CCNA Application, Email and Cloud Forensics Questions

75 of 155 questions · Page 1/3 · Application, Email and Cloud Forensics · Answers revealed

1. MCQ (medium)

An investigator examines an email header and sees the following: 'DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=selector1; bh=...; h=...; b=...'. The email claims to be from 'support@example.com', but the DKIM signature validation fails. Which of the following is the MOST likely cause?

A. The DKIM signature is optional and can be ignored.
B. The email was sent from a different domain but the From header was spoofed.
C. The recipient's email server does not support DKIM.
D. The email was encrypted and cannot be verified.

Answer: B

DKIM signature failure indicates the email was not signed by the claimed domain's private key, suggesting the From address may be spoofed.

Why this answer

DKIM uses a digital signature to verify the email's domain. Validation failure strongly suggests the email was not sent by the legitimate domain, indicating spoofing.

2. MCQ (medium)

An investigator examining a compromised web server finds a file named shell.aspx in the uploads directory. The file contains code that accepts commands via HTTP POST and executes them on the server. What is the MOST likely type of attack?

A. Server-side request forgery (SSRF)
B. SQL injection
C. Webshell
D. Cross-site request forgery (CSRF)

Answer: C

A webshell allows remote command execution via a script file placed on the server.

Why this answer

A file that accepts and executes commands remotely is a webshell, often placed via file upload vulnerabilities to maintain access.

3. MCQ (easy)

Which tool is specifically designed for parsing and analyzing email headers to trace the origin of an email and detect spoofing?

A. Wireshark
B. EnCase
C. Nmap
D. EmailTrackerPro

Answer: D

EmailTrackerPro is designed for email header analysis and spoofing detection.

Why this answer

EmailTrackerPro is a commercial tool that parses email headers, extracts routing information, and helps detect spoofing by analyzing Received headers and X-Originating-IP.

4. MCQ (medium)

A security analyst reviews an Apache access log and finds the entry: '192.168.1.10 - - [10/Mar/2025:08:12:34 +0000] "GET /index.php?id=1 UNION SELECT username,password FROM users-- HTTP/1.1" 200 2345 "-" "Mozilla/5.0"'. Which attack is indicated?

A. Cross-site scripting (XSS)
B. SQL injection
C. Path traversal
D. Webshell upload

Answer: B

The UNION SELECT clause is a classic SQL injection technique to retrieve data from other tables.

Why this answer

The UNION SELECT statement in the URI indicates a SQL injection attack. The attacker is trying to extract data from the database.

5. MCQ (medium)

During an email forensics investigation, an analyst examines headers and sees `Received: from mail.evil.com (192.168.1.100) by mail.victim.com` followed by `DKIM-Signature: v=1; a=rsa-sha256; d=evil.com; s=selector; bh=...; h=...; b=...`. The email claims to be from support@paypal.com. Which finding is the strongest indicator of spoofing?

A. The email was received via SMTP
B. The email lacks an SPF record in the header
C. The email originated from IP 192.168.1.100
D. The DKIM signature domain is evil.com, not paypal.com

Answer: D

A valid DKIM signature for paypal.com should have d=paypal.com. The mismatch is a strong spoofing indicator.

Why this answer

The DKIM-Signature domain (evil.com) does not match the claimed sender domain (paypal.com). This mismatch indicates the email is likely spoofed.

6. MCQ (hard)

An analyst discovers a suspicious file named 'cmd.aspx' in the web root of an IIS server. The file contains ASPX code that executes system commands. The IIS logs show a POST request to '/cmd.aspx' with a 200 status code. Which type of attack is indicated?

A. Webshell upload
B. SQL injection
C. Cross-site scripting (XSS)
D. Directory traversal

Answer: A

A webshell is a malicious script uploaded to a server that allows remote command execution. The file name 'cmd.aspx' and its ability to execute system commands are classic signs.

Why this answer

A webshell is a script that provides a backdoor for remote administration. The presence of 'cmd.aspx' in the web root with command execution capability confirms a webshell attack.

7. MCQ (medium)

An email header shows the following Received line: Received: from mail.example.com (192.168.1.1) by smtp.server.com (Postfix). The DKIM-Signature header is missing, and the X-Originating-IP header shows an IP address different from the sender's domain MX record. What is the MOST likely conclusion?

A. The email is likely spoofed
B. The email is legitimate but routed through a different server
C. The email was sent from a mobile device
D. The email server is misconfigured

Answer: A

Missing DKIM and mismatched originating IP are strong indicators of email spoofing.

Why this answer

The missing DKIM-Signature and mismatched X-Originating-IP suggest that the email may be spoofed. DKIM provides cryptographic verification; its absence combined with an IP mismatch indicates a lack of authentication and possible forgery.

8. MCQ (easy)

In the context of cloud forensics, what is the primary challenge associated with volatile evidence in Infrastructure as a Service (IaaS) environments?

A. Evidence can be lost when the cloud instance is stopped or terminated
B. Evidence may be stored across multiple jurisdictions
C. Encryption of data at rest prevents access to evidence
D. Cloud providers may not allow forensic investigators to access the physical hardware

Answer: A

Volatile evidence like RAM and process lists is lost upon instance shutdown.

Why this answer

Volatile evidence such as memory and running processes disappears when an instance is stopped or terminated, making timely acquisition critical.

9. MCQ (easy)

Which tool is specifically designed to extract and analyze metadata from email messages, including headers, attachments, and embedded objects, for forensic investigations?

A. FTK Imager
B. Wireshark
C. Sleuth Kit
D. EmailTracker

Answer: D

EmailTracker specializes in email header analysis and metadata extraction.

