, and dd due to their speed and widespread tool support.

Exam trap

EC-Council often tests the distinction between hashing algorithms (integrity) and encryption algorithms (confidentiality), so the trap here is that candidates confuse RSA and AES as hashing algorithms because they are cryptographic primitives, but they serve entirely different purposes.

634
MCQmedium

During a forensic investigation, a lawyer objects to the admissibility of a log file on the grounds that it is hearsay. Which of the following is the BEST argument to overcome this objection?

A.The log file qualifies as a business record exception to the hearsay rule.
B.The log file is circumstantial evidence, not hearsay.
C.The log file is direct evidence of the intrusion.
D.The log file is the best evidence because it is an original record.
AnswerA

Business records that are regularly kept and relied upon are exceptions to hearsay (e.g., FRE 803(6)).

Why this answer

The log file is admissible under the business records exception to the hearsay rule (Federal Rule of Evidence 803(6)). This exception applies because logs are created automatically or by a person with knowledge, near the time of the event, in the regular course of business, and it is the regular practice to make such records. In digital forensics, system logs (e.g., Windows Event Logs, syslog) are routinely admitted under this exception, as they are generated by the system without the declarant's bias or memory issues.

Exam trap

EC-Council often tests the misconception that 'best evidence' or 'original record' automatically overcomes hearsay, but the trap here is that hearsay and best evidence are separate evidentiary rules, and only a specific exception like business records can defeat a hearsay objection.

How to eliminate wrong answers

Option B is wrong because circumstantial evidence is still subject to hearsay rules; the log file is an out-of-court statement offered to prove the truth of the matter asserted (e.g., that an intrusion occurred), which is hearsay, not circumstantial. Option C is wrong because direct evidence is evidence that directly proves a fact without inference, but a log file still requires interpretation and is a recorded statement, making it hearsay unless an exception applies. Option D is wrong because the best evidence rule (original document rule) applies to proving the content of a writing, recording, or photograph, but it does not overcome a hearsay objection; the log file could still be excluded as hearsay even if it is the original.

635
Multi-Selectmedium

A forensic examiner is preparing to testify as an expert witness. Which THREE of the following qualities are essential for the examiner's testimony to be admissible under the Daubert standard? (Select THREE)

Select 3 answers
A.The methods used have been tested and are subject to peer review
B.The techniques used are generally accepted within the forensic community
C.The examiner holds a degree in computer science
D.The examiner has testified in at least ten previous cases
E.The potential error rate of the methodology is known
AnswersA, B, E

Testability and peer review are key Daubert factors.

Why this answer

The Daubert standard requires that expert testimony be based on scientific methods that are testable, peer-reviewed, and have known error rates.

636
Multi-Selectmedium

Which TWO of the following are valid locations in a Windows system where forensic evidence of USB device connection can be found?

Select 2 answers
A.SYSTEM\CurrentControlSet\Enum\USBSTOR registry key
B.Amcache.hve file
C.SetupAPI.dev.log file
D.Event Logs with source 'Device Setup'
E.C:\Windows\Prefetch folder
AnswersA, C

This key enumerates all USB storage devices that have been connected to the system.

Why this answer

The SYSTEM\CurrentControlSet\Enum\USBSTOR registry key is a primary location where Windows records every USB storage device that has been connected to the system. Each device is listed under this key with a unique instance ID, including the vendor ID, product ID, and serial number, providing persistent evidence of USB connections even after the device is removed.

Exam trap

Cisco often tests the distinction between persistent device enumeration records (USBSTOR) and installation logs (SetupAPI.dev.log) versus volatile or indirect artifacts like prefetch files or misnamed event sources, leading candidates to incorrectly select Amcache.hve or Prefetch as valid USB connection evidence.

637
MCQmedium

An investigator finds evidence of data hidden using Alternate Data Streams (ADS) on an NTFS volume. Which command would display all ADS associated with files in a directory?

A.dir /s
B.dir /x
C.dir /r
D.dir /a
AnswerC

/r displays alternate data streams in the output.

Why this answer

The `dir /r` command in Windows Command Prompt lists all files, including their alternate data streams. Alternatively, tools like 'streams' from Sysinternals can be used.

638
MCQhard

During a network forensic investigation, the analyst examines firewall logs and notices a large number of outbound connections from an internal server to various IP addresses on port 443 at regular intervals. The connections are all initiated by a process called 'svchost.exe' running from a non-standard location (C:\Windows\Temp). What is the MOST likely explanation?

A.The server is running a scheduled backup to an external cloud service
B.The server is performing legitimate Windows Update checks
C.The server is infected with malware that is beaconing to a command-and-control server
D.The server is being used as a proxy for internal users
AnswerC

The non-standard path and regular outbound connections are classic indicators of C2 beaconing.

Why this answer

svchost.exe from C:\Windows\Temp indicates a masquerading technique where malware names itself after a legitimate Windows process but runs from an unauthorized location. The outbound connections on port 443 are likely command-and-control (C2) traffic.