Why this answer

EmailTracker is a tool that parses email headers and extracts metadata for forensic analysis, such as tracking the path of an email.

10. MCQ (easy)

An analyst finds the following string in an IIS log: %3Cscript%3Ealert('XSS')%3C/script%3E. What does this indicate?

A. A cross-site scripting (XSS) attempt
B. A SQL injection attempt
C. A buffer overflow attempt
D. A path traversal attempt

Answer: A

The payload contains script tags intended to execute JavaScript.

Why this answer

The string is URL-encoded HTML/JavaScript (<script>alert('XSS')</script>). It is a typical cross-site scripting payload attempting to execute in a browser.

11. MCQ (medium)

During a forensic investigation of a compromised web server, an analyst examines the Apache access log and finds the following entry: '192.168.1.10 - - [12/Oct/2024:13:45:22 +0000] "GET /index.php?id=1 UNION SELECT username, password FROM users-- HTTP/1.1" 200 1234 "-" "Mozilla/5.0"'. What type of attack is MOST likely indicated?

A. Cross-site scripting (XSS)
B. SQL injection (SQLi)
C. Path traversal
D. Remote file inclusion (RFI)

Answer: B

The UNION SELECT statement and comment '--' are classic SQL injection payloads inserted into the id parameter.

Why this answer

The log entry contains 'UNION SELECT username, password FROM users--', which is a SQL injection attempt to retrieve data from the users table.

12. MCQ (hard)

During a forensic investigation of a Google Cloud Platform (GCP) environment, an analyst reviews Audit Logs and sees a log entry with the method 'storage.objects.list' and a principal email 'attacker@gmail.com'. However, the identity is not from the organization's domain. What should the analyst conclude?

A. The analyst must immediately shut down the bucket.
B. The attacker spoofed the principal email in the log.
C. An external identity was granted IAM permissions on the bucket, possibly through a misconfigured resource.
D. The log entry is a false positive due to a logging error.

Answer: C

The presence of an external email in the principal field indicates that an external user had permissions, likely due to misconfigured IAM or a public bucket.

Why this answer

An external principal appearing in the log indicates that the bucket's IAM policy allowed access from outside the organization, a common misconfiguration.

13. MCQ (medium)

Which of the following is a primary challenge in cloud forensics due to shared infrastructure?

A. Slow internet speeds
B. Multi-tenancy and data commingling
C. Lack of logging capabilities
D. Inability to perform network analysis

Answer: B

Shared resources can cause evidence from different tenants to mix, complicating attribution.

Why this answer

Multi-tenancy means multiple customers share the same physical resources. This complicates evidence isolation and can lead to data commingling, making forensic acquisition difficult.

14. Multi-Select (medium)

A security analyst notices repeated entries in an IIS log: 10.0.0.2, -, 05/Feb/2023:08:12:34 +0000, GET /../../windows/system32/config/sam, 404, 0, 532. Which TWO of the following attack types are indicated by this log entry?

Select 2 answers
A. SQL injection
B. Directory traversal
C. Privilege escalation attempt
D. Denial of service
E. Cross-site scripting

Answers: B, C

'../' sequences aim to traverse directories to access restricted files.

Why this answer

The use of '../' indicates path traversal, and the target file (SAM) is a common target for privilege escalation.

15. MCQ (hard)

A forensic analyst is examining a Docker container that was used to launch a DDoS attack. Which layer of a Docker image is most likely to contain the attacker's malicious scripts?

A. The overlay filesystem layer
B. The topmost writable container layer
C. The volume mounted from the host
D. The base image layer

Answer: B

Runtime changes, including malicious scripts, are stored in the writable layer.

Why this answer

Docker images consist of read-only layers. The topmost writable layer (container layer) holds changes made at runtime, such as installing tools or scripts. The attack scripts would be in this layer.

16. MCQ (medium)

During a forensic investigation of a compromised web server, you find the following entry in the IIS log: 192.168.2.50, -, 10/Jan/2023, 14:32:15, W3SVC1, WEB01, 192.168.2.10, 80, POST, /uploads/shell.aspx, 200, 0, 0, 513, 0, Mozilla/4.0. Which action should the investigator prioritize?

A. Rebuild the web server from a clean backup
B. Analyze the uploaded shell.aspx file for malicious content
C. Delete the shell.aspx file immediately
D. Check the web server's firewall logs for the attacker's IP

Answer: B

The file is likely a webshell; analyzing it helps understand the attacker's capabilities and persistence mechanisms.

Why this answer

The log shows a POST request to shell.aspx in the uploads directory with a 200 status, indicating a likely webshell upload. The investigator should retrieve and analyze the uploaded file for malicious content to confirm the compromise.

17. MCQ (easy)

Which tool is specifically designed to analyze email headers and track the path of an email across multiple servers?

A. Aid4Mail
B. EmailTracker
C. Wireshark
D. FTK Imager

Answer: B

EmailTracker analyzes headers and traces the email's path.

Why this answer

EmailTracker is a web-based tool that parses email headers and visualizes the route. Aid4Mail is for forensic acquisition/analysis. Wireshark captures network packets. FTK Imager is for disk imaging.

18. MCQ (easy)

Which tool is specifically designed to analyze email headers and track the path an email took across mail servers?

A. Wireshark
B. Volatility
C. EmailTracker
D. FTK Imager

Answer: C

EmailTracker is purpose-built for email header forensics.

Why this answer

EmailTracker is a tool that parses email headers and visualizes the route, timing, and geolocation of mail servers.

19. MCQ (medium)

An investigator needs to analyze a Microsoft Outlook PST file from a suspect's computer. Which of the following tools is specifically designed for parsing and extracting emails, attachments, and metadata from PST files in a forensically sound manner?