639
MCQeasy

Which Android file system location is MOST likely to contain user-installed app data, preferences, and cached information?

A./vendor/
B./data/data/
C./system/
D./mnt/sdcard/
AnswerB

Standard location for app-specific data on Android.

Why this answer

The /data/data/ directory on Android devices stores application-specific data for user-installed apps, including preferences (shared preferences XML files), databases, and cached information. This location is part of the internal storage partition and is sandboxed per app, ensuring that each app can only access its own data directory. It is the primary repository for runtime app data, making it the most relevant for forensic analysis of user-installed app artifacts.

Exam trap

EC-Council often tests the misconception that user-installed app data is stored on the SD card (/mnt/sdcard/) because users commonly see app files there, but in Android's security model, private app data is strictly kept in /data/data/ and not on external storage.

How to eliminate wrong answers

Option A is wrong because /vendor/ contains proprietary firmware and system-level binaries provided by the device manufacturer, not user-installed app data. Option C is wrong because /system/ holds the Android operating system files (e.g., framework, core apps) and is read-only in normal operation; user-installed app data is never stored here. Option D is wrong because /mnt/sdcard/ (or /sdcard) is the external or emulated storage mount point for user-accessible files like photos and downloads, but it does not contain app-specific private data, preferences, or cached information that is sandboxed per app.

640
MCQmedium

A forensic analyst finds multiple Prefetch files in C:\Windows\Prefetch with recent timestamps. What is the primary value of Prefetch files in an investigation?

A.They store the user's web browsing history
B.They list all network connections made by the system
C.They record the first and last execution times of applications
D.They contain the actual content of user documents
AnswerC

Prefetch files track execution times and frequency.

Why this answer

Prefetch files contain the first run time, last run time, and run count of applications, plus loaded DLLs, useful for timeline analysis.

641
MCQhard

A malware analyst is examining a suspicious Windows executable. Running 'strings' reveals references to 'C:\Windows\System32\drivers\etc\hosts' and IP addresses 185.130.5.21 and 192.168.1.1. Dynamic analysis in a sandbox shows the binary modifies the hosts file and creates a mutex named 'Global\Mtx_Update'. Which behavioral indicator is MOST clearly associated with persistence?

A.Modifying the hosts file with an entry for 192.168.1.1
B.Connecting to IP 185.130.5.21 on port 443
C.Writing temporary files to %TEMP%
D.Creating the mutex 'Global\Mtx_Update'
AnswerA

Modifying the hosts file persists across reboots and can be used for traffic redirection, but it is not a typical auto-start persistence; however, among the options, it is the only persistent system change.

Why this answer

Option A is correct because modifying the hosts file to redirect a legitimate domain to 192.168.1.1 is a classic persistence mechanism: the malware ensures that every time the system resolves that domain, it points to the attacker-controlled IP, effectively hijacking network traffic persistently across reboots without needing to run at startup. This behavior directly maintains unauthorized control over name resolution, which is a hallmark of persistence.

Exam trap

EC-Council often tests the distinction between persistence (surviving reboot) and other behavioral indicators like mutex creation or network connections, so the trap here is confusing a mutex (used for single-instance control) with a persistence mechanism.

How to eliminate wrong answers

Option B is wrong because connecting to an external IP (185.130.5.21) on port 443 is a network communication indicator (C2 beaconing), not a persistence mechanism—it does not ensure the malware survives a reboot. Option C is wrong because writing temporary files to %TEMP% is a common execution artifact (e.g., dropping payloads or logs) but does not by itself guarantee the malware will re-execute after a system restart. Option D is wrong because creating a mutex (Global\Mtx_Update) is a synchronization primitive used to prevent multiple instances of the malware from running simultaneously; it does not provide any mechanism for automatic re-execution upon boot.

642
Multi-Selectmedium

A forensic investigator is analyzing a Windows system suspected of malware infection. Which TWO of the following are common persistence mechanisms that malware may use?

Select 2 answers
A.Scheduled Tasks via schtasks
B.Creating a Windows service
C.Adding an entry to the hosts file
D.Modifying the boot.ini file
E.HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
AnswersA, E

Malware can create tasks to run at specific times or logon.

Why this answer

Scheduled Tasks via schtasks (Option A) are a common persistence mechanism because malware can create a task that runs at system startup or at regular intervals to re-infect or maintain a foothold. The schtasks command allows creating tasks with SYSTEM privileges, often triggered by logon or system boot events, making it a stealthy way to survive reboots.

Exam trap

Cisco often tests the distinction between persistence mechanisms and other system modifications (like hosts file or boot.ini) that do not automatically execute code on startup, leading candidates to mistakenly select options that alter system behavior but do not achieve persistence.

643
MCQmedium

During a forensic investigation, an analyst recovers a hard drive that uses GPT partitioning. The analyst needs to locate the backup GPT header to verify partition table integrity. Where is the backup GPT header typically stored on the disk?

A.The first sector of the last partition
B.The last sector of the disk
C.Sector 0 (the MBR sector)
D.Sector 1 (immediately after the protective MBR)
AnswerB

The backup GPT header is located at the last logical sector of the disk.

Why this answer

The backup GPT header is stored at the last sector of the disk to provide redundancy in case the primary GPT header is corrupted.

644
MCQmedium

During a database forensic investigation, an analyst recovers a MySQL binary log file (binlog.000012) from a compromised server. Which command should the analyst use to extract the actual SQL statements from this binary log in a human-readable format?

A.mysqldump --binlog binlog.000012
B.mysqlimport --binlog binlog.000012
C.mysqlcheck --binlog binlog.000012
D.mysqlbinlog binlog.000012
AnswerD

mysqlbinlog converts binary log to SQL text.

Why this answer

The `mysqlbinlog` utility is specifically designed to parse MySQL binary log files and output the contained SQL statements in a human-readable format. Binary logs record all data-changing operations (e.g., INSERT, UPDATE, DELETE) in a proprietary binary format, so only `mysqlbinlog` can decode them back into readable SQL for forensic analysis.

Exam trap

EC-Council often tests the distinction between MySQL administrative utilities (mysqldump, mysqlcheck, mysqlimport) and the forensic-specific tool mysqlbinlog, exploiting the common misconception that any MySQL command with 'binlog' in its name can read binary logs.

How to eliminate wrong answers

Option A is wrong because `mysqldump` is a backup tool that exports database schemas and data as SQL text, not a binary log reader; it has no `--binlog` option. Option B is wrong because `mysqlimport` is used to load data from text files into tables using LOAD DATA INFILE, and it does not interact with binary logs. Option C is wrong because `mysqlcheck` is a maintenance utility for checking, repairing, and optimizing tables; it cannot decode binary log files.

645
Multi-Selecthard

A forensic examiner is analyzing a Linux system suspected of being used as a C2 server. Which THREE artifacts should the examiner prioritize to find evidence of command execution and persistence? (Select three.)

Select 3 answers
A.~/.bash_history
B./var/log/syslog
C./etc/passwd
D./var/log/auth.log
E./etc/crontab
AnswersA, D, E

Correct. Contains typed commands.

Why this answer

Bash history shows commands typed by the user. Auth.log may show reverse shell connections. Cron jobs are common persistence mechanisms.

Syslog is too broad, and /etc/passwd shows users but not execution.

646
Multi-Selectmedium

Which TWO of the following artifacts are used for timeline analysis in digital forensics? (Select two.)

Select 2 answers
A.LNK files
B.HKLM\SYSTEM
C.Prefetch files
D.HKLM\SAM
E.Windows Event Logs
AnswersA, C

LNK files contain timestamps of file access, useful for timeline.

Why this answer

LNK files are correct because they record the last access timestamp of the file or application they point to, along with the volume serial number and path. This metadata allows a forensic examiner to reconstruct user activity and file access sequences during timeline analysis. Prefetch files are correct because they store the last run time, run count, and file paths of executed applications, enabling the creation of a chronological timeline of program execution on a Windows system.

Exam trap

EC-Council often tests the distinction between artifacts that provide direct timestamps for user activity (LNK, Prefetch) versus those that store static configuration or security data (HKLM\SYSTEM, HKLM\SAM), leading candidates to incorrectly select registry hives as timeline sources.

647
MCQeasy

A forensic investigator needs to capture network traffic from a SPAN port on a switch to analyze an ongoing compromise. Which tool should the investigator use to collect the full packet capture (pcap) for later analysis?

A.NetFlow
B.nmap
C.Wireshark
D.tcpdump
AnswerD

tcpdump captures full packets and writes to pcap format.

Why this answer

tcpdump is a command-line packet capture utility that captures raw network traffic at the link layer, making it ideal for collecting full packet captures (PCAP) from a SPAN port. Unlike GUI tools, it can run headless on a forensic workstation and write binary PCAP files for later analysis with tools like Wireshark. It captures all packets traversing the SPAN port without filtering by default, ensuring a complete record of the compromise.

Exam trap

Cisco often tests the distinction between flow-based monitoring (NetFlow) and full packet capture (tcpdump), leading candidates to mistakenly choose NetFlow because it is associated with network monitoring, even though it lacks the payload data required for forensic analysis.

How to eliminate wrong answers

Option A is wrong because NetFlow is a flow-level monitoring protocol that exports aggregated metadata (e.g., source/destination IPs, ports, byte counts) rather than full packet payloads, so it cannot provide the complete packet capture needed for deep forensic analysis. Option B is wrong because nmap is a network scanning and discovery tool used for port scanning and service enumeration, not for capturing live network traffic or generating PCAP files. Option C is wrong because Wireshark is a GUI-based packet analyzer that can capture traffic, but it is not the optimal tool for headless, long-duration capture from a SPAN port; it consumes more system resources and is typically used for interactive analysis rather than raw PCAP collection in a forensic acquisition scenario.