A. Aid4Mail
B. DBXtract
C. MailXaminer
D. OutlookSpy

Answer: A

Aid4Mail is a comprehensive email forensic tool that handles PST files and preserves metadata.

Why this answer

Aid4Mail is a forensic email analysis tool that supports PST file parsing and extraction.

20. MCQ (easy)

A forensic analyst needs to extract email artifacts from a Microsoft Outlook .OST file that is associated with an Exchange account. Which tool is specifically designed to parse and analyze .OST files?

A. Kernel for OST Viewer
B. Aid4Mail
C. EmailTracker Pro
D. MailXaminer

Answer: A

Kernel for OST Viewer is a dedicated tool for opening and analyzing .OST files.

Why this answer

Kernel for OST Viewer is specifically designed to parse offline Outlook data files (.OST).

21. MCQ (medium)

An analyst examining an Outlook PST file wants to recover deleted emails that are no longer visible in the Deleted Items folder. Which technique is MOST effective?

A. Convert the PST to an EDB file and mount it
B. Repair the PST file using Scanpst.exe
C. Reconstruct the PST from the Exchange server backup
D. Use a forensic tool to carve for deleted items within the PST

Answer: D

Forensic carving can recover deleted emails from unallocated space in the PST.

Why this answer

Deleted emails in PST files are often not immediately overwritten. Using forensic tools to scan the PST file for unallocated space or deleted items can recover them.

22. Multi-Select (medium)

A security analyst is investigating a phishing email and notices the DKIM-Signature header is present but fails validation. Which TWO actions should the analyst take?

Select 2 answers
A. Ignore the DKIM failure as it is not important
B. Check the DKIM DNS record for the signing domain
C. Reply to the sender to verify authenticity
D. Examine the Received headers for spoofing clues
E. Delete the email immediately

Answers: B, D

Checking the DKIM DNS record verifies whether the signature matches the domain's published public key.

Why this answer

DKIM failure indicates the email may be forged or tampered with. Checking the domain's DKIM DNS record and examining the email headers for other spoofing indicators are appropriate steps.

23. MCQ (easy)

During a forensic investigation of a suspected data breach, you are asked to analyze email headers to trace the origin of a phishing email. Which header field provides the IP address of the sending SMTP server?

A. Received
B. Message-ID
C. DKIM-Signature
D. X-Originating-IP

Answer: A

Each Received header records the IP of the server that handled the message.

Why this answer

The Received header is added by each SMTP server that relays the message, showing the IP of the previous hop. The bottommost entry (the first one added) often contains the original sender's IP.

24. Multi-Select (medium)

An investigator is analyzing email headers and notices the following: The 'Received' headers show a path through multiple servers, the 'DKIM-Signature' domain matches the sender domain, and 'X-Originating-IP' is present. Which TWO pieces of information are MOST useful to trace the original sender's IP address? (Choose two.)

Select 2 answers
A. The 'Message-ID' header
B. The 'From' header email address
C. The DKIM-Signature's 'd=' domain
D. The X-Originating-IP header value
E. The last (bottommost) Received header's IP

Answers: D, E

Some mail servers add the X-Originating-IP header with the original client IP.

Why this answer

The bottommost 'Received' header contains the IP of the first receiving server, which is often the sender's MTA or the client IP. 'X-Originating-IP' is a non-standard header that may contain the original client IP if included by the outbound server.

25. Multi-Select (medium)

A forensic analyst is examining Azure Activity Logs for signs of privilege escalation. Which TWO of the following activities would be MOST indicative of an attacker attempting to escalate privileges? (Choose two.)

Select 2 answers
A. A user updating their own password
B. Deleting a resource group
C. Creation of a custom RBAC role with Owner permissions
D. Adding a user to the Global Administrator role
E. A user accessing a storage account they own

Answers: C, D

Creating a custom role with Owner permissions can allow the creator to grant themselves full control.

Why this answer

Creating a custom RBAC role with high permissions (like Owner) and assigning it to a user can grant elevated privileges. Adding a user to a privileged role (like Global Administrator) directly escalates privileges.

26. Multi-Select (easy)

Which TWO tools are commonly used for email forensic analysis and metadata extraction?

Select 2 answers
A. Aid4Mail
B. Wireshark
C. Volatility
D. EmailTracker
E. FTK Imager

Answers: A, D

Aid4Mail is a commercial email forensic tool.

Why this answer

Aid4Mail and EmailTracker are specialized for email forensics.

27. MCQ (easy)

In Docker forensics, which command is used to view the command history of a container, including how it was built?

A. docker diff
B. docker history
C. docker logs
D. docker inspect

Answer: B

This command displays the history of an image, including build commands and layer information.

Why this answer

The `docker history` command displays the history of a Docker image, showing each layer and the command that created it. This includes the build commands from the Dockerfile, allowing an investigator to see how the container was constructed and what instructions were executed during the build process.

Exam trap

EC-Council often tests the distinction between commands that operate on running containers (like `docker logs` and `docker diff`) versus those that inspect image metadata (like `docker history`), leading candidates to confuse runtime activity with build-time history.

How to eliminate wrong answers

Option A is wrong because `docker diff` shows changes to files and directories in a container's filesystem compared to its base image, not the command history or build steps. Option C is wrong because `docker logs` retrieves the stdout/stderr output from a running or stopped container, not the build history or command sequence. Option D is wrong because `docker inspect` returns low-level configuration and metadata about a container or image (e.g., network settings, mounts), but does not show the layered command history of how the image was built.

28. Multi-Select (hard)

In an email forensics investigation, which THREE indicators suggest that an email is likely spoofed? (Select THREE.)

Select 3 answers
A. The 'DKIM-Signature' header is missing or fails validation
B. The 'Reply-To' header contains a different domain than the 'From' header
C. The email's 'Received' headers show an inconsistent routing path
D. The 'Received-SPF' header shows 'pass'
E. The 'From' domain matches the 'Return-Path' domain

Answers: A, B, C

Missing or invalid DKIM is a strong indicator of spoofing.

Why this answer

Spoofed emails often fail SPF checks, have no DKIM signature (or a failed one), and may contain mismatched headers like From vs. Return-Path.

29. Multi-Select (medium)

A Docker container is suspected of malicious activity. Which THREE data sources should the investigator collect for forensic analysis?

Select 3 answers
A. Network packet captures from the container's virtual interface
B. Host system audit logs
C. Docker image layer files
D. Container logs (stdout/stderr)
E. The Dockerfile used to build the image

Answers: B, C, D

Host logs (e.g., syslog) show container interactions with the host.

Why this answer

Container logs, image layers, and host system logs are key sources in Docker forensics.

30. MCQ (hard)

During an investigation of a web application breach, an analyst reviews IIS logs and finds numerous entries with status code '200' and URIs containing '?cmd=' followed by encoded strings. The analyst also notices that some requests have a 'User-Agent' string resembling 'Microsoft-CryptoAPI/10.0'. What is the MOST likely conclusion?

A. The logs indicate a successful SQL injection attack
B. The logs show a cross-site scripting (XSS) attack targeting administrators
C. The server is infected with ransomware, encrypting files
D. A webshell is being used to execute commands on the server

Answer: D

The cmd parameter and non-standard User-Agent are indicators of a webshell, likely executed via a command injection vulnerability.

Why this answer

A valid POST request with no cookies and a suspicious User-Agent could indicate a webshell attempting to exfiltrate data or execute commands, as the User-Agent is atypical for a browser.

31. Multi-Select (medium)

Which THREE of the following are indicators of a webshell in web server logs? (Select THREE)

Select 3 answers
A. Multiple GET requests to /index.html
B. POST requests to a script file with large payloads
C. Consistent 304 Not Modified responses
D. Requests to unusual script files like cmd.aspx or shell.php
E. A high number of requests from a single IP to a single script

Answers: B, D, E

POST to a script file may indicate command execution.

Why this answer

Webshells are indicated by anomalous script files being accessed, POST requests to script files, and high request rates to a single script. These patterns suggest remote access and command execution.

32. MCQ (medium)

A security analyst reviews Apache access logs and finds the following entry: `192.168.1.10 - - [12/Jul/2024:10:15:30 -0400] "GET /search.php?q=1' UNION SELECT username,password FROM users-- HTTP/1.1" 200 5321 "-" "Mozilla/5.0"`. Which attack technique is most likely being attempted?

A. Remote file inclusion
B. SQL injection
C. Cross-site scripting (XSS)
D. Directory traversal

Answer: B

The UNION SELECT SQL statement in the query parameter indicates a SQL injection attempt.

Why this answer

The log entry shows a SQL injection payload (the UNION SELECT statement) in the query parameter. This is a classic SQL injection attempt.

33. Multi-Select (medium)

In email forensics, which TWO of the following headers are most useful for identifying the true origin of an email? (Select TWO.)

Select 2 answers
A. Message-ID
B. DKIM-Signature
C. X-Originating-IP
D. Received
E. MIME-Version

Answers: C, D

The X-Originating-IP header often contains the IP address of the sender's machine.

Why this answer

Received headers show the path and each server's IP, while X-Originating-IP may contain the sender's IP. DKIM verifies integrity but not origin IP. Message-ID is just an identifier.

34. MCQ (hard)

A forensic analyst is investigating a suspected data exfiltration from a MySQL database. Which log source would be MOST useful to identify the exact SQL queries executed, including SELECT statements that retrieved large volumes of data?

A. MySQL error log
B. MySQL binary log
C. MySQL slow query log
D. MySQL general query log

Answer: D

The general query log logs all SQL statements, including SELECT, making it ideal for detecting data exfiltration via queries.

Why this answer

MySQL's general query log records all SQL queries, including SELECT statements. The binary log records changes (INSERT, UPDATE, DELETE) for replication and recovery, not SELECT queries. Audit logs may be enabled but are not as detailed for SELECT queries by default.

35. MCQ (medium)

An analyst finds the following in an IIS log: 10.0.0.5, -, 02/15/2024, 14:23:56, GET /../../windows/system32/cmd.exe, 404, 0, 0, 0, Mozilla/4.0. Which attack technique does this log entry represent?

A. Cross-site scripting
B. SQL injection
C. Path traversal
D. Remote code execution

Answer: C

The ../ sequences indicate an attempt to traverse directories.

Why this answer

The URI contains ../ patterns attempting to access a system file outside the web root, which is path traversal.

36. MCQ (easy)

Which cloud service's audit logs would an investigator examine to identify who deleted a virtual machine in an Azure subscription?

A. GCP Audit Logs
B. Azure Activity Log
C. Azure AD Sign-in Logs
D. AWS CloudTrail

Answer: B

The Azure Activity Log tracks resource management operations in Azure.

Why this answer

Azure Activity Logs record all control-plane events (e.g., create/delete resources) at the subscription level, including who performed the action.

37. MCQ (hard)

In a database forensic investigation, you recover a MySQL binary log with the following entry: #230110 13:45:22 server id 1 end_log_pos 123456 Query thread_id=100 exec_time=0 error_code=0 SET TIMESTAMP=1673358322; SELECT * FROM customers INTO OUTFILE '/tmp/export.csv';. What does this indicate?