648
MCQeasy

An analyst is examining a Windows 10 system and discovers a file in the $Recycle.bin folder with a name like '$RABCDEF.txt'. The analyst wants to recover the original file path and deletion date. Which forensic artifact should the analyst examine?

A.The corresponding $I file (e.g., $IABCDEF.txt) in $Recycle.bin
B.The Windows Event Logs
C.The USN journal
D.The $MFT entry for the $R file
AnswerA

$I files store the original name, path, and deletion timestamp.

Why this answer

The $I files in the $Recycle.bin contain metadata about the deleted file, including original path and deletion time.

649
MCQmedium

During a forensic investigation, the examiner uses a write blocker to connect the suspect drive to the forensic workstation. What is the PRIMARY purpose of using a write blocker?

A.To speed up the data acquisition process
B.To encrypt the data on the evidence drive
C.To prevent the operating system from writing data to the evidence drive
D.To allow the evidence drive to be used as a boot device
AnswerC

This preserves the integrity of the evidence.

Why this answer

A write blocker prevents any write operations to the evidence drive, ensuring the original data is not altered during acquisition.

650
MCQhard

In a UK-based investigation, the police seize a computer without a warrant. The suspect's lawyer argues that the evidence is inadmissible because it violates which law?

A.Police and Criminal Evidence Act (PACE)
B.Fourth Amendment to the US Constitution
C.General Data Protection Regulation (GDPR)
D.Computer Misuse Act
AnswerA

Correct. PACE is the relevant UK law.

Why this answer

The Police and Criminal Evidence Act (PACE) 1984 governs the powers of police in England and Wales to search, seize, and retain evidence. Without a warrant, the seizure of a computer likely violates PACE's requirements for lawful entry and seizure, making the evidence inadmissible under UK law.

Exam trap

EC-Council often tests the distinction between US constitutional law (Fourth Amendment) and UK statutory law (PACE), causing candidates to mistakenly apply US legal principles to a UK scenario.

How to eliminate wrong answers

Option B is wrong because the Fourth Amendment to the US Constitution applies only to searches and seizures by US government entities, not to UK police investigations. Option C is wrong because the General Data Protection Regulation (GDPR) governs the processing of personal data, not the legality of evidence seizure without a warrant. Option D is wrong because the Computer Misuse Act criminalizes unauthorized access to computer systems, but does not regulate police seizure procedures or admissibility of evidence.

651
MCQeasy

In Windows forensics, which artifact is a database of metadata about files and applications accessed by the user, used to populate the 'Recent Items' and 'Quick Access' lists?

A.Jumplists
B.Prefetch files
C.LNK files
D.ShellBags
AnswerA

Jumplists track recent files and tasks per application.

Why this answer

Jumplists contain recently accessed files and application-specific destinations, used for Quick Access and Recent Items.

652
MCQmedium

A forensic investigator is examining a Mac system and wants to review recently accessed files and applications. Which macOS artifact is MOST useful for this purpose?

A.bash_history
B..plist files in ~/Library/Preferences/
C.Unified Logging (log stream)
D.FSEvents (/.fseventsd)
AnswerD

FSEvents records file system changes and can be used to reconstruct user activity.

Why this answer

FSEvents records file system events such as file creation, modification, and deletion. It is a key artifact for timeline analysis on macOS.

653
MCQmedium

An iOS forensic examiner recovers a Keychain dump from an iPhone. Which of the following types of data is typically NOT stored in the iOS Keychain?

A.Wi-Fi passwords
B.Safari saved passwords
C.SMS message content
D.VPN credentials
AnswerC

SMS messages are stored in the SMS.db database, not in the Keychain.

Why this answer

The iOS Keychain is designed to store small, sensitive credentials such as passwords, keys, and certificates. SMS message content is stored in the SMS/MMS database (sms.db) under the protected /private/var/mobile/Library/SMS/ directory, not in the Keychain. Keychain items are encrypted per-app or per-service, whereas SMS messages are managed by the Messages app and stored in a SQLite database with its own encryption layer.

Exam trap

EC-Council often tests the misconception that all sensitive user data (including messages) is stored in the Keychain, but the Keychain is strictly for credentials and secrets, not for bulk message content.

How to eliminate wrong answers

Option A is wrong because Wi-Fi passwords are stored in the iOS Keychain as network credentials, accessible via the System Keychain. Option B is wrong because Safari saved passwords are stored in the Keychain under the iCloud Keychain or local Keychain for autofill. Option D is wrong because VPN credentials (e.g., L2TP, IPSec shared secrets, or certificate-based authentication) are stored in the Keychain as part of the VPN configuration payload.

654
MCQmedium

A forensic analyst is examining a Microsoft Outlook PST file as part of an email investigation. Which tool is specifically designed to parse and analyze PST files and extract email metadata?

A.Wireshark
B.EmailTracker
C.Sleuth Kit
D.Aid4Mail
AnswerD

Aid4Mail is a forensic email extraction and analysis tool.

Why this answer

Aid4Mail is a forensic email analysis tool that supports PST, OST, MBOX, and other formats. It is commonly used for email investigations.

655
Drag & Dropmedium

Drag and drop the steps to capture network traffic with Wireshark for forensic analysis into the correct order.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order

Why this order

Network capture requires admin rights, interface selection, optional filters, and saving the capture.

656
MCQhard

After a factory reset on an Android device, a forensic examiner attempts to recover user data. Which of the following statements is most accurate regarding the recoverability of data?

A.Some user data may be recoverable from the /data partition if it has not been overwritten
B.Data in /data/data/ is securely wiped using TRIM commands, making recovery impossible
C.All user data is permanently destroyed and cannot be recovered
D.Only Google account tokens are recoverable after a factory reset
AnswerA

Factory reset does not overwrite all blocks, so data may persist and be recoverable.

Why this answer

A factory reset on Android typically performs a fast format of the /data partition, which only erases the file system metadata (e.g., ext4 journal and inode tables) but does not overwrite the actual data blocks. Therefore, user data may remain on the flash storage and be recoverable using forensic tools until those blocks are overwritten by new writes. This is why option A is correct: some user data may be recoverable from the /data partition if it has not been overwritten.

Exam trap

Cisco often tests the misconception that a factory reset performs a full secure wipe, when in reality it only removes file system pointers and does not overwrite the underlying data, making recovery possible until overwritten.

How to eliminate wrong answers

Option B is wrong because TRIM commands are issued by the file system to the eMMC/NAND controller to mark blocks as unused, but they do not securely wipe data; they only allow the controller to garbage-collect blocks, and data remnants can often be recovered before physical erasure. Option C is wrong because a factory reset does not perform a secure erase or overwrite of all user data; it only removes file system pointers, leaving the underlying data intact until overwritten. Option D is wrong because not only Google account tokens but also other user data (e.g., app data, cached files, photos) may be recoverable from the /data partition after a factory reset.

657
MCQmedium

Which tool is specifically designed to extract metadata from email messages, including tracking the route and identifying the originating IP address?

A.EmailTracker
B.Wireshark
C.MailXaminer
D.Outlook
AnswerA

EmailTracker specializes in analyzing email headers and metadata for forensic purposes.

Why this answer

EmailTracker is a tool that analyzes email headers to trace the path and identify the source IP, often used in email forensics.

658
MCQhard

A security analyst observes a suspicious process creating multiple mutexes with names like 'XxX_12345' and 'XxX_67890' and making outbound connections to an IP address 185.130.5.1 on port 443. Which behavioral indicator is MOST consistent with malware communication?

A.The process is performing data exfiltration via DNS tunneling
B.The process is attempting to spread to other machines via SMB
C.The mutexes indicate an attempt to prevent multiple instances, and outbound connections suggest C2 activity
D.The process is a legitimate application using mutexes for inter-process communication
AnswerC

Mutexes are often used for single-instance protection, and outbound connections are typical for C2.

Why this answer

The creation of mutexes with a consistent naming pattern (e.g., 'XxX_12345') is a classic anti-replication mechanism used by malware to ensure only one instance runs on a system, preventing conflicts and detection. The outbound connections to a specific IP on port 443 (HTTPS) are highly indicative of command-and-control (C2) communication, as malware often uses encrypted channels to blend in with legitimate traffic. Option C correctly identifies both the mutex's purpose (preventing multiple instances) and the network behavior (C2 activity), making it the most consistent with malware communication.

Exam trap

Cisco often tests the misconception that any outbound connection on port 443 is automatically legitimate HTTPS traffic, but the trap here is that malware frequently uses this port for C2, and the mutex pattern is a key differentiator from benign software.

How to eliminate wrong answers

Option A is wrong because DNS tunneling involves encoding data in DNS queries/responses, typically on UDP port 53, not outbound HTTPS connections on port 443; the mutex names also have no relation to DNS. Option B is wrong because SMB propagation uses port 445 (or 139) for file and printer sharing, not port 443, and mutexes are not a standard mechanism for spreading via SMB. Option D is wrong because while legitimate applications do use mutexes for inter-process communication, the combination of suspicious mutex names (e.g., 'XxX_') and outbound connections to an external IP on a common C2 port (443) is not typical of benign software; legitimate apps rarely hardcode such patterns for external communication.

659
MCQeasy

In Windows registry forensics, which registry hive contains the SAM database storing local user account hashes?

A.HKLM\Security
B.HKLM\System
C.NTUSER.DAT
D.HKLM\Sam
AnswerD

Correct: HKLM\SAM contains the SAM database with local user account hashes.

Why this answer

The Security Account Manager (SAM) registry hive stores local user account information and password hashes, typically located at HKLM\SAM.

660
MCQmedium

A security analyst detects that a known malware sample writes to the registry key 'HKLM\SYSTEM\CurrentControlSet\Services\<malware>\ImagePath' and creates a service. This behavior is characteristic of which type of persistence mechanism?