A. Data exfiltration via the MySQL instance
B. A backup operation was performed
C. A stored procedure execution
D. A SQL injection attack using UNION

Answer: A

The query exports customer data to a file in /tmp, which can be retrieved by the attacker. This is a known data exfiltration technique.

Why this answer

This log entry records a SELECT ... INTO OUTFILE statement that exports the customers table to a CSV file. This is a common technique for data exfiltration, as it writes data to a file that can be accessed by the attacker.

38. MCQ (easy)

In cloud forensics, one of the major challenges is that data may be stored in multiple jurisdictions with different legal requirements. This challenge is known as:

A. Multi-tenancy
B. Chain of custody
C. Volatile evidence
D. Data jurisdiction

Answer: D

Data jurisdiction is the term for legal boundaries across regions.

Why this answer

Data jurisdiction refers to the legal and regulatory issues that arise when data is stored or processed across different geographic locations with varying laws.

39. MCQ (hard)

During a cloud forensic investigation, you review AWS CloudTrail logs and find the following event: {"eventSource":"ec2.amazonaws.com","eventName":"RunInstances","userIdentity":{"arn":"arn:aws:iam::123456789012:user/attacker"},"requestParameters":{"instanceType":"t2.micro","imageId":"ami-0abcdef1234567890"},"responseElements":{"instancesSet":{"items":[{"instanceId":"i-0a1b2c3d4e5f67890"}]}}}. What is the immediate forensic action?

A. Delete the instance immediately
B. Check the VPC flow logs for network traffic
C. Isolate the instance and create a forensic snapshot
D. Notify the user who launched the instance

Answer: C

Isolation prevents further actions, and a snapshot captures the instance state for analysis.

Why this answer

The log shows an unauthorized user launched an EC2 instance. The immediate action is to isolate the instance by stopping it or applying a security group to block traffic, preventing further malicious activity while preserving the instance for forensic analysis.

40. Multi-Select (easy)

Which TWO of the following are common challenges specific to cloud forensics?

Select 2 answers
A. Multi-tenancy issues
B. Data jurisdiction
C. Inability to create disk images
D. Permanent data deletion recovery
E. Lack of forensic tools

Answers: A, B

Data from multiple tenants may be commingled, complicating isolation.

Why this answer

Multi-tenancy complicates data isolation, and data jurisdiction affects legal access to data across regions.

41. Multi-Select (hard)

Which THREE of the following are common challenges specific to cloud forensics? (Select THREE)

Select 3 answers
A. Data jurisdiction and legal compliance across regions
B. Volatility of evidence due to auto-scaling and ephemeral instances
C. Inability to acquire physical hard drives
D. Lack of standardized log formats
E. High cost of forensic tools

Answers: A, B, C

Data may be stored in multiple countries with different laws.

Why this answer

Cloud forensics faces challenges such as data jurisdiction (legal boundaries), volatile evidence (ephemeral resources), and multi-tenancy (data commingling).

42. MCQ (medium)

An analyst discovers a suspicious file named 'cmd.aspx' in the uploads directory of an IIS web server. Analysis reveals the file contains code to execute system commands. What is this file most likely?

A. A log file
B. A benign configuration file
C. A web shell
D. A backup of a legitimate page

Answer: C

Web shells are scripts that provide remote access and command execution.

Why this answer

A file with .aspx extension that executes commands is a webshell, allowing remote command execution on the server.

43. MCQ (easy)

An email forensic analyst receives a suspicious email and wants to trace its origin. Which email header field provides the most reliable information about the IP address of the sending SMTP server?

A. Return-Path
B. Received
C. DKIM-Signature
D. X-Originating-IP

Answer: B

Each SMTP hop adds a Received header with the IP address of the sending server.

Why this answer

The 'Received' header is added by each SMTP server that handles the email, and the bottommost 'Received' header (the first one added, directly after the client) contains the originating IP.

44. MCQ (hard)

A forensic examiner needs to analyze a Microsoft Outlook PST file from a suspect's computer. Which tool is BEST suited to parse and extract emails, attachments, and metadata from the PST file?

A. Aid4Mail
B. DB Browser for SQLite
C. MailXaminer
D. Outlook Express

Answer: A

Aid4Mail is specifically designed for email forensic analysis and supports PST files.

Why this answer

Aid4Mail is a professional email forensic tool that can parse PST files and extract all components including metadata, attachments, and headers.

45. MCQ (medium)

During an investigation, an analyst extracts email headers from a suspicious email. The header includes: Received: from mail.attacker.com (192.168.1.100); DKIM-Signature: v=1; a=rsa-sha256; d=legitbank.com; s=selector1; bh=...; The email claims to be from support@legitbank.com. Which indicator strongly suggests email spoofing?

A. The email was sent on a weekend
B. The DKIM signature uses RSA-SHA256 algorithm
C. The X-Originating-IP header is present
D. The Received header shows the email came from a server not owned by legitbank.com

Answer: D

Legitimate emails from legitbank.com would originate from their own mail servers, not attacker.com.

Why this answer

The DKIM-Signature domain (d=legitbank.com) should match the sender domain. However, the Received header shows the email originated from mail.attacker.com, not legitbank.com's mail servers. DKIM validation might also fail if the signature does not verify, but the mismatch in origin is already a clear spoofing indicator.

46. MCQ (medium)

A security analyst is investigating a containerized application running on a Docker host. The analyst needs to collect forensic evidence from a stopped container without starting it. Which of the following Docker commands should be used to export the container's filesystem as a tar archive?

A. docker commit
B. docker export
C. docker cp
D. docker save

Answer: B

docker export exports a container's filesystem to a tar archive.

Why this answer

docker export exports the container's filesystem as a tar archive. It works on stopped or running containers and does not require the container to be started.