A.Scheduled task
B.AppInit_DLLs
C.Startup folder entry
D.Windows service
AnswerD

The registry path under Services indicates the malware is installed as a service, which runs automatically at boot.

Why this answer

The malware writes to 'HKLM\SYSTEM\CurrentControlSet\Services\<malware>\ImagePath' and creates a service, which is the exact mechanism for registering a Windows service. This persistence method ensures the malware runs automatically when the system boots, as the Service Control Manager (SCM) loads services based on this registry key. Option D is correct because this behavior directly corresponds to the Windows service persistence technique.

Exam trap

Cisco often tests the distinction between registry-based persistence mechanisms; the trap here is that candidates confuse the 'Services' registry key with other common persistence locations like 'Run' keys or 'AppInit_DLLs', but the specific 'ImagePath' value under a service subkey uniquely identifies Windows service persistence.

How to eliminate wrong answers

Option A is wrong because scheduled tasks are configured via the Task Scheduler and stored in 'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule' or XML files in '\Windows\System32\Tasks', not under the Services registry key. Option B is wrong because AppInit_DLLs persistence uses the 'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs' registry value to load DLLs into every user-mode process, not by creating a service entry. Option C is wrong because the Startup folder entry involves placing a shortcut or executable in 'C:\Users\[Username]\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' or the All Users startup folder, not modifying the Services registry hive.

661
Multi-Selectmedium

A forensic examiner is analyzing a mobile device that may have been tampered with to erase evidence. Which TWO anti-forensic techniques are commonly encountered in mobile forensics? (Select TWO.)

Select 2 answers
A.Encryption
B.Steganography
C.Factory reset
D.Log wiping
E.Timestomping
AnswersC, E

Factory reset is a common method to erase evidence on mobile devices.

Why this answer

Factory reset (option C) is a common anti-forensic technique in mobile forensics because it wipes user data partitions and resets the device to its original state, often using the 'wipe_data' command in recovery mode or via settings. This removes user-installed applications, accounts, and files, making data recovery difficult unless a physical or chip-off method is used. Timestomping (option E) is also common, as attackers modify file timestamps (e.g., using 'touch -t' on rooted devices or manipulating EXT4 metadata) to mislead forensic timelines and hide the sequence of events.

Exam trap

EC-Council often tests the distinction between anti-forensic techniques (active evidence destruction or manipulation) and general security controls (like encryption), leading candidates to incorrectly select encryption as an anti-forensic method.

662
MCQmedium

During a forensic investigation, an analyst uses a tool to create a bit-for-bit copy of a hard drive while ensuring the original is not modified. Which of the following is a hardware write blocker that can be used for this purpose?

A.FTK Imager
B.Tableau
C.dd
D.EnCase
AnswerB

Tableau manufactures hardware write blockers that physically prevent data from being written to the source drive.

Why this answer

A hardware write blocker physically prevents any write commands from reaching the original drive at the SATA/IDE bus level, ensuring the drive remains unaltered during acquisition. Tableau is a well-known manufacturer of forensic hardware write blockers that operate transparently to the imaging software, making it the correct choice for a hardware-based solution.

Exam trap

Cisco often tests the distinction between software tools (FTK Imager, dd, EnCase) and dedicated hardware write blockers (Tableau), trapping candidates who assume any forensic imaging tool inherently provides write protection.

How to eliminate wrong answers

Option A is wrong because FTK Imager is a software tool, not a hardware device; it relies on the operating system or a separate hardware blocker to prevent writes. Option C is wrong because dd is a Unix/Linux command-line utility for bit-for-bit copying, but it is software and does not inherently block writes to the source drive without additional safeguards like a hardware blocker or a read-only mount. Option D is wrong because EnCase is a forensic software suite that can acquire images, but it is not a hardware write blocker; it depends on external hardware or software write protection to ensure the source is not modified.

663
MCQmedium

Which of the following is an example of Locard's Exchange Principle as applied to digital forensics?

A.A suspect's computer contains log files showing they accessed a server
B.A hard drive is encrypted and cannot be read
C.A firewall blocks all incoming traffic from a specific IP address
D.A write blocker prevents data from being written to a drive
AnswerA

The access leaves traces on the suspect's machine.

Why this answer

Locard's Exchange Principle states that every contact leaves a trace. In digital forensics, this translates to the idea that when a system interacts with another, digital artifacts (such as log entries, registry keys, or network connection records) are created. Option A is correct because the log files on the suspect's computer are a direct trace of the contact between the suspect's system and the server, demonstrating the principle in a digital context.

Exam trap

EC-Council often tests the misconception that any security tool or data protection mechanism (like encryption or firewalls) is an example of Locard's Exchange Principle, when in fact the principle specifically requires evidence of a transfer or contact trace, not a barrier or lack of access.

How to eliminate wrong answers

Option B is wrong because encryption is a protective measure that prevents data access, not an example of trace evidence exchange; it does not demonstrate the creation of digital artifacts from contact. Option C is wrong because a firewall rule that blocks traffic is a security control that prevents contact, not a trace of contact that has already occurred; it does not illustrate the exchange of digital evidence. Option D is wrong because a write blocker is a hardware or software tool used to preserve evidence integrity during acquisition, not an example of a trace left by an interaction; it prevents modification, not exchange.

664
MCQeasy

Which of the following is the primary purpose of performing static analysis on a suspicious binary?

A.Capturing network traffic generated by the binary
B.Observing the binary's runtime behaviour in a sandbox
C.Analysing the binary's code and structure without executing it
D.Modifying the binary to bypass anti-analysis techniques
AnswerC

Static analysis involves examining the binary file itself, including headers, strings, and disassembly, without running it.

Why this answer

Static analysis examines a binary's code and structure without executing it, allowing analysts to identify malicious indicators such as embedded strings, import tables, and cryptographic constants. This approach avoids triggering anti-analysis mechanisms that activate upon execution, making it a foundational step in malware forensics.

Exam trap

EC-Council often tests the distinction between static and dynamic analysis, trapping candidates who confuse observing runtime behavior (dynamic) with examining code without execution (static).

How to eliminate wrong answers

Option A is wrong because capturing network traffic is a dynamic analysis technique that requires executing the binary to observe its communication, not static analysis. Option B is wrong because observing runtime behavior in a sandbox is dynamic analysis, which executes the binary and risks triggering anti-VM or anti-sandbox code. Option D is wrong because modifying the binary to bypass anti-analysis is an active evasion technique, not a purpose of static analysis; static analysis is non-invasive and does not alter the binary.

665
MCQmedium

During an e-discovery process, a legal hold is issued. What is the PRIMARY purpose of a legal hold?

A.To authorize forensic examiners to image all company devices
B.To prevent the destruction or alteration of potentially relevant evidence
C.To encrypt all data to prevent unauthorized access during litigation
D.To notify the opposing party of the intent to use electronic evidence
AnswerB

This is the core purpose: preserve data that may be relevant to a legal case.

Why this answer

The primary purpose of a legal hold is to preserve all forms of potentially relevant evidence by suspending normal data retention and deletion policies. This ensures that data, including emails, documents, and logs, is not altered or destroyed during the e-discovery process, which is critical for maintaining the integrity of evidence for litigation.

Exam trap

EC-Council often tests the distinction between preservation (legal hold) and collection (imaging), so candidates mistakenly choose authorization for imaging because they conflate the forensic process with the legal obligation to preserve.

How to eliminate wrong answers

Option A is wrong because a legal hold does not authorize forensic imaging; that requires a separate court order or explicit consent, and imaging is a technical step that follows preservation. Option C is wrong because encryption is a security measure to protect data from unauthorized access, not a preservation mechanism, and it can actually hinder e-discovery if keys are not managed properly. Option D is wrong because notifying the opposing party about the intent to use electronic evidence is part of the discovery phase, not the preservation phase, and is governed by rules like FRCP 26, not a legal hold.

666
MCQhard

During a forensic investigation of a compromised web server, an analyst finds the following entry in the IIS access log: 192.168.1.5, -, 04/May/2024:14:23:11, GET /scripts/..%5c../windows/system32/cmd.exe, 200. What is the probable attack vector?

A.Brute force attack
B.Cross-site scripting
C.Path traversal
D.SQL injection
AnswerC

The ..%5c.. sequence is a path traversal payload to access cmd.exe.

Why this answer

The log shows a path traversal attempt using URL-encoded backslashes (%5c) to navigate to cmd.exe. The 200 status indicates the request succeeded. This is a classic path traversal attack.

667
MCQeasy

In database forensics, which type of log records every transaction (including INSERT, UPDATE, DELETE) and allows reconstruction of database changes over time?

A.Audit log
B.Error log
C.Transaction log
D.Slow query log
AnswerC

Transaction logs capture every data modification operation.

Why this answer

Transaction logs (also called redo logs) record all changes to the database, enabling point-in-time recovery and auditing of data modifications.

668
MCQmedium

A network forensic analyst captures traffic that includes the following Wireshark filter: "tcp.port == 22 and tcp.flags.syn == 1 and tcp.flags.ack == 0". What type of traffic is this filter selecting?

A.SSH traffic with payload
B.Outgoing SSH connection attempts
C.SSH key exchange
D.SSH established sessions
AnswerB

SYN packets to port 22 are connection initiation attempts, typically outgoing from the client.

Why this answer

The filter matches TCP packets to port 22 (SSH) with only the SYN flag set (SYN=1, ACK=0). These are the first packets in a TCP handshake, representing connection attempts.

669
MCQeasy

Which network forensic tool is BEST suited for analyzing NetFlow data to identify top talkers and detect anomalies?

A.SiLK
B.tcpdump
C.Nmap
D.Wireshark
AnswerA

SiLK is a flow analysis toolkit used for NetFlow data.