47. MCQ (hard)

A forensic investigator is analyzing a compromised web server. In the Apache access logs, the investigator finds the following request: 'GET /images/../../../etc/passwd HTTP/1.1' with a 200 status code. Which of the following is the MOST likely reason the server returned a 200 (OK) response?

A. The server redirected the request to the root directory and returned the index page
B. The server has a custom 404 page that returns a 200 status code
C. The request was blocked by a web application firewall (WAF) which returned a 200 status
D. The server is vulnerable to directory traversal and returned the contents of /etc/passwd

Answer: D

A 200 status code with a path traversal attempt suggests successful exploitation, as the server served the requested file.

Why this answer

A 200 response to a path traversal request indicates that the server executed the request and returned the file content, meaning the directory traversal attack succeeded.

48. MCQ (easy)

Which tool is specifically designed to analyze email headers, track the path of an email, and extract metadata such as originating IP and authentication results?

A. Volatility
B. Wireshark
C. EmailTracker
D. FTK Imager

Answer: C

EmailTracker parses email headers and provides detailed path and authentication info.

Why this answer

EmailTracker is specifically designed to parse email headers, trace the email's path through mail servers, and extract metadata such as the originating IP address, authentication results (SPF, DKIM, DMARC), and timestamps. Unlike general-purpose tools, it focuses solely on email header analysis and visualization, making it the correct choice for this task.

Exam trap

EC-Council often tests the distinction between network packet analysis tools (Wireshark) and email-specific header analysis tools (EmailTracker), trapping candidates who confuse live SMTP traffic capture with post-delivery email header forensics.

How to eliminate wrong answers

Option A is wrong because Volatility is a memory forensics framework used for analyzing RAM dumps, not for parsing email headers or tracking email paths. Option B is wrong because Wireshark is a network protocol analyzer that captures and inspects live network traffic (e.g., SMTP packets), but it does not parse stored email headers or extract metadata like originating IP from an email's header fields. Option D is wrong because FTK Imager is a disk imaging and data acquisition tool used for creating forensic images of storage media, not for analyzing email headers or extracting email metadata.

49
MCQmedium

A security analyst reviewing Apache access logs finds entries like: 192.168.1.10 - - [12/Jan/2023:15:23:11 +0000] "GET /search?q=1' OR '1'='1 HTTP/1.1" 200 5324. What attack is indicated?

A.Cross-site scripting (XSS)
B.SQL injection
C.Path traversal
D.Command injection
AnswerB

The payload '1' OR '1'='1' is a classic SQL injection tautology aiming to bypass authentication or extract data.

Why this answer

The log entry shows a SQL injection attempt via the 'q' parameter with a tautology. The 200 response indicates the request was processed, suggesting possible success.

50
MCQmedium

A web server log shows the following request: 'GET /../../../../etc/passwd HTTP/1.1' with a 200 response code. The web server is running Apache on Linux. What attack has likely succeeded?

A.Remote File Inclusion (RFI)
B.SQL injection
C.Cross-Site Request Forgery (CSRF)
D.Local File Inclusion (LFI) or Path Traversal
AnswerD

The URI attempts to traverse directories to access /etc/passwd.

Why this answer

The '../' sequences indicate path traversal, attempting to access files outside the web root. A 200 response suggests the file was served.

51
MCQeasy

Which email header field is specifically used to verify that an email was not tampered with during transit and is signed by the sender's domain?

A.X-Originating-IP
B.Message-ID
C.Received
D.DKIM-Signature
AnswerD

DKIM uses a digital signature to verify the email was not altered and originated from the claimed domain.

Why this answer

DKIM-Signature header contains a digital signature that allows the receiver to verify the email's integrity and authenticity.

52
MCQeasy

An investigator needs to parse and analyze a Microsoft Outlook personal folders file (.pst). Which tool is specifically designed for this purpose?

A.Aid4Mail
B.FTK Imager
C.Wireshark
D.Sleuth Kit
AnswerA

Aid4Mail specializes in email forensics and supports PST files.

Why this answer

Aid4Mail is a forensic email analysis tool that can parse Outlook PST files, among other formats, and extract metadata, attachments, and headers.

53
MCQmedium

An email forensic investigator examines a suspicious email and notices the following header: Received: from mail.evil.com (192.168.1.100) by mail.company.com. The DKIM-Signature header fails verification. What does this indicate?

A.The receiving server rejected the email
B.The email is legitimate and was forwarded through a relay
C.The email was sent from a compromised mail server
D.The email may be spoofed or its content altered
AnswerD

DKIM failure means the signature does not match the domain's public key, indicating spoofing or modification.

Why this answer

A failing DKIM-Signature indicates the email may have been tampered with during transit or was not signed by the claimed domain. This is a strong indicator of email spoofing or alteration.

54
MCQmedium

A forensic examiner is investigating a Docker container suspected of being used for malicious activity. Which of the following is the BEST approach to collect volatile evidence from the container without altering its state?

A.Stop the container immediately and then export its filesystem with 'docker export'
B.Create a memory dump of the host machine and extract container memory
C.Use 'docker commit' to create an image of the container's current state
D.Execute 'docker exec' to access the container shell and run forensic tools
AnswerC

docker commit captures the container's filesystem state without modifying it, preserving volatile data.

Why this answer

Using 'docker commit' creates a snapshot of the container's filesystem without stopping the container, preserving volatile evidence.

55
Multi-Selecteasy

Which TWO of the following are valid email header fields that can be used to detect email spoofing? (Select 2)

Select 2 answers
A.Subject
B.Received-SPF
C.Content-Type
D.MIME-Version
E.DKIM-Signature
AnswersB, E

Received-SPF records the result of the SPF check; DKIM-Signature carries the sending domain's cryptographic signature.

Why this answer

SPF and DKIM are email authentication mechanisms that help detect spoofing. SPF checks if the sending server is authorized, DKIM verifies the email integrity.

56
MCQeasy

Which email header field is MOST reliable for identifying the true origin of an email, assuming no header tampering occurred at the initial MTA?

A.Received
B.Message-ID
C.From
D.DKIM-Signature
AnswerA

Received headers are added by each mail server and the earliest one usually contains the true originating IP.

Why this answer

The Received header chain shows the path the email took. The earliest Received header (the bottom-most one, added closest to the originating server) is the most reliable for identifying the original sender's IP.

57
MCQeasy

Which of the following is a unique challenge in cloud forensics compared to traditional digital forensics?

A.Encryption of data at rest
B.Lack of network connectivity
C.Inability to acquire disk images
D.Multi-tenancy and data isolation
AnswerD

Multi-tenancy means evidence from one tenant may be co-mingled with others, complicating seizure and privacy.

Why this answer

Multi-tenancy (multiple customers sharing the same physical infrastructure) is a key challenge in cloud forensics because isolating evidence and maintaining data privacy across tenants is difficult.

58
MCQmedium

In an Azure environment, an investigator needs to review actions performed by a specific user over the past 30 days. Which Azure service provides the necessary audit logs for this purpose?

A.Azure Activity Log
B.Azure Security Center
C.Azure Monitor
D.Azure AD Audit Logs
AnswerA

The Activity Log is the subscription-level audit log for Azure resource operations.

Why this answer

Azure Activity Logs record all control-plane events (create, update, delete) for Azure resources, including user actions.

59
MCQmedium

During a cloud forensics investigation of an AWS environment, an analyst extracts CloudTrail logs and notices many events with the error code 'AccessDenied' for a specific IAM user attempting to list an S3 bucket. Which of the following is the most appropriate next step?

A.Review the IAM policies attached to the user to determine if the action was authorized
B.Immediately disable the IAM user account
C.Escalate the issue to law enforcement
D.Check the S3 bucket's access logs for the same IP address
AnswerA

Logs show AccessDenied, so the user is blocked, but reviewing policies helps understand intent and whether policies are misconfigured.

Why this answer

AccessDenied indicates the user lacks permissions; check IAM policies to see if the user should have access or if it's an unauthorized attempt.

60
MCQmedium

In an Azure environment, a forensic analyst needs to identify which user assigned a specific role to another user, leading to privilege escalation. Which Azure log should the analyst examine?

A.Azure AD Sign-In Logs
B.Azure Activity Log
C.Azure Diagnostic Logs
D.Azure Network Watcher Logs
AnswerB

Azure Activity Log records all control-plane events, including role assignments and changes to IAM policies.

Why this answer

Azure Activity Log captures all write operations (PUT, POST, DELETE) on Azure resources, including role assignments, making it the primary source for investigating privilege escalation.

61
MCQmedium

An email investigator receives a suspicious email and examines the headers. The 'Received-SPF: pass (google.com: domain of example.com designates 203.0.113.5 as permitted sender)' header is present. However, the 'From' address is 'admin@example.com' and the 'Return-Path' is 'admin@example.com'. What does this indicate?

A.The email passed SPF alignment for the domain example.com
B.The email originated from 203.0.113.5
C.The email failed SPF check
D.The email is definitely legitimate
AnswerA

SPF pass indicates the sending IP is authorized; alignment with From domain is satisfied.

Why this answer

The SPF check passed for the domain example.com, meaning the sending server (203.0.113.5) is authorized. This suggests the email is not spoofed from that domain, at least from an SPF perspective.

62
MCQhard

During a cloud forensic investigation, the analyst discovers that the suspect used AWS IAM credentials to launch unauthorized EC2 instances. The suspect claims the credentials were stolen. Which log would the analyst examine to determine the source IP address from which the credentials were used?

A.VPC Flow Logs
B.Amazon Inspector findings
C.AWS Config
D.AWS CloudTrail
AnswerD

CloudTrail logs API calls with source IP.

Why this answer

AWS CloudTrail logs all API calls, including the source IP address of the request. By analyzing CloudTrail events for the RunInstances API, the analyst can see the IP address.

63
MCQeasy

Which tool is commonly used to analyze email headers and trace the path of an email across servers by parsing 'Received' fields?

A.EmailTrackerPro
B.Wireshark
C.Volatility
D.FTK Imager
AnswerA

EmailTrackerPro parses email headers and maps the route of an email.

Why this answer

EmailTrackerPro is specifically designed to analyze email headers and trace the path of an email.

64
Multi-Selecthard

A GCP audit log shows a project owner granted 'iam.serviceAccountUser' role to a service account from a different project. Which TWO potential security implications should the investigator prioritize?

Select 2 answers
A.The service account can be used to escalate privileges by attaching it to resources
B.The audit logging is now disabled for that service account
C.The service account's keys are automatically rotated
D.Cross-project access may allow lateral movement
E.The service account can now impersonate any user in the project
AnswersA, D

With the role, the service account can be attached to resources, gaining its permissions.

Why this answer

Granting this role lets the service account be attached to resources, where it acts with its own permissions, and because the grant crosses project boundaries it can also enable lateral movement between projects.

65
MCQmedium

Which of the following email headers is used to verify the domain of the sending server and is commonly used for authentication to prevent spoofing?

A.Content-Type
B.Received
C.X-Mailer
D.DKIM-Signature
AnswerD

DKIM-Signature provides a digital signature for domain verification.

Why this answer

The DKIM-Signature header contains a cryptographic signature that allows the receiver to verify that the email was not modified and is from the claimed domain, helping prevent spoofing.