Why this answer

SiLK (System for Internet-Level Knowledge) is a set of NetFlow analysis tools designed for large-scale flow data analysis, including identifying top talkers and anomaly detection.

670
MCQhard

An analyst is investigating a possible data exfiltration via email. The analyst notices that the email headers contain a DKIM-Signature field that is invalid. Which of the following does a failed DKIM check indicate?

A.The email's content has been modified since it was signed
B.The email was sent through a proxy server
C.The email client does not support DKIM
D.The email was sent from a different domain than the one in the From field
AnswerA

DKIM failure typically means the signature is invalid, possibly due to tampering.

Why this answer

DKIM provides a digital signature that verifies the email was not tampered with and originates from the claimed domain. A failed DKIM check indicates the email may have been altered or spoofed.

671
Multi-Selecteasy

Which TWO of the following are primary purposes of using the GrayKey tool in iOS forensics?

Select 2 answers
A.Perform static analysis of iOS malware
B.Decrypt iOS application binaries for analysis
C.Extract the full file system from a locked iOS device
D.Bypass the iOS passcode to gain access to the device
E.Create an encrypted iTunes backup
AnswersC, D

After bypass, GrayKey can perform a full file system extraction.

Why this answer

Option C is correct because GrayKey is a specialized hardware/software tool designed to perform a full file system extraction from locked iOS devices, including those with passcodes. It exploits vulnerabilities in the iOS Secure Enclave or bootrom to bypass security mechanisms and retrieve a bit-for-bit copy of the device's storage, which is critical for forensic acquisition.

Exam trap

EC-Council often tests the distinction between 'bypassing the passcode' (option D) and 'extracting the file system' (option C) as separate but complementary purposes, leading candidates to incorrectly select only one when both are primary functions of GrayKey.

672
MCQmedium

Which of the following BEST describes the purpose of a legal hold in e-discovery?

A.To suspend the deletion of data that may be relevant to upcoming litigation
B.To encrypt data for secure storage
C.To obtain a search warrant for digital evidence
D.To permanently delete irrelevant data
AnswerA

Correct. The legal hold ensures data is not destroyed.

Why this answer

A legal hold (also known as a litigation hold) is a directive that suspends the normal deletion or destruction of data that may be relevant to pending or reasonably anticipated litigation. In e-discovery, this ensures that potentially relevant electronically stored information (ESI) is preserved and not altered or destroyed, thereby preventing spoliation of evidence. The purpose is to maintain the integrity and availability of data for discovery obligations under rules such as FRCP Rule 37(e).

Exam trap

Cisco often tests the distinction between preservation (legal hold) and other e-discovery phases like collection or processing, leading candidates to confuse a legal hold with a search warrant or encryption, when in fact it is a proactive suspension of deletion policies.

How to eliminate wrong answers

Option B is wrong because encrypting data for secure storage is a security measure, not a preservation mechanism; encryption does not prevent deletion or alteration of data, and it can actually hinder e-discovery if keys are not managed properly. Option C is wrong because obtaining a search warrant is a legal process for law enforcement to seize evidence, not a civil e-discovery preservation directive; a legal hold is issued by a party or court, not a warrant. Option D is wrong because permanently deleting irrelevant data is the opposite of a legal hold; a legal hold preserves potentially relevant data, while deletion of irrelevant data may occur after the hold is lifted and data is deemed non-responsive.

673
Multi-Selectmedium

Which TWO of the following are common indicators of a path traversal attack found in web server logs? (Select 2)

Select 2 answers
A.Requests containing a large number of User-Agent strings
B.Requests containing '../' sequences
C.Requests containing '<script>' tags
D.Requests containing '%2e%2e%2f'
E.Requests containing 'OR 1=1'
AnswersB, D

Direct directory traversal pattern.

Why this answer

Path traversal attacks use '../' sequences or encoded versions to access files outside the web root. Both options A and B are typical signatures.

674
Multi-Selectmedium

A forensic analyst is examining a Windows system and wants to identify recently accessed files and programs. Which TWO artifacts should the analyst prioritize? (Select TWO.)

Select 2 answers
A.Jump Lists
B.Event ID 4624 logs
C.Prefetch files
D.System Restore points
E.SAM registry hive
AnswersA, C

Track recent documents and applications.

Why this answer

Prefetch files track application launches; Jump Lists track recently used files per application.

675
MCQmedium

During a forensic investigation, a junior analyst suggests using a software write blocker to image a suspect's hard drive. Which of the following is the PRIMARY concern with relying solely on a software write blocker in a high-stakes legal case?

A.Software write blockers may be circumvented if the operating system is compromised.
B.Software write blockers require additional licensing fees.
C.Software write blockers are not compatible with all operating systems.
D.Software write blockers are too slow for large drives.
AnswerA

Software blockers run on the system being examined, so if the OS is malicious, it may bypass the blocker.

Why this answer

Software write blockers are not as reliable as hardware ones because they rely on the operating system, which can be compromised; hardware write blockers provide physical write protection.

Page 8

Page 9 of 14

Page 10