66
MCQmedium

An analyst examining Apache access logs finds the following entry: 192.168.1.10 - - [10/Oct/2023:13:55:36 -0400] "GET /search.php?q=1'%20OR%20'1'='1 HTTP/1.1" 200 5324 "-" "Mozilla/5.0". Which of the following attacks is MOST likely occurring?

A.SQL injection
B.Cross-site scripting (XSS)
C.Remote file inclusion
D.Path traversal
AnswerA

The payload contains SQL code trying to manipulate the query.

Why this answer

The log shows a URI parameter containing SQL injection syntax (1' OR '1'='1). The single quote and OR condition are classic indicators of SQL injection attempts.

67
MCQhard

In a Google Cloud Platform (GCP) environment, a forensic investigator needs to determine who deleted a Cloud Storage bucket and when. Which log type should be queried to obtain this information?

A.Cloud Monitoring metrics
B.VPC flow logs
C.Cloud Storage access logs
D.Cloud Audit Logs (Admin Activity)
AnswerD

Admin Activity audit logs capture all API calls that modify configuration or metadata, including bucket deletion.

Why this answer

GCP Cloud Audit Logs record admin activities like bucket deletion. Cloud Storage logs (access logs) record object-level operations but not bucket deletion by IAM users.

68
MCQhard

During a forensic investigation of a Microsoft SQL Server, you find the transaction log contains the following: LOP_BEGIN_XACT, LOP_INSERT_ROWS, LOP_COMMIT_XACT for a table named 'CreditCards', with a timestamp just before a known data breach. The log also shows a bulk insert operation. What does this indicate?

A.A scheduled backup
B.Data exfiltration via the transaction log
C.A SQL injection attack on the database
D.Normal database maintenance
AnswerB

The INSERT operations on a sensitive table, especially bulk, indicate data theft.

Why this answer

A transaction log showing INSERT operations on a sensitive table, especially with bulk insert, is strong evidence of data exfiltration. The timing and table name suggest unauthorized copying of credit card data.

69
MCQmedium

In Docker forensics, which of the following commands would you use to inspect the history of an image, including the commands that created each layer?

A.docker image ls
B.docker history
C.docker logs
D.docker inspect
AnswerB

'docker history' displays the image's layer history with build commands.

Why this answer

The 'docker history' command shows the history of an image, listing each layer and the command that created it.

70
MCQeasy

Which of the following is a primary challenge in cloud forensics due to the shared responsibility model?

A.Absence of forensic tools
B.Inability to perform network analysis
C.Lack of logging capabilities
D.Multi-tenancy and data segregation
AnswerD

Multi-tenancy makes it difficult to isolate a customer's data without affecting others.

Why this answer

Multi-tenancy means data from multiple customers may reside on the same physical hardware, complicating isolation and acquisition of evidence.

71
MCQeasy

An analyst examines the following Apache access log entry: 192.168.1.10 - - [10/Jan/2023:13:45:22 +0000] "GET /search.php?q=1%27%20UNION%20SELECT%201,2,3-- HTTP/1.1" 200 1234 "-" "Mozilla/5.0". Which attack is MOST likely indicated?

A.Path Traversal
B.SQL Injection
C.Cross-Site Scripting (XSS)
D.Remote File Inclusion
AnswerB

The UNION SELECT statement in the query parameter is a SQL injection technique to extract data from the database.

Why this answer

The log shows a UNION SELECT statement in the query parameter, indicating a SQL injection attempt. The URL-encoded single quote (') and comment (--) are classic SQLi payloads.

72
Multi-Selectmedium

Which TWO of the following are indicators of a webshell on a web server? (Select TWO.)

Select 2 answers
A.A file named 'cmd.php' with a modification date matching other legitimate files
B.The file contains system commands executed via GET or POST parameters
C.A recently modified file with a timestamp different from other files in the same directory
D.The server's index.html file is missing
E.The file is over 1 MB in size
AnswersB, C

Webshells commonly execute commands from input parameters.

Why this answer

Webshells often have recent modification times out of sync with other files, and they typically accept command parameters in GET/POST requests. Large file size alone is not definitive, and missing index.html is unrelated.

73
MCQmedium

During a database forensic investigation, a MSSQL transaction log analysis reveals a series of INSERT statements that added records to a customer table, followed by a TRUNCATE TABLE statement. What does this pattern most likely indicate?

A.A database backup and restore operation
B.A scheduled data archiving process
C.An attacker exfiltrating data and then clearing the table to hide evidence
D.A DBA testing a new schema
AnswerC

INSERT adds data (exfiltration target), TRUNCATE hides the activity.

Why this answer

TRUNCATE TABLE removes all rows and is often used by attackers to cover tracks after exfiltration, while INSERT adds data (possibly exfiltrated or planted).

74
MCQeasy

Which email header field is used to verify that an email was sent by the authorized mail server for the domain and has not been tampered with, using cryptographic signatures?

A.X-Mailer
B.Message-ID
C.Received-SPF
D.DKIM-Signature
AnswerD

DKIM uses a public-key signature to verify that the email was not altered and originated from the claimed domain.

Why this answer

DKIM (DomainKeys Identified Mail) uses a digital signature to verify the email's origin and integrity.

75
MCQmedium

An investigator is analyzing a compromised MySQL database server. To determine the exact time and content of a suspect data exfiltration query, which MySQL log should be examined first, assuming it is enabled?

A.General query log
B.Error log
C.Binary log
D.Slow query log
AnswerA

The general query log records all SQL queries received from clients, including SELECT statements that exfiltrate data.

Why this answer

The general query log captures every SQL statement, including SELECT queries, making it ideal for identifying data exfiltration.

