CCNA Computer Forensics Fundamentals and Process Questions

75 of 155 questions · Page 2/3 · Computer Forensics Fundamentals and Process · Answers revealed

76
MCQ · medium

An organization receives a legal hold notice regarding pending litigation. The IT department is instructed to preserve all relevant electronically stored information. What is the primary action the IT department should take?

A. Place a hold on relevant data and suspend routine deletion policies
B. Ignore the notice and continue normal operations
C. Create a forensic image of all servers immediately
D. Permanently delete all emails older than 30 days to reduce storage
Answer: A

This preserves the data as required by the legal hold.

Why this answer

The primary action is to place a legal hold on relevant data and suspend routine deletion policies. This ensures that all potentially relevant electronically stored information (ESI) is preserved in its current state, preventing spoliation and ensuring compliance with the legal hold notice. Suspending deletion policies stops automated processes like email purge jobs or document retention schedules from destroying evidence, which is a foundational step in the e-discovery process.

Exam trap

EC-Council often tests the misconception that the immediate response to a legal hold is to create forensic images of all systems, but the correct first step is to suspend deletion policies to prevent data loss before any imaging or collection occurs.

How to eliminate wrong answers

Option B is wrong because ignoring the notice and continuing normal operations would constitute spoliation of evidence, violating the legal hold and potentially leading to severe legal sanctions, including adverse inference instructions or monetary penalties. Option C is wrong because creating a forensic image of all servers immediately is an overreaction and not the first step; imaging is a preservation technique but should be targeted and performed after identifying the scope of relevant data, not indiscriminately across all servers, which is disruptive and unnecessary. Option D is wrong because permanently deleting all emails older than 30 days is the exact opposite of preservation; it would destroy potentially relevant ESI and directly violate the legal hold, risking spoliation charges.

77
MCQ · hard

An organization receives a legal hold notice for a civil lawsuit. An employee later deletes relevant emails from their mailbox. Which legal principle is MOST likely violated?

A. Spoliation of evidence
B. Best evidence rule
C. Locard's exchange principle
D. Probable cause
Answer: A

Spoliation is the intentional or negligent destruction of evidence, which can lead to sanctions.

Why this answer

The legal hold notice imposes a duty to preserve relevant evidence. Deleting emails after receiving such notice constitutes intentional destruction of evidence, which is spoliation. This violates the legal principle of spoliation of evidence, as the organization had a duty to preserve the emails for the pending litigation.

Exam trap

Cisco often tests spoliation by pairing it with a legal hold scenario to see if candidates confuse it with evidence admissibility rules (Best Evidence Rule) or forensic principles (Locard's Exchange Principle) rather than recognizing the duty to preserve evidence.

How to eliminate wrong answers

Option B is wrong because the Best Evidence Rule requires the original document or a reliable duplicate to prove its content, but it does not address the destruction of evidence after a legal hold. Option C is wrong because Locard's Exchange Principle is a forensic concept stating that every contact leaves a trace, applicable to physical evidence transfer, not to legal duties or evidence preservation. Option D is wrong because Probable Cause is a Fourth Amendment standard for searches and seizures, not a principle governing the destruction of evidence subject to a legal hold.

78
MCQ · easy

A first responder arrives at a scene where a computer is powered on and the user is present. According to standard forensic first responder procedures, what should the responder do FIRST?

A. Photograph the scene and document the system state
B. Boot the system from a forensic USB to create a memory dump
C. Immediately disconnect the power cord to preserve the hard drive
D. Ask the user to log out so the system can be powered off safely
Answer: A

Documenting the scene, including the screen contents, connections, and surroundings, is the first critical step.

Why this answer

Option A is correct because the first priority at a live scene is to preserve volatile evidence and establish a chain of custody. Photographing the scene and documenting the system state (e.g., running processes, open network connections, logged-in users) captures critical volatile data before any action is taken. This aligns with the order of volatility (RFC 3227), which mandates capturing memory and system state before altering the system.

Exam trap

The trap here is that candidates confuse the urgency of preserving the hard drive (Option C) with the forensic priority of capturing volatile data first, leading them to pull the plug prematurely.

How to eliminate wrong answers

Option B is wrong because booting from a forensic USB before documenting the scene risks overwriting volatile data (e.g., memory, process lists) and violates the order of volatility; memory dumps should be performed after initial documentation. Option C is wrong because immediately disconnecting power destroys volatile data (RAM, network connections) and can cause file system corruption; a controlled shutdown or live acquisition is preferred. Option D is wrong because asking the user to log out alters the system state (e.g., terminates processes, clears clipboard) and may destroy evidence of user activity; the responder should not involve the user in evidence preservation.

79
MCQ · easy

Which of the following BEST describes Locard's exchange principle as applied to digital forensics?

A. Digital evidence must be collected using a write blocker.
B. The chain of custody must be documented for evidence to be admissible.
C. Volatile data must be collected before powering off a system.
D. Every contact leaves a trace; an attacker will leave digital evidence on the compromised system.
Answer: D

This correctly applies the principle to digital forensics.

Why this answer

Locard's exchange principle states that every contact leaves a trace. In digital forensics, this means that when an attacker interacts with a compromised system, they inevitably leave behind digital artifacts such as log entries, modified files, registry changes, or network connection records. Option D correctly captures this core concept as applied to digital forensics.

Exam trap

The trap here is that candidates confuse procedural best practices (write blockers, chain of custody, order of volatility) with the fundamental theoretical principle of trace evidence exchange, leading them to pick a practical step instead of the conceptual definition.

How to eliminate wrong answers

Option A is wrong because using a write blocker is a best practice for preserving the integrity of digital evidence during acquisition, but it is not a description of Locard's exchange principle. Option B is wrong because documenting the chain of custody is a legal and procedural requirement for evidence admissibility, not a statement of the exchange principle. Option C is wrong because collecting volatile data before powering off is a priority in incident response (order of volatility), but it does not describe the trace-leaving nature of Locard's principle.

80
MCQ · medium

Which of the following is a key requirement for digital evidence to be considered admissible in court?

A. The evidence must be authentic and its integrity must be verifiable
B. The evidence must have been collected by a law enforcement officer
C. The evidence must be stored on a write-blocked device
D. The evidence must be encrypted to ensure confidentiality
Answer: A

Authenticity and integrity are fundamental to admissibility.

Why this answer

Digital evidence must be authentic and its integrity verifiable to meet the legal standard of admissibility, as established by rules such as the Federal Rules of Evidence (FRE 901) and the Daubert standard. Authentication requires proving that the evidence is what it claims to be, typically through a hash value (e.g., MD5, SHA-1, or SHA-256) computed before and after analysis to ensure no tampering occurred. Without verifiable integrity, the evidence could be challenged as altered, making it inadmissible regardless of how it was collected.

Exam trap

EC-Council often tests the misconception that procedural steps like write-blocking or law enforcement involvement are legal requirements, when in fact the core admissibility criterion is the ability to prove authenticity and integrity through verifiable means like hash values and chain of custody documentation.

How to eliminate wrong answers

Option B is wrong because digital evidence can be collected by any qualified forensic examiner, not exclusively a law enforcement officer; private-sector investigators or certified forensic analysts often handle evidence in civil cases. Option C is wrong because while write-blocking is a best practice to preserve evidence integrity, it is not a legal requirement for admissibility; evidence stored on a non-write-blocked device may still be admissible if integrity is otherwise proven (e.g., via hash verification). Option D is wrong because encryption is not a requirement for admissibility; in fact, encrypted evidence may be inadmissible if the decryption key is unavailable or if encryption obscures the evidence's authenticity, and confidentiality is separate from the legal standards of authenticity and integrity.

81
MCQ · easy

Locard's exchange principle is fundamental to forensic science. How does this principle apply to computer forensics?

A. Every action on a digital device leaves some trace of evidence.
B. Digital evidence is always volatile and must be preserved immediately.
C. Evidence must be collected within 24 hours.
D. Only physical evidence, such as fingerprints, can be left at a crime scene.
Answer: A

Logs, metadata, and artifacts are all traces of activity.

Why this answer

Locard's principle states that every contact leaves a trace; in digital forensics, this translates to digital traces left behind when a system is accessed.

82
Multi-Select · hard

Which THREE of the following are considered types of evidence under the rules of evidence? (Choose three.)

Select 3 answers
A. Corroborating evidence
B. Best evidence
C. Circumstantial evidence
D. Direct evidence
E. Hearsay evidence
Answers: C, D, E

Evidence that implies a fact but does not directly prove it.

Why this answer

Circumstantial evidence is a recognized type of evidence under the rules of evidence because it relies on an inference to connect a fact to a conclusion, rather than directly proving the fact. In digital forensics, circumstantial evidence might include log entries showing a user logged in at the time of an incident, which indirectly suggests involvement. It is admissible as long as the chain of inferences is reasonable and supported by other facts.

Exam trap

EC-Council often tests the distinction between 'types of evidence' and 'rules governing evidence'—candidates confuse the best evidence rule (a procedural rule) with a type of evidence, leading them to incorrectly select 'Best evidence' as a type.

83
MCQ · medium

During an investigation, a forensic analyst must preserve a hard drive that is part of a RAID array. Which of the following is the MOST appropriate method to preserve the evidence?

A. Power off the system and remove only the drive with the operating system
B. Disconnect all drives and image a logical volume after the RAID controller
C. Image each physical drive individually using a write blocker
D. Rebuild the array in a different system and then image
Answer: C

This preserves each drive's contents without modification, maintaining the ability to reconstruct the array.

Why this answer

Option C is correct because imaging each physical drive individually with a write blocker preserves the exact bit-for-bit state of every disk in the RAID array, including metadata, parity, and superblock information. This approach ensures that the logical volume can be reconstructed later in a controlled environment without altering the original evidence, which is critical for maintaining chain of custody and forensic integrity.

Exam trap

EC-Council often tests the misconception that imaging a logical volume or rebuilding the array is acceptable, but the trap here is that any operation that allows the RAID controller or OS to write to the drives (even during a read) can alter evidence, making individual physical imaging with a write blocker the only forensically sound method.

How to eliminate wrong answers

Option A is wrong because removing only the operating system drive from a RAID array destroys the array's configuration and may cause the controller to mark the remaining drives as degraded or foreign, potentially overwriting critical metadata. Option B is wrong because imaging a logical volume after the RAID controller introduces the risk of the controller altering data during read operations (e.g., on-the-fly parity recalculation or bad block remapping), and it does not capture the physical state of each drive, which may be needed for parity analysis or recovery of deleted data. Option D is wrong because rebuilding the array in a different system can trigger automatic synchronization or reconstruction processes that modify data on the drives, thereby contaminating the evidence and violating forensic best practices.

84
MCQ · hard

During a forensic investigation, a first responder notices that a computer is running and suspects that volatile data may be present. According to best practices, what should the responder do to preserve the most volatile data first?

A. Perform a graceful shutdown to avoid data corruption
B. Remove the hard drive immediately while the system is running
C. Capture the contents of RAM using a forensic tool, then shut down
D. Immediately unplug the power cord to freeze the system state
Answer: C

This preserves the most volatile data first.

Why this answer

Option C is correct because volatile data, such as the contents of RAM, is lost when power is removed. The first responder must capture this data using a forensic tool (e.g., FTK Imager, WinPmem, or LiME) before performing a shutdown. This follows the Order of Volatility (RFC 3227), which prioritizes capturing registers, cache, and RAM before any persistent storage.

Exam trap

The trap here is that candidates often confuse 'preserving data integrity' with 'avoiding corruption' and choose a graceful shutdown (Option A), not realizing that the shutdown process itself destroys the most volatile evidence.

How to eliminate wrong answers

Option A is wrong because a graceful shutdown allows the operating system to overwrite or clear volatile data (e.g., memory pages, temporary files, and encryption keys) during the shutdown process, destroying potential evidence. Option B is wrong because removing the hard drive while the system is running can cause electrical damage to the drive and controller, and it does not preserve RAM; the volatile data in memory is lost immediately when power is interrupted. Option D is wrong because immediately unplugging the power cord causes an abrupt loss of power, which destroys all volatile data in RAM and cache, and may also cause filesystem corruption on the hard drive due to incomplete write operations.

85
MCQ · hard

During a forensic investigation, an analyst uses the following command: `dd if=/dev/sda of=/mnt/evidence/image.dd bs=4096 conv=noerror,sync`. What is the effect of the `conv=noerror,sync` option?

A. It verifies the integrity of the image using a hash algorithm
B. It ignores read errors and pads bad blocks with zeros in the output image
C. It creates a compressed image to save disk space
D. It enables logging of all I/O errors to a separate file
Answer: B

This is exactly what noerror (ignore errors) and sync (pad with zeros) do.

Why this answer

The `conv=noerror,sync` option in `dd` instructs the tool to continue processing even when a read error is encountered (`noerror`) and to pad the output block with zeros (`sync`) to maintain the correct block size and offset alignment. This ensures that the forensic image remains a bit-for-bit copy of the source device in terms of size and structure, with corrupted sectors replaced by zeros rather than causing the imaging process to abort or produce a truncated image.

Exam trap

Cisco often tests the misconception that `conv=noerror,sync` performs error correction or data recovery, when in fact it simply ignores errors and pads with zeros, which can lead to data loss if the analyst assumes the image is pristine.

How to eliminate wrong answers

Option A is wrong because `conv=noerror,sync` does not perform any hash verification; integrity verification is done separately using tools like `md5sum`, `sha1sum`, or `dd` with `conv=noerror` combined with a separate hash calculation. Option C is wrong because `dd` does not compress data; compression requires piping through `gzip` or using `conv=lz4` (if supported) or a separate compression tool. Option D is wrong because `dd` does not have a built-in logging feature for I/O errors; error logging must be implemented by redirecting stderr or using wrapper scripts.
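The following is an added example, not part of the original question set: a small Python model of `dd`'s copy loop that shows what `noerror` and `sync` each change when a block cannot be read, plus the before/after hash check that question 80 describes as the basis of integrity verification. `FakeDevice`, `dd_like`, the sample device contents and the bad block number are all constructed for the demonstration; they are not `dd` itself and not a real device.

```python
import hashlib

BLOCK_SIZE = 512                       # constructed block size (also dd's default bs)
SOURCE_SIZE = 5 * BLOCK_SIZE + 100     # constructed: deliberately not a whole number of blocks
BAD_BLOCKS = {2}                       # constructed: block 2 behaves like an unreadable sector


class FakeDevice:
    """Stand-in for a block device such as /dev/sda (constructed for this example).
    Reading a block listed in bad_blocks raises OSError, like a sector with a read error."""

    def __init__(self, data, bad_blocks):
        self.data = data
        self.bad_blocks = set(bad_blocks)

    def read_block(self, index, block_size):
        if index in self.bad_blocks:
            raise OSError(f"I/O error on block {index}")
        return self.data[index * block_size:(index + 1) * block_size]


def make_device():
    """Deterministic sample contents (constructed); byte values 1..251 so no block is all zeros."""
    return FakeDevice(bytes(i % 251 + 1 for i in range(SOURCE_SIZE)), BAD_BLOCKS)


def dd_like(device, source_size, block_size=BLOCK_SIZE, noerror=True, sync=True):
    """Model of dd's block copy loop for the two conversion flags under discussion.
    noerror: continue after a read error instead of aborting (dd aborts by default).
    sync:    pad every short or failed read with NUL bytes up to block_size, so each
             output block keeps the same offset it had on the source device."""
    out = bytearray()
    nblocks = -(-source_size // block_size)          # ceiling division
    for i in range(nblocks):
        try:
            chunk = device.read_block(i, block_size)
        except OSError:
            if not noerror:
                raise                                # plain dd: the imaging run aborts here
            chunk = b""                              # noerror: nothing was read for this block
        if sync and len(chunk) < block_size:
            chunk += b"\x00" * (block_size - len(chunk))
        out += chunk
    return bytes(out)


def aborts_without_noerror(device, source_size):
    """True if imaging the device fails when noerror is not set."""
    try:
        dd_like(device, source_size, noerror=False)
    except OSError:
        return True
    return False


def sha256_hex(data):
    """Acquisition hash: computed once when the image is made and recorded on the custody form."""
    return hashlib.sha256(data).hexdigest()


def verify_image(image, recorded_digest):
    """Re-hash the image later and compare with the recorded value; any change flips this to False."""
    return sha256_hex(image) == recorded_digest


if __name__ == "__main__":
    dev = make_device()
    img = dd_like(dev, SOURCE_SIZE)                  # noerror,sync: padded, offsets preserved
    print("sync image size:", len(img), "(source was", SOURCE_SIZE, "bytes)")
    print("bad block zero-filled:", img[2 * BLOCK_SIZE:3 * BLOCK_SIZE] == b"\x00" * BLOCK_SIZE)
    img_nosync = dd_like(dev, SOURCE_SIZE, sync=False)   # noerror only: bad block dropped
    print("no-sync image size:", len(img_nosync), "- later blocks shifted:",
          img_nosync[2 * BLOCK_SIZE:3 * BLOCK_SIZE] == dev.data[3 * BLOCK_SIZE:4 * BLOCK_SIZE])
    print("plain dd aborts:", aborts_without_noerror(dev, SOURCE_SIZE))
    digest = sha256_hex(img)
    tampered = bytearray(img)
    tampered[0] ^= 0x01
    print("original verifies:", verify_image(img, digest),
          "tampered verifies:", verify_image(bytes(tampered), digest))
```

Two things the run makes visible that the option text only implies: without `sync`, the unreadable block is simply dropped, so every later block lands at the wrong offset and file-system structures no longer line up; and with `sync`, the final partial block is also padded, so the image is a whole number of blocks and slightly larger than the source, which is why the image hash is compared against a hash of the image, not of the device, and why the examiner's notes should record the bad block count `dd` reports.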

86
MCQ · easy

In the context of the US Fourth Amendment, what is typically required for law enforcement to seize a computer for forensic examination?

A. A subpoena duces tecum
B. No legal authorization is needed if the computer is in plain view
C. Consent of the owner, a warrant, or exigent circumstances
D. Only a warrant issued by a judge
Answer: C

These are common exceptions to the warrant requirement.

Why this answer

Option C is correct because the Fourth Amendment requires law enforcement to obtain a warrant based on probable cause, obtain the owner's consent, or demonstrate exigent circumstances before seizing a computer for forensic examination. This protects against unreasonable searches and seizures, and a computer's storage capacity means it can contain vast amounts of personal data, so the same constitutional protections apply as to a physical home or vehicle.

Exam trap

EC-Council often tests the misconception that a warrant is always required, ignoring that consent and exigent circumstances are equally valid legal bases for seizure without a warrant.

How to eliminate wrong answers

Option A is wrong because a subpoena duces tecum compels the production of documents or records, but it does not authorize law enforcement to physically seize a computer for forensic examination; it is a discovery tool, not a search warrant. Option B is wrong because the plain view doctrine only applies if the officer is lawfully present and the incriminating nature of the computer is immediately apparent, but it does not automatically permit seizing the device for a full forensic examination without a warrant or other exception. Option D is wrong because while a warrant is a common method, it is not the only method; consent and exigent circumstances are also valid exceptions under the Fourth Amendment.

87
MCQ · easy

A first responder arrives at a crime scene where a computer is powered on and displaying a desktop. According to best practices, which of the following actions should the responder take FIRST?

A. Press Ctrl+Alt+Del to check for active user sessions.
B. Connect a write blocker and begin imaging the hard drive.
C. Unplug the power cord immediately to preserve volatile data.
D. Photograph the scene and the computer screen.
Answer: D

Documenting the scene photographically is the first step to preserve evidence context.

Why this answer

The first responder should photograph the scene and all visible evidence before any actions that might alter the state. This preserves a visual record of the original condition.

88
Multi-Select · hard

A first responder arrives at a crime scene where a computer is running. Which THREE actions should the first responder take to preserve volatile evidence?

Select 3 answers
A. Collect contents of RAM using a tool like FTK Imager or dd
B. Unplug the power cord immediately
C. Record active network connections using netstat
D. Run a full antivirus scan on the system
E. Photograph the screen to capture current state
Answers: A, C, E

Memory contains volatile data critical for investigation.

Why this answer

Option A is correct because RAM contains volatile data that is lost when power is removed. FTK Imager or dd can capture the exact contents of memory, preserving running processes, open network connections, encryption keys, and other transient evidence critical to the investigation.

Exam trap

EC-Council often tests the misconception that immediately cutting power is the safest action, but the trap is that this destroys the most volatile evidence (RAM) and can corrupt the filesystem, whereas a proper forensic response prioritizes capturing memory first.

89
MCQ · hard

During an internal investigation, an employee is suspected of leaking sensitive data. The security team finds that the employee's computer has been turned off. Which of the following evidence types would be LOST due to the system being powered off?

A. System logs stored in the Event Viewer
B. Files stored on the hard drive
C. Registry hives
D. Contents of RAM and network connections
Answer: D

RAM and network state are volatile and lost on power loss.

Why this answer

Volatile data such as RAM contents, network connections, and running processes are lost when the system is powered off. Non-volatile data on the hard drive remains.

90
Multi-Select · medium

Which TWO of the following are essential components of a proper chain of custody documentation? (Select TWO)

Select 2 answers
A. The IP address of the forensic workstation
B. Backup location of the evidence
C. Date and time of evidence collection
D. Signature of the person handling the evidence
E. The forensic tool used to analyze the evidence
Answers: C, D

The exact date and time when evidence was collected is a fundamental part of chain of custody.

Why this answer

Chain of custody must include who handled the evidence, when (date/time), and what was done. Access control and backup procedures, while important, are not typically part of the chain of custody form itself.

91
MCQ · medium

A forensic examiner uses a hardware write blocker when imaging a suspect's hard drive. What is the primary function of a hardware write blocker?

A. To encrypt the data on the suspect drive
B. To prevent any data from being written to the suspect drive
C. To connect the suspect drive via USB
D. To increase the speed of data acquisition
Answer: B

Correct. This preserves the original evidence.

Why this answer

A hardware write blocker is a device placed between the suspect drive and the forensic workstation that intercepts and blocks any write commands from the host system. Its primary function is to ensure that no data—such as file system metadata, temporary files, or operating system writes—can be written to the suspect drive, thereby preserving the original evidence in a forensically sound manner. This is critical for maintaining the integrity of the evidence and ensuring it is admissible in court.

Exam trap

EC-Council often tests the distinction between the function of a write blocker (preventing writes) and its physical interface (e.g., USB), leading candidates to mistakenly choose the interface option as the primary function.

How to eliminate wrong answers

Option A is wrong because encrypting the data on the suspect drive would alter the evidence and is not the function of a write blocker; encryption is a separate process typically applied to the forensic image, not the original drive. Option C is wrong because while many hardware write blockers do connect via USB or other interfaces, that is a means of connection, not the primary function; the core purpose is write protection, not the interface type. Option D is wrong because hardware write blockers do not increase acquisition speed; in fact, they may introduce a slight latency, and speed is determined by the drive interface and imaging software, not the blocker itself.

92
MCQ · medium

A first responder arrives at a scene where a computer is on and logged in. There is a suspicion that the system contains volatile data that may be crucial to the investigation. According to best practices, what should the first responder do?

A. Immediately pull the power cord to preserve the hard drive
B. Place the system in a Faraday bag and transport to lab
C. Take photos and then shut down normally
D. Collect volatile data using tools like FTK Imager or dd
Answer: D

Volatile memory collection should be done before powering off.

Why this answer

Option D is correct because volatile data (e.g., RAM contents, network connections, running processes) is lost when the system loses power. FTK Imager or dd can capture a bit-for-bit image of memory and live system state while the computer remains on, preserving evidence that would otherwise vanish. This aligns with the order of volatility (RFC 3227), which prioritizes capturing volatile data before any other action.

Exam trap

EC-Council often tests the misconception that preserving the hard drive is the top priority, but the trap here is that volatile data is more fragile and must be collected first, even if it means leaving the system powered on.

How to eliminate wrong answers

Option A is wrong because immediately pulling the power cord destroys volatile data (RAM, open network sockets, cached credentials) and can cause file system corruption or anti-forensic artifacts (e.g., unflushed journal entries). Option B is wrong because a Faraday bag is used to isolate a device from wireless signals, not to preserve volatile data; it does not prevent data loss from power loss or capture running memory. Option C is wrong because shutting down normally triggers the OS to write cached data to disk, overwriting evidence, and terminates all volatile data; taking photos does not capture memory contents.

93
MCQ · medium

A company receives a legal hold notice regarding a lawsuit. What immediate action should the company take to comply?

A. Delete all emails older than 30 days to free up storage
B. Immediately format the hard drives of all employees involved
C. Preserve all potentially relevant electronic documents and data
D. Ignore the notice because it is not a court order
Answer: C

The legal hold requires preservation of all data that might be relevant to the lawsuit.

Why this answer

Option C is correct because a legal hold notice triggers a duty to preserve all potentially relevant electronically stored information (ESI). Under the Federal Rules of Civil Procedure (FRCP) Rule 37(e), failure to preserve can lead to spoliation sanctions. The immediate action is to issue a litigation hold notice and suspend routine data deletion policies, ensuring that all relevant emails, documents, and logs are preserved in their current state.

Exam trap

EC-Council often tests the misconception that a legal hold notice is optional or that routine deletion policies can continue, but the trap is that preservation duties begin immediately upon anticipation of litigation, regardless of whether a formal court order has been served.

How to eliminate wrong answers

Option A is wrong because deleting emails older than 30 days violates the preservation obligation and constitutes spoliation, which can result in adverse inference instructions or monetary sanctions. Option B is wrong because formatting hard drives destroys all data, including potentially relevant evidence, and is a textbook example of intentional spoliation. Option D is wrong because a legal hold notice, even if not a formal court order, carries legal weight under FRCP and common law; ignoring it can lead to severe penalties for failure to preserve evidence.

94
MCQ · medium

A security analyst notices that a log file on a Linux server shows repeated failed SSH login attempts from an external IP address, but no successful login from that IP. However, the /var/log/auth.log file has been recently truncated. Which type of evidence is the truncated log file?

A. Hearsay evidence
B. Best evidence
C. Circumstantial evidence
D. Direct evidence
Answer: D

The truncated log file is a direct artifact of an action (tampering) and can be directly observed.

Why this answer

The truncated log file is direct evidence because it is a tangible, physical artifact that, by its very state (having been truncated), directly indicates that an action was taken to alter or destroy log data. In computer forensics, direct evidence is evidence that, if believed, proves a fact without any inference or presumption. The truncation itself is a fact that can be observed and analyzed, and it directly supports the conclusion that someone tampered with the log file to conceal the failed SSH login attempts.

Exam trap

EC-Council often tests the distinction between direct and circumstantial evidence by presenting a scenario where the evidence (like a truncated log) seems to require inference, but the trap is that the physical state of the file is itself a directly observable fact, not an inference, making it direct evidence of tampering.

How to eliminate wrong answers

Option A is wrong because hearsay evidence is an out-of-court statement offered to prove the truth of the matter asserted, and a truncated log file is not a statement but a physical artifact; forensic examiners treat logs as real evidence, not hearsay. Option B is wrong because best evidence refers to the original document or recording when its content is at issue, but here the issue is the state of the log file (truncated), not the content of the log entries; the truncated file itself is the best evidence of tampering, but the term 'best evidence' is a legal rule about proving the content of a writing, not a classification of evidence type. Option C is wrong because circumstantial evidence requires an inference to connect the evidence to a fact (e.g., the truncation implies someone deleted logs), but the truncated log file is direct evidence of the act of truncation itself—no inference is needed to see that the file was truncated.

95
MCQ · medium

Which of the following is the BEST description of Locard's exchange principle as applied to digital forensics?

A. Only original evidence is admissible in court
B. Digital evidence must be collected in a manner that preserves its integrity
C. Every contact leaves a trace; the perpetrator will leave digital traces on the crime scene
D. Evidence must be documented with a chain of custody
Answer: C

Locard's principle applied to digital evidence.

Why this answer

Locard's exchange principle states that every contact leaves a trace. In digital forensics, this means that when a perpetrator interacts with a system—whether by accessing files, running commands, or connecting to a network—they inevitably leave digital artifacts such as log entries, registry keys, metadata, or network connection records. Option C correctly captures this core concept of trace transfer in the digital domain.

Exam trap

EC-Council often tests whether candidates confuse Locard's exchange principle with general forensic procedures like chain of custody or evidence integrity, so the trap is picking a correct-sounding but non-specific option (B or D) instead of the precise definition of trace transfer.

How to eliminate wrong answers

Option A is wrong because it misstates admissibility rules; evidence does not have to be original to be admissible—duplicates or copies are often acceptable under rules like Federal Rule of Evidence 1003, provided they are accurate and authentic. Option B is wrong because it describes the general requirement for evidence integrity and proper collection procedures, which is a forensic best practice but not a description of Locard's exchange principle. Option D is wrong because chain of custody is a documentation process to track evidence handling, not a statement about the transfer of traces between a perpetrator and a crime scene.

96
Multi-Selecteasy

Which TWO of the following hashing algorithms are commonly used to verify the integrity of forensic images? (Choose two.)

Select 2 answers
A.SHA-3
B.SHA-1
C.RSA
D.AES
E.MD5
AnswersB, E

SHA-1 is widely used in forensic imaging tools.

Why this answer

SHA-1 and MD5 are the two hashing algorithms most commonly used in forensic practice to verify the integrity of forensic images. They produce a fixed-size hash value (160-bit for SHA-1, 128-bit for MD5) that acts as a digital fingerprint; if the hash of the original image matches the hash of a copy, the data is considered unchanged. Despite known collision weaknesses, they remain the de facto standards in tools like FTK Imager, EnCase, and dd due to their speed and widespread tool support.

Exam trap

EC-Council often tests the distinction between hashing algorithms (integrity) and encryption algorithms (confidentiality), so the trap here is that candidates confuse RSA and AES as hashing algorithms because they are cryptographic primitives, but they serve entirely different purposes.

97
MCQmedium

During a forensic investigation, a lawyer objects to the admissibility of a log file on the grounds that it is hearsay. Which of the following is the BEST argument to overcome this objection?

A.The log file qualifies as a business record exception to the hearsay rule.
B.The log file is circumstantial evidence, not hearsay.
C.The log file is direct evidence of the intrusion.
D.The log file is the best evidence because it is an original record.
AnswerA

Business records that are regularly kept and relied upon are exceptions to hearsay (e.g., FRE 803(6)).

Why this answer

The log file is admissible under the business records exception to the hearsay rule (Federal Rule of Evidence 803(6)). This exception applies because logs are created automatically or by a person with knowledge, near the time of the event, in the regular course of business, and it is the regular practice to make such records. In digital forensics, system logs (e.g., Windows Event Logs, syslog) are routinely admitted under this exception, as they are generated by the system without the declarant's bias or memory issues.

Exam trap

EC-Council often tests the misconception that 'best evidence' or 'original record' automatically overcomes hearsay, but the trap here is that hearsay and best evidence are separate evidentiary rules, and only a specific exception like business records can defeat a hearsay objection.

How to eliminate wrong answers

Option B is wrong because circumstantial evidence is still subject to hearsay rules; the log file is an out-of-court statement offered to prove the truth of the matter asserted (e.g., that an intrusion occurred), which is hearsay, not circumstantial. Option C is wrong because direct evidence is evidence that directly proves a fact without inference, but a log file still requires interpretation and is a recorded statement, making it hearsay unless an exception applies. Option D is wrong because the best evidence rule (original document rule) applies to proving the content of a writing, recording, or photograph, but it does not overcome a hearsay objection; the log file could still be excluded as hearsay even if it is the original.

98
Multi-Selectmedium

A forensic examiner is preparing to testify as an expert witness. Which THREE of the following qualities are essential for the examiner's testimony to be admissible under the Daubert standard? (Select THREE)

Select 3 answers
A.The methods used have been tested and are subject to peer review
B.The techniques used are generally accepted within the forensic community
C.The examiner holds a degree in computer science
D.The examiner has testified in at least ten previous cases
E.The potential error rate of the methodology is known
AnswersA, B, E

Testability and peer review are key Daubert factors.

Why this answer

The Daubert standard requires that expert testimony be based on scientific methods that are testable, peer-reviewed, and have known error rates.

99
MCQmedium

During a forensic investigation, the examiner uses a write blocker to connect the suspect drive to the forensic workstation. What is the PRIMARY purpose of using a write blocker?

A.To speed up the data acquisition process
B.To encrypt the data on the evidence drive
C.To prevent the operating system from writing data to the evidence drive
D.To allow the evidence drive to be used as a boot device
AnswerC

This preserves the integrity of the evidence.

Why this answer

A write blocker prevents any write operations to the evidence drive, ensuring the original data is not altered during acquisition.

100
MCQhard

In a UK-based investigation, the police seize a computer without a warrant. The suspect's lawyer argues that the evidence is inadmissible because it violates which law?

A.Police and Criminal Evidence Act (PACE)
B.Fourth Amendment to the US Constitution
C.General Data Protection Regulation (GDPR)
D.Computer Misuse Act
AnswerA

Correct. PACE is the relevant UK law.

Why this answer

The Police and Criminal Evidence Act (PACE) 1984 governs the powers of police in England and Wales to search, seize, and retain evidence. Without a warrant, the seizure of a computer likely violates PACE's requirements for lawful entry and seizure, making the evidence inadmissible under UK law.

Exam trap

EC-Council often tests the distinction between US constitutional law (Fourth Amendment) and UK statutory law (PACE), causing candidates to mistakenly apply US legal principles to a UK scenario.

How to eliminate wrong answers

Option B is wrong because the Fourth Amendment to the US Constitution applies only to searches and seizures by US government entities, not to UK police investigations. Option C is wrong because the General Data Protection Regulation (GDPR) governs the processing of personal data, not the legality of evidence seizure without a warrant. Option D is wrong because the Computer Misuse Act criminalizes unauthorized access to computer systems, but does not regulate police seizure procedures or admissibility of evidence.

101
MCQmedium

During a forensic investigation, an analyst uses a tool to create a bit-for-bit copy of a hard drive while ensuring the original is not modified. Which of the following is a hardware write blocker that can be used for this purpose?

A.FTK Imager
B.Tableau
C.dd
D.EnCase
AnswerB

Tableau manufactures hardware write blockers that physically prevent data from being written to the source drive.

Why this answer

A hardware write blocker physically prevents any write commands from reaching the original drive at the SATA/IDE bus level, ensuring the drive remains unaltered during acquisition. Tableau is a well-known manufacturer of forensic hardware write blockers that operate transparently to the imaging software, making it the correct choice for a hardware-based solution.

Exam trap

Cisco often tests the distinction between software tools (FTK Imager, dd, EnCase) and dedicated hardware write blockers (Tableau), trapping candidates who assume any forensic imaging tool inherently provides write protection.

How to eliminate wrong answers

Option A is wrong because FTK Imager is a software tool, not a hardware device; it relies on the operating system or a separate hardware blocker to prevent writes. Option C is wrong because dd is a Unix/Linux command-line utility for bit-for-bit copying, but it is software and does not inherently block writes to the source drive without additional safeguards like a hardware blocker or a read-only mount. Option D is wrong because EnCase is a forensic software suite that can acquire images, but it is not a hardware write blocker; it depends on external hardware or software write protection to ensure the source is not modified.

102
MCQmedium

Which of the following is an example of Locard's Exchange Principle as applied to digital forensics?

A.A suspect's computer contains log files showing they accessed a server
B.A hard drive is encrypted and cannot be read
C.A firewall blocks all incoming traffic from a specific IP address
D.A write blocker prevents data from being written to a drive
AnswerA

The access leaves traces on the suspect's machine.

Why this answer

Locard's Exchange Principle states that every contact leaves a trace. In digital forensics, this translates to the idea that when a system interacts with another, digital artifacts (such as log entries, registry keys, or network connection records) are created. Option A is correct because the log files on the suspect's computer are a direct trace of the contact between the suspect's system and the server, demonstrating the principle in a digital context.

Exam trap

EC-Council often tests the misconception that any security tool or data protection mechanism (like encryption or firewalls) is an example of Locard's Exchange Principle, when in fact the principle specifically requires evidence of a transfer or contact trace, not a barrier or lack of access.

How to eliminate wrong answers

Option B is wrong because encryption is a protective measure that prevents data access, not an example of trace evidence exchange; it does not demonstrate the creation of digital artifacts from contact. Option C is wrong because a firewall rule that blocks traffic is a security control that prevents contact, not a trace of contact that has already occurred; it does not illustrate the exchange of digital evidence. Option D is wrong because a write blocker is a hardware or software tool used to preserve evidence integrity during acquisition, not an example of a trace left by an interaction; it prevents modification, not exchange.

103
MCQmedium

During an e-discovery process, a legal hold is issued. What is the PRIMARY purpose of a legal hold?

A.To authorize forensic examiners to image all company devices
B.To prevent the destruction or alteration of potentially relevant evidence
C.To encrypt all data to prevent unauthorized access during litigation
D.To notify the opposing party of the intent to use electronic evidence
AnswerB

This is the core purpose: preserve data that may be relevant to a legal case.

Why this answer

The primary purpose of a legal hold is to preserve all forms of potentially relevant evidence by suspending normal data retention and deletion policies. This ensures that data, including emails, documents, and logs, is not altered or destroyed during the e-discovery process, which is critical for maintaining the integrity of evidence for litigation.

Exam trap

EC-Council often tests the distinction between preservation (legal hold) and collection (imaging), so candidates mistakenly choose authorization for imaging because they conflate the forensic process with the legal obligation to preserve.

How to eliminate wrong answers

Option A is wrong because a legal hold does not authorize forensic imaging; that requires a separate court order or explicit consent, and imaging is a technical step that follows preservation. Option C is wrong because encryption is a security measure to protect data from unauthorized access, not a preservation mechanism, and it can actually hinder e-discovery if keys are not managed properly. Option D is wrong because notifying the opposing party about the intent to use electronic evidence is part of the discovery phase, not the preservation phase, and is governed by rules like FRCP 26, not a legal hold.

104
MCQmedium

Which of the following BEST describes the purpose of a legal hold in e-discovery?

A.To suspend the deletion of data that may be relevant to upcoming litigation
B.To encrypt data for secure storage
C.To obtain a search warrant for digital evidence
D.To permanently delete irrelevant data
AnswerA

Correct. The legal hold ensures data is not destroyed.

Why this answer

A legal hold (also known as a litigation hold) is a directive that suspends the normal deletion or destruction of data that may be relevant to pending or reasonably anticipated litigation. In e-discovery, this ensures that potentially relevant electronically stored information (ESI) is preserved and not altered or destroyed, thereby preventing spoliation of evidence. The purpose is to maintain the integrity and availability of data for discovery obligations under rules such as FRCP Rule 37(e).

Exam trap

Cisco often tests the distinction between preservation (legal hold) and other e-discovery phases like collection or processing, leading candidates to confuse a legal hold with a search warrant or encryption, when in fact it is a proactive suspension of deletion policies.

How to eliminate wrong answers

Option B is wrong because encrypting data for secure storage is a security measure, not a preservation mechanism; encryption does not prevent deletion or alteration of data, and it can actually hinder e-discovery if keys are not managed properly. Option C is wrong because obtaining a search warrant is a legal process for law enforcement to seize evidence, not a civil e-discovery preservation directive; a legal hold is issued by a party or court, not a warrant. Option D is wrong because permanently deleting irrelevant data is the opposite of a legal hold; a legal hold preserves potentially relevant data, while deletion of irrelevant data may occur after the hold is lifted and data is deemed non-responsive.

105
MCQmedium

During a forensic investigation, a junior analyst suggests using a software write blocker to image a suspect's hard drive. Which of the following is the PRIMARY concern with relying solely on a software write blocker in a high-stakes legal case?

A.Software write blockers may be circumvented if the operating system is compromised.
B.Software write blockers require additional licensing fees.
C.Software write blockers are not compatible with all operating systems.
D.Software write blockers are too slow for large drives.
AnswerA

Software blockers run on the system being examined, so if the OS is malicious, it may bypass the blocker.

Why this answer

Software write blockers are not as reliable as hardware ones because they rely on the operating system, which can be compromised; hardware write blockers provide physical write protection.

106
MCQmedium

A forensic analyst creates a forensic image of a hard drive using the dd command: `dd if=/dev/sda of=/evidence/image.dd bs=4096 conv=noerror,sync`. What is the purpose of the `conv=noerror,sync` option?

A.It verifies the hash of the image after creation
B.It synchronizes the output with the input to ensure data integrity
C.It continues on read errors and pads the output with zeros to maintain the same size
D.It enables direct memory access for faster imaging
AnswerC

This is the correct purpose: continue on error and pad with zeros to preserve the image size.

Why this answer

The `conv=noerror,sync` option in the `dd` command instructs the tool to continue processing when a read error is encountered (`noerror`) and to pad the output block with zeros (`sync`) to maintain the same total size as the original drive. This ensures that the forensic image remains a bit-for-bit copy in terms of size, even if physical sectors are unreadable, preserving the integrity of the acquisition process for analysis.

Exam trap

EC-Council often tests the misconception that `sync` means 'synchronize data integrity' or 'flush buffers,' when in fact it specifically pads output with zeros on read errors to maintain block alignment.

How to eliminate wrong answers

Option A is wrong because hash verification is not performed by `conv=noerror,sync`; that would require a separate tool like `sha256sum` or `md5sum` after imaging. Option B is wrong because `sync` in this context pads with zeros on read errors, not synchronizes I/O operations; synchronization of data is handled by the kernel's buffer cache, not this option. Option D is wrong because direct memory access (DMA) is a hardware-level feature not controlled by `dd` options; `dd` uses standard system calls for reading and writing.
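The behaviour of `conv=noerror,sync`, as an added Python simulation that is not part of the question bank and not the coreutils dd implementation: a constructed in-memory "device" with one unreadable block and a short final block is copied the way the option dictates, and MD5/SHA-1/SHA-256 digests are taken in the same pass over the bytes written (the on-the-fly hashing the later dcfldd and image-verification questions refer to). The `FlakyDevice`, `acquire` and `verify` names are illustrative assumptions.

```python
"""Added example: simulate `dd if=... of=... bs=4096 conv=noerror,sync` on a
constructed device and verify the resulting image by hash. Not part of the
question bank and not the coreutils dd implementation; names are illustrative."""
import hashlib
import io

BLOCK_SIZE = 4096


class FlakyDevice:
    """Constructed stand-in for /dev/sda: an in-memory byte buffer in which
    reads of the listed block indices fail with EIO, as a bad sector would."""

    def __init__(self, data: bytes, bad_blocks: set):
        self.data = data
        self.bad_blocks = bad_blocks
        self.size = len(data)

    def read_block(self, index: int, bs: int) -> bytes:
        if index in self.bad_blocks:
            raise OSError(5, "Input/output error")
        start = index * bs
        return self.data[start:start + bs]  # short read on the last block


def acquire(device: FlakyDevice, bs: int = BLOCK_SIZE,
            noerror: bool = True, sync: bool = True):
    """Copy the device block by block with dd-style conv semantics.

    noerror: keep going after a failed read instead of aborting.
    sync:    pad every short or failed block with zeros up to `bs`, so the
             image keeps block alignment and the expected size.
    Returns (image_bytes, digests, unreadable_block_indices). The digests
    (MD5, SHA-1, SHA-256) are computed in the same pass over the bytes
    written, which is what dcfldd's hash= option does during acquisition.
    """
    hashes = {name: hashlib.new(name) for name in ("md5", "sha1", "sha256")}
    image = io.BytesIO()
    unreadable = []
    nblocks = (device.size + bs - 1) // bs
    for index in range(nblocks):
        try:
            chunk = device.read_block(index, bs)
        except OSError:
            if not noerror:
                raise  # plain dd stops here and the image is truncated
            unreadable.append(index)
            chunk = b""  # nothing was read for this block
        if sync and len(chunk) < bs:
            chunk = chunk.ljust(bs, b"\x00")
        image.write(chunk)
        for h in hashes.values():
            h.update(chunk)
    digests = {name: h.hexdigest() for name, h in hashes.items()}
    return image.getvalue(), digests, unreadable


def verify(image: bytes, recorded: dict) -> bool:
    """Recompute every recorded digest over the stored image and compare.
    A mismatch against digests taken separately from the source is expected
    whenever a block was zero-filled or the last block was padded; the
    acquisition digests and the list of unreadable blocks document that."""
    return all(hashlib.new(name, image).hexdigest() == digest
               for name, digest in recorded.items())


if __name__ == "__main__":
    # Constructed input: ten full 4 KiB blocks plus 100 trailing bytes, with
    # block 3 unreadable. Real disks are sector multiples but not always
    # multiples of bs, so the trailing short block is a realistic case.
    device = FlakyDevice(bytes(range(256)) * 160 + b"\xaa" * 100, {3})
    image, digests, bad = acquire(device)
    print(f"source {device.size} bytes, image {len(image)} bytes, "
          f"unreadable blocks {bad}")
    for name, digest in digests.items():
        print(f"{name}: {digest}")
    print("image verifies against acquisition digests:", verify(image, digests))
```

Note that with `bs=4096` a source whose size is not a multiple of 4096 yields an image rounded up to the next block, so the image hash will not equal a separately computed source hash even when every sector was readable.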

107
MCQmedium

A legal hold is issued by an organization's legal department. What is the primary purpose of a legal hold?

A.To notify employees that litigation is pending
B.To authorize law enforcement to seize computers
C.To preserve all relevant data that may be needed for a legal case
D.To encrypt all company data for security
AnswerC

The legal hold ensures that evidence is not destroyed or altered during the pendency of a legal matter.

Why this answer

A legal hold suspends normal document deletion and preservation policies to ensure that relevant electronically stored information (ESI) is retained for potential litigation or investigation.

108
MCQhard

A forensic investigator is preparing to acquire the contents of a live system's RAM. Which of the following tools is specifically designed for this purpose and captures memory without altering the system state?

A.Tableau write blocker
B.EnCase
C.FTK Imager
D.dd
AnswerC

FTK Imager includes a memory capture feature that preserves the system state.

Why this answer

FTK Imager is specifically designed for live memory acquisition on Windows systems, capturing RAM contents via a kernel-level driver (e.g., win32dd or FTK Imager's own memory capture module) that reads physical memory without modifying the system state. It creates a forensic image (e.g., .mem or .raw) while maintaining data integrity through hashing (MD5/SHA1). This makes it the correct choice for acquiring RAM from a live system without altering evidence.

Exam trap

EC-Council often tests the misconception that dd is the universal forensic acquisition tool, but candidates forget that dd lacks built-in integrity verification and can alter system state when reading live memory on Windows, making FTK Imager the safer, purpose-built choice for RAM capture.

How to eliminate wrong answers

Option A is wrong because a Tableau write blocker is a hardware device used to prevent writes to storage media (e.g., hard drives) during acquisition, not for capturing RAM; it cannot access or image volatile memory. Option B is wrong because EnCase is a comprehensive forensic suite that can acquire RAM via its own module (e.g., EnCase Imager), but it is not specifically designed solely for memory capture and often requires additional configuration or licensing; FTK Imager is more lightweight and purpose-built for this task. Option D is wrong because dd is a Unix/Linux command-line tool for bit-for-bit copying of storage devices or memory (e.g., /dev/mem or /dev/pmem), but it can alter system state if not used carefully (e.g., reading /dev/mem may cause crashes on some kernels) and lacks built-in hashing or write-blocking guarantees; it is not specifically designed for forensic memory acquisition on live Windows systems.

109
Multi-Selectmedium

Which TWO of the following are valid justifications for a first responder to power off a computer at a crime scene? (Select TWO)

Select 2 answers
A.To prevent the computer from overheating
B.To save time during the investigation
C.The computer is destroying evidence (e.g., running a data wiping program)
D.The computer is in a hazardous environment (e.g., flooding)
E.The computer is actively being used to commit a crime
AnswersC, D

Powering off can stop the destruction, but ideally capture volatile data first if possible.

Why this answer

Option C is correct because if a computer is actively running a data wiping program (e.g., a tool that overwrites storage sectors with zeros or random data), leaving it powered on will cause the irreversible destruction of potential evidence. A first responder must immediately cut power to halt the wiping process and preserve the remaining data, as volatile memory (RAM) is not the primary concern in this scenario—the non-volatile storage is being actively sanitized.

Exam trap

EC-Council often tests the distinction between 'actively being used to commit a crime' (which requires live acquisition) and 'actively destroying evidence' (which justifies immediate power-off), causing candidates to mistakenly select Option E as a valid justification.

110
MCQeasy

According to Locard's exchange principle, which of the following is TRUE in a digital forensic context?

A.A suspect will always leave traces of their activity on a computer system.
B.Only physical evidence, not digital evidence, is subject to exchange.
C.Digital evidence is always volatile and cannot be preserved.
D.The absence of evidence proves the suspect is innocent.
AnswerA

Locard's principle implies that digital interactions leave residual data that can be recovered.

Why this answer

Locard's principle states that every contact leaves a trace. In digital forensics, this means that when a suspect interacts with a system, digital traces (e.g., logs, files) are left behind.

111
Multi-Selecthard

A forensic examiner has acquired a disk image using FTK Imager and needs to ensure the image is an exact duplicate of the original drive. Which THREE of the following methods can be used to verify integrity? (Select THREE)

Select 3 answers
A.Compute the SHA-256 hash of the image and compare it to the original drive's hash
B.Compute the MD5 hash of the image and compare it to the original drive's MD5 hash
C.Verify the cyclic redundancy check (CRC-32) of the image file
D.Use the 'verify' function within FTK Imager which automatically computes and compares hashes
E.Check the file size of the image matches the original drive's capacity
AnswersA, B, D

SHA-256 is a strong hash function and is recommended for forensic integrity verification.

Why this answer

Option A is correct because SHA-256 is a cryptographic hash function that produces a 256-bit digest which is, for all practical purposes, unique to its input. By computing the SHA-256 hash of the acquired image and comparing it to the hash computed from the original drive, the examiner can verify bit-for-bit integrity with extremely high collision resistance, ensuring the image is an exact duplicate.

Exam trap

EC-Council often tests the distinction between error-detection codes (CRC-32) and cryptographic hash functions (SHA-256, MD5), leading candidates to mistakenly select CRC-32 as a valid integrity verification method for forensic images.

112
MCQeasy

Under the US Fourth Amendment, when is a warrant generally NOT required for a computer search and seizure?

A.When the evidence is stored in the cloud
B.When the computer is owned by a corporation
C.When the investigation involves a civil case
D.When the suspect has given consent
AnswerD

Consent is a valid exception to the warrant requirement, provided it is voluntary and informed.

Why this answer

Under the Fourth Amendment, a warrant is generally required for searches and seizures, but one well-established exception is voluntary consent. When a suspect freely and knowingly agrees to a search of their computer or digital device, law enforcement may proceed without a warrant, provided the consent is not coerced and the scope of the search is not exceeded. This principle applies regardless of whether the data is stored locally or remotely, as long as the consenting party has actual or apparent authority over the device or data.

Exam trap

EC-Council often tests the misconception that the Fourth Amendment does not apply to corporate-owned devices or cloud data, but the trap here is that consent is a specific, well-recognized exception that overrides the warrant requirement, whereas the other options describe scenarios where a warrant is still generally required unless another exception applies.

How to eliminate wrong answers

Option A is wrong because the Fourth Amendment generally requires a warrant for cloud-stored data, as the user retains a reasonable expectation of privacy in data held by a third-party provider under the Stored Communications Act (18 U.S.C. § 2703), unless an exception like consent or exigent circumstances applies. Option B is wrong because corporate ownership does not automatically waive Fourth Amendment protections; while business records may have reduced privacy expectations, a warrant is still required for a search unless an exception such as consent from an authorized corporate officer or the plain view doctrine is present. Option C is wrong because the Fourth Amendment applies to government searches in both criminal and civil cases; in civil investigations, a warrant or a valid exception (e.g., consent, subpoena) is still required, and the absence of criminal charges does not eliminate the need for a warrant.

113
MCQmedium

Which hashing algorithm is commonly used in forensic imaging to verify the integrity of evidence and is considered more secure than MD5?

A.SHA-256
B.SHA-1
C.CRC32
D.MD5
AnswerA

SHA-256 is part of the SHA-2 family and is currently considered secure.

Why this answer

SHA-256 is the correct answer because it is a widely adopted cryptographic hash function in forensic imaging tools (e.g., FTK Imager, EnCase) to verify evidence integrity. It produces a 256-bit (32-byte) hash value and is considered collision-resistant, making it significantly more secure than MD5, which has known collision vulnerabilities.

Exam trap

EC-Council often tests the misconception that SHA-1 is still acceptable for forensic integrity checks because it was once the standard, but the trap is that SHA-1 is now deprecated due to practical collision attacks, while SHA-256 is the current recommended minimum.

How to eliminate wrong answers

Option B is wrong because SHA-1 produces a 160-bit hash and has been deprecated by NIST since 2011 due to demonstrated collision attacks (e.g., SHAttered). Option C is wrong because CRC32 is a cyclic redundancy check designed for error detection in data transmission, not a cryptographic hash, and it is easily reversible and collision-prone. Option D is wrong because MD5 is a 128-bit hash that is cryptographically broken; collisions can be generated in seconds using tools like hashclash, making it unsuitable for forensic integrity verification.

114
MCQeasy

Which of the following is the BEST definition of Locard's exchange principle in computer forensics?

A.Every contact leaves a trace; an attacker will leave digital traces on a system
B.Chain of custody must be maintained to prove evidence integrity
C.The best evidence rule requires original evidence over copies
D.Digital evidence must be collected in a forensically sound manner to be admissible in court
AnswerA

Locard's principle posits that there is always a transfer of material between the perpetrator and the scene; in digital forensics, this translates to digital traces.

Why this answer

Locard's exchange principle states that when a person interacts with a scene, they leave something behind and take something with them. In digital forensics, this means that an attacker will leave traces of their activity on the system (e.g., logs, malware) and may also remove evidence.

115
Multi-Selectmedium

Which TWO of the following are valid reasons for using a hardware write blocker over a software write blocker? (Select two.)

Select 2 answers
A.Hardware write blockers support faster transfer speeds than software blockers
B.Hardware write blockers can be bypassed by malware on the forensic workstation
C.Hardware write blockers operate at the physical layer and are OS-independent
D.Hardware write blockers provide a physical barrier that prevents any writes from reaching the suspect drive
E.Hardware write blockers are cheaper than software solutions
AnswersC, D

This is a key advantage; they do not rely on the OS.

Why this answer

Option C is correct because hardware write blockers operate at the physical layer of the OSI model, intercepting SATA/IDE/PATA commands before they reach the operating system. This makes them completely OS-independent, so they work identically on Windows, Linux, or macOS without requiring any kernel-mode drivers or OS-specific configurations. In contrast, software write blockers rely on the OS storage stack and can be affected by OS-level bugs or driver conflicts.

Exam trap

Cisco often tests the misconception that hardware write blockers are faster than software blockers, when in reality the hardware bridge introduces overhead, and the key advantage is OS independence and physical write prevention, not speed.

116
Multi-Selectmedium

Which TWO of the following are valid reasons for a first responder to power off a computer system at a crime scene? (Select TWO)

Select 2 answers
A.To save time during the investigation
B.To make it easier to transport the system
C.When the system is actively destroying evidence (e.g., a data wiping program is running)
D.To prevent the destruction of volatile data by allowing it to be captured before shutdown
E.When the system is a potential threat to first responders (e.g., a bomb or hazardous environment)
AnswersC, E

If evidence is being actively destroyed, powering off may be necessary to stop the process.

Why this answer

Option C is correct because if a system is actively running a data wiping program (e.g., a tool that overwrites sectors with zeros or random data per the Gutmann method or DoD 5220.22-M standard), immediate power-off is the only way to halt the destruction of evidence before it becomes unrecoverable. Pulling the power cord (hard shutdown) stops the wiping process in its tracks, preserving any data that has not yet been overwritten.

Exam trap

The trap here is that candidates confuse 'preventing destruction of volatile data' (which requires live acquisition, not shutdown) with 'preventing destruction of non-volatile data' (which may justify a hard power-off when a wiping program is active).

117
MCQeasy

A first responder arrives at a crime scene where a computer is turned on. What should the responder do FIRST?

A.Run antivirus software to check for malware
B.Immediately disconnect the power cord
C.Copy all files from the hard drive
D.Photograph the scene and document everything
AnswerD

Documentation is critical before any action.

Why this answer

Option D is correct because the first priority at a live crime scene is to preserve the state of the evidence through proper documentation and photography. This ensures an accurate record of the computer's condition, including screen contents, peripheral connections, and environmental context, before any volatile data is lost or altered. The CHFI methodology emphasizes that documentation precedes any seizure or data acquisition steps to maintain chain of custody and evidentiary integrity.

Exam trap

EC-Council often tests the misconception that immediate power disconnection is the safest action to prevent data alteration, but the trap is that this destroys volatile evidence and can trigger encryption lockouts, whereas proper documentation and live response preserve the most fragile data first.

How to eliminate wrong answers

Option A is wrong because running antivirus software modifies the system state by writing logs, updating signatures, and potentially altering malware artifacts, which violates forensic integrity principles. Option B is wrong because immediately disconnecting the power cord on a running system causes loss of volatile data (RAM contents, network connections, running processes) and may trigger anti-forensic mechanisms like encryption key destruction or disk wiping. Option C is wrong because copying files from the hard drive before proper imaging and write-blocking can modify file metadata (access timestamps) and does not capture unallocated space or slack space, compromising the forensic soundness of the evidence.

118
MCQhard

During a forensic investigation, the analyst needs to verify the integrity of a forensic image. The analyst originally computed MD5 and SHA-1 hashes of the source drive. Which action BEST ensures the image has not been altered?

A. Recompute MD5 and SHA-1 hashes of the image and compare with the original
B. Check that the image was created using a write blocker
C. Compare the file size of the image with the original drive's capacity
D. Open the image in FTK Imager and browse a few files
Answer: A

Hash comparison is the standard method for verifying data integrity.

Why this answer

Recomputing the hashes on the image and comparing them to the original hashes ensures that the image matches the source exactly, proving integrity.

119
MCQ · medium

During a forensic investigation, the analyst needs to create a forensic image of a hard drive that also hashes the data during acquisition. Which command-line tool would be MOST appropriate for this task?

A. dd
B. fdisk
C. memdump
D. dcfldd
Answer: D

dcfldd can compute hashes on-the-fly, ensuring integrity.

Why this answer

dcfldd is a modified version of dd that includes built-in hashing (e.g., MD5, SHA-1, SHA-256) during the imaging process, allowing the analyst to verify data integrity in real time without a separate hashing step. This makes it the most appropriate tool for creating a forensic image that also hashes the data during acquisition.

Exam trap

Cisco often tests the distinction between dd and dcfldd, trapping candidates who assume dd is sufficient because it can create a raw image, ignoring the explicit requirement for integrated hashing during acquisition.

How to eliminate wrong answers

Option A (dd) is wrong because while dd can create a bit-for-bit copy, it does not natively compute or embed a hash during acquisition; any hashing must be done as a separate post-processing step, which is less efficient and can introduce integrity gaps. Option B (fdisk) is wrong because it is a partitioning tool used to manipulate partition tables, not to create forensic images or compute hashes. Option C (memdump) is wrong because it is designed to capture volatile memory (RAM), not to image a hard drive, and it does not provide hashing capabilities.

120
Multi-Select · medium

Which TWO of the following are considered types of evidence under the rules of evidence?

Select 2 answers
A. Best evidence rule
B. Direct evidence
C. Circumstantial evidence
D. Hearsay evidence
E. Exculpatory evidence
Answers: B, C

Direct evidence directly proves a fact without inference.

Why this answer

Direct and circumstantial evidence are two main categories. Hearsay and best evidence are rules, not types.

121
Multi-Select · hard

Which THREE of the following are essential steps in the digital forensics investigation process? (Select three.)

Select 3 answers
A. Examination
B. Analysis
C. Encryption
D. Collection
E. Destruction
Answers: A, B, D

Examination involves searching for relevant data.

Why this answer

Option A (Examination) is correct because it is a core phase in the digital forensics process where investigators identify and extract potential evidence from collected data without altering it. This step involves techniques such as hashing (e.g., SHA-256) to verify integrity and using tools like FTK Imager or EnCase to preview files, ensuring the evidence is preserved in a forensically sound manner. Without examination, the raw collected data cannot be systematically reviewed for relevant artifacts.

Exam trap

EC-Council often tests the distinction between the forensic process steps and unrelated technical concepts like encryption or destruction, so candidates may mistakenly select 'Encryption' because they confuse a common obstacle with a required phase, or 'Destruction' because they think evidence must be destroyed after analysis.

122
MCQ · medium

A forensic analyst needs to create a forensic image of a suspect's hard drive using FTK Imager. Which of the following image formats is MOST appropriate for maintaining evidence integrity and allowing compression?

A. ISO image format (.iso)
B. EnCase image format (.E01)
C. Advanced Forensic Format (AFF)
D. Raw/DD image (.dd)
Answer: B

E01 supports compression, integrity checks, and is widely accepted in court.

Why this answer

FTK Imager natively supports the EnCase image format (.E01), which is the most appropriate choice because it maintains evidence integrity through embedded CRC32 and MD5/SHA-1 hash verification while also supporting optional compression. Unlike raw/DD images, .E01 files can be segmented and compressed without losing forensic integrity, making them ideal for both storage efficiency and court-admissible evidence.

Exam trap

The trap here is that candidates often choose Raw/DD (.dd) because it is the simplest and most universally accepted format, but they overlook that FTK Imager's .E01 format provides built-in compression and hash verification, which are critical for both integrity and practical storage management in forensic acquisitions.

How to eliminate wrong answers

Option A is wrong because ISO image format (.iso) is designed for optical disc images and does not support forensic metadata, hash integrity checks, or compression in a forensically sound manner; it is not a forensic image format. Option C is wrong because Advanced Forensic Format (AFF) is an open-source format that supports compression and metadata, but it is not natively supported by FTK Imager for image creation; FTK Imager primarily uses .E01 and raw/DD formats. Option D is wrong because Raw/DD image (.dd) is a bit-for-bit copy that preserves integrity but does not support built-in compression or embedded hash verification, requiring separate hash files and lacking the efficiency of .E01 for large drives.

123
MCQ · medium

An expert witness is preparing to testify in a computer forensics case. Which of the following is a key requirement for the expert's testimony to be admissible under the Daubert standard?

A. The expert's methods must be generally accepted in the scientific community
B. The expert's techniques must be based on reliable principles and methods
C. The expert must have personally examined all evidence
D. The expert must have a law degree
Answer: B

Daubert focuses on reliability and relevance, including whether methods have been tested and subjected to peer review.

Why this answer

Under the Daubert standard, the admissibility of expert testimony hinges on whether the expert's techniques are based on reliable principles and methods, not merely on general acceptance. This standard, established in Daubert v. Merrell Dow Pharmaceuticals, requires the trial judge to act as a gatekeeper, evaluating the scientific validity and reliability of the methodology used.

In computer forensics, this means the expert must demonstrate that their acquisition, preservation, and analysis methods (e.g., using write-blockers, cryptographic hashing like SHA-256, and chain-of-custody documentation) are scientifically sound and consistently applied.

Exam trap

Cisco often tests the distinction between the Daubert and Frye standards, and the trap here is that candidates mistakenly choose 'general acceptance' (Option A) because it was the historical standard, but Daubert requires a more rigorous focus on the reliability and scientific validity of the methodology itself.

How to eliminate wrong answers

Option A is wrong because while general acceptance (the Frye standard) is a factor under Daubert, it is not the sole or key requirement; Daubert emphasizes reliability and relevance over mere acceptance. Option C is wrong because the expert witness does not need to personally examine all evidence; they can rely on reports, logs, and data provided by other qualified personnel, as long as the underlying methodology is reliable. Option D is wrong because a law degree is not a requirement for expert testimony in computer forensics; the expert's qualification comes from technical expertise, certifications (e.g., CHFI, EnCE), and practical experience, not legal credentials.

124
Multi-Select · medium

Which TWO of the following are considered forms of evidence under the rules of evidence? (Select two.)

Select 2 answers
A. Illegally obtained evidence
B. Hearsay evidence
C. Circumstantial evidence
D. Opinion evidence
E. Direct evidence
Answers: C, E

Circumstantial evidence requires inference but is still valid.

Why this answer

Circumstantial evidence is a recognized form of evidence under the rules of evidence because it allows a fact-finder to infer a fact from other established facts, even without direct witness testimony. In digital forensics, this is critical when reconstructing user activity from log files, file metadata, or network traffic patterns that indirectly prove an action occurred.

Exam trap

EC-Council often tests the distinction between admissibility and form of evidence, leading candidates to mistakenly select 'illegally obtained evidence' as a valid form because they confuse the concept of 'evidence' with 'admissible evidence'.

125
MCQ · medium

An investigator is examining a Windows system and needs to capture volatile data without altering the system. Which of the following tools would be MOST appropriate for acquiring the contents of RAM?

A. FTK Imager
B. dd
C. EnCase
D. Tableau write blocker
Answer: A

FTK Imager has a memory capture feature.

Why this answer

FTK Imager can capture a memory dump (RAM) from a live system, preserving volatile data for analysis.

126
MCQ · hard

During a forensic examination, an analyst runs `dcfldd if=/dev/sda of=image.dd hash=sha256 hashwindow=1G` on a suspect drive. What is the PRIMARY advantage of using `hashwindow=1G` over a single hash at the end?

A. It enables the image to be mounted as a loop device.
B. It allows verification of the image in 1GB segments, so errors can be pinpointed.
C. It encrypts the image file for security.
D. It reduces the total time to create the image.
Answer: B

If a hash mismatch occurs, the analyst knows which 1GB block is problematic.

Why this answer

The `hashwindow=1G` option in `dcfldd` computes a SHA-256 hash for every 1 GB segment of the input data, rather than a single hash for the entire image. This allows the analyst to verify the integrity of each segment independently, so if a hash mismatch occurs during later verification, the exact 1 GB block containing the error can be identified and reacquired without reimaging the entire drive.

Exam trap

The trap here is that candidates confuse `hashwindow` with a performance optimization or encryption feature, when in fact it is an integrity verification mechanism that trades slight performance overhead for granular error detection.

How to eliminate wrong answers

Option A is wrong because `hashwindow` does not affect the ability to mount the image as a loop device; mounting requires a filesystem-aware tool like `mount` with `-o loop`, not a hashing parameter. Option C is wrong because `hashwindow` provides integrity verification, not encryption; `dcfldd` does not encrypt output, and encryption would require separate tools like `openssl` or `LUKS`. Option D is wrong because computing multiple hashes during imaging actually increases CPU overhead and can slightly increase total imaging time compared to a single hash at the end.
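Segmented verification in code, as an added example (not part of the original question bank and not dcfldd's own code): it hashes a constructed in-memory image in fixed windows, the way `hashwindow=` does at acquisition time, then recomputes the windows over a damaged copy to pinpoint which segment changed, while the whole-image digest from question 118 only reports that something changed. The 1 KiB window, the (start, end, digest) record layout and the sample bytes are assumptions for the demo, not dcfldd's log format.

```python
import hashlib
from typing import List, Tuple

# Constructed sample "drive" contents (4 KiB) for the demo. A real image is far
# larger and the window would be 1G, as in the dcfldd command in the question.
SOURCE = bytes(range(256)) * 16
WINDOW = 1024          # stands in for hashwindow=1G
ALGO = "sha256"        # stands in for hash=sha256

Record = Tuple[int, int, str]   # (start offset, end offset, hex digest) -- assumed layout


def window_hashes(data: bytes, window: int = WINDOW, algo: str = ALGO) -> List[Record]:
    """Hash each fixed-size window independently, as hashwindow= does during
    acquisition. The last window may be shorter than `window`."""
    records: List[Record] = []
    for start in range(0, len(data), window):
        chunk = data[start:start + window]
        records.append((start, start + len(chunk), hashlib.new(algo, chunk).hexdigest()))
    return records


def total_hash(data: bytes, algo: str = ALGO) -> str:
    """Single digest over the whole image: what a plain hash= run records."""
    return hashlib.new(algo, data).hexdigest()


def verify_image(image: bytes, acquisition_records: List[Record],
                 algo: str = ALGO) -> List[Tuple[int, int]]:
    """Recompute every window over the stored image and compare it with the
    record taken at acquisition. Returns the (start, end) ranges that no longer
    match, so only those segments need re-acquiring. A truncated image shows up
    as short windows; extra trailing bytes are reported as an unrecorded range."""
    bad: List[Tuple[int, int]] = []
    for start, end, expected in acquisition_records:
        chunk = image[start:end]
        if len(chunk) != end - start or hashlib.new(algo, chunk).hexdigest() != expected:
            bad.append((start, end))
    last_end = acquisition_records[-1][1] if acquisition_records else 0
    if len(image) > last_end:
        bad.append((last_end, len(image)))
    return bad


def corrupt(data: bytes, offset: int) -> bytes:
    """Flip one bit at `offset`: simulates a single bad sector in the stored copy."""
    b = bytearray(data)
    b[offset] ^= 0x01
    return bytes(b)


if __name__ == "__main__":
    record = window_hashes(SOURCE)
    print("total:", total_hash(SOURCE))
    for start, end, digest in record:
        print(f"{start} - {end}: {digest}")
    damaged = corrupt(SOURCE, 2500)          # falls inside window 2 (2048-3072)
    print("whole-image hash still matches:", total_hash(damaged) == total_hash(SOURCE))
    print("windows to re-acquire:", verify_image(damaged, record))
```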

127
MCQ · hard

An investigator seizes a computer that was involved in a crime. The suspect claims that the evidence was planted. Which forensic principle best helps to refute this claim by demonstrating that the evidence could only have been left by the suspect?

A. Locard's exchange principle
B. Hearsay rule
C. Best evidence rule
D. Chain of custody
Answer: A

Locard's principle asserts that every contact leaves a trace, supporting that the suspect's interaction with the evidence is inevitable.

Why this answer

Locard's exchange principle states that every contact leaves a trace. In digital forensics, this means the suspect's interaction with the computer—such as typing, accessing files, or connecting peripherals—will leave unique digital artifacts (e.g., registry keys, prefetch files, USB device serial numbers, or browser history). By demonstrating that these artifacts could only have been created by the suspect's specific actions or device, the investigator refutes the claim of planting.

Exam trap

EC-Council often tests whether candidates confuse chain of custody (a procedural safeguard) with Locard's principle (a scientific concept about trace evidence), leading them to pick chain of custody when the question asks about how evidence was left by the suspect.

How to eliminate wrong answers

Option B (Hearsay rule) is wrong because it is a legal rule governing the admissibility of out-of-court statements as evidence, not a forensic principle about physical or digital trace transfer. Option C (Best evidence rule) is wrong because it requires the original document or recording as evidence, not a principle explaining how evidence is left by a suspect. Option D (Chain of custody) is wrong because it documents the handling and integrity of evidence from seizure to court, but does not itself demonstrate that the evidence was left by the suspect.

128
MCQ · hard

In a UK-based investigation, law enforcement officers seize a computer without a warrant. The suspect argues the seizure violated his rights under the Police and Criminal Evidence Act 1984 (PACE). Which of the following is a key consideration under PACE regarding the admissibility of the seized evidence?

A. The evidence is automatically admissible because it was seized during an investigation.
B. The evidence is admissible because it is circumstantial.
C. The evidence is admissible only if the suspect signed a consent form.
D. The court may exclude the evidence if its admission would be unfair to the suspect.
Answer: D

Section 78 of PACE gives the court discretion to exclude evidence obtained improperly.

Why this answer

Under Section 78 of PACE, the court has discretion to exclude prosecution evidence if its admission would have such an adverse effect on the fairness of the proceedings that it ought not to be admitted. Since the computer was seized without a warrant, the court must weigh the potential breach of PACE safeguards against the probative value of the digital evidence. This is not automatic exclusion, but a judicial balancing test specific to the circumstances of the seizure.

Exam trap

EC-Council often tests the misconception that any procedural violation automatically excludes evidence, whereas PACE Section 78 gives the court discretion to admit evidence if the breach does not render the trial unfair.

How to eliminate wrong answers

Option A is wrong because PACE does not provide automatic admissibility for evidence seized without a warrant; the court retains discretion under Section 78 to exclude evidence obtained in breach of PACE codes. Option B is wrong because the classification of evidence as circumstantial or direct has no bearing on admissibility under PACE; the key factor is the fairness of the proceedings, not the type of evidence. Option C is wrong because PACE does not require a suspect's signed consent for admissibility; consent relates to lawful search and seizure under PACE Code B, but even without consent, evidence may still be admissible if the court deems it fair to admit.

129
MCQ · hard

A security analyst discovers unauthorized access to a server. The incident response team decides to preserve evidence. Which of the following actions is MOST critical to ensure the admissibility of evidence in court?

A. Disconnecting the server from the network
B. Documenting the chain of custody
C. Running a full antivirus scan on the server
D. Taking screenshots of the server's screen
Answer: B

Correct. Chain of custody is essential for evidence admissibility.

Why this answer

Chain of custody documentation is the most critical action for evidence admissibility because it establishes a verifiable record of who handled the evidence, when, and under what conditions, ensuring the evidence has not been tampered with. Without a proper chain of custody, even technically sound evidence can be ruled inadmissible under rules like Federal Rule of Evidence 901. In forensic practice, this involves logging every access with timestamps, digital signatures, and hash values (e.g., SHA-256) to maintain integrity.

Exam trap

EC-Council often tests the misconception that immediate network disconnection is the top priority, but the CHFI exam emphasizes that preserving the integrity and admissibility of evidence through chain of custody outweighs technical containment actions.

How to eliminate wrong answers

Option A is wrong because disconnecting the server from the network may cause loss of volatile data (e.g., active network connections, memory contents) and can trigger anti-forensic mechanisms; the proper forensic step is to capture a memory dump and network state before isolation. Option C is wrong because running a full antivirus scan modifies file access times, potentially overwrites deleted files, and alters the system state, which violates forensic integrity principles (e.g., not altering original evidence). Option D is wrong because screenshots are easily manipulated and lack metadata integrity; they do not provide a verifiable, hash-authenticated record like a forensic image or chain-of-custody log.

130
Multi-Select · hard

According to the US Fourth Amendment, which of the following THREE conditions generally allow law enforcement to search and seize digital evidence without a warrant? (Select THREE)

Select 3 answers
A. Consent given voluntarily by the owner of the device
B. The suspect is a minor
C. Exigent circumstances where evidence is likely to be destroyed
D. The data is encrypted and the key is not provided
E. The evidence is in plain view during a lawful search
Answers: A, C, E

Consent is a valid exception.

Why this answer

Option A is correct because the Fourth Amendment generally requires a warrant for searches, but an exception exists when the owner of the device voluntarily consents to the search. In digital forensics, consent must be knowing, intelligent, and voluntary, and it can be revoked at any time. This exception is commonly applied when a suspect agrees to a forensic examination of their computer or mobile device without a court order.

Exam trap

EC-Council often tests the misconception that encryption or a minor's status automatically creates a warrant exception, when in fact neither condition alone satisfies the Fourth Amendment's requirements for a warrantless search.

131
MCQ · easy

A security analyst arrives at a crime scene where a computer is turned on and the screen shows a document. What is the FIRST action the analyst should take according to forensic best practices?

A. Create a forensic image of the hard drive using a write blocker.
B. Open the Task Manager to check for suspicious processes.
C. Immediately unplug the power cord to preserve volatile data.
D. Photograph the screen and surroundings, then proceed to document the scene.
Answer: D

Photographing and documenting the scene is the initial step to capture the current state.

Why this answer

Option D is correct because the first priority at a live crime scene is to preserve the state of the system and its environment through documentation. Photographing the screen and surroundings captures volatile data (e.g., open documents, running processes, network connections) before any interaction alters the system. This aligns with the order of volatility and the principle of minimizing changes to the evidence.

Exam trap

EC-Council often tests the misconception that preserving volatile data means immediately pulling the plug, when in fact the correct first step is to document the live state to avoid destroying evidence that cannot be recovered.

How to eliminate wrong answers

Option A is wrong because creating a forensic image with a write blocker is a later step after documenting the live state; connecting a write blocker or imaging tool could modify the system’s memory or storage. Option B is wrong because opening Task Manager alters the system state (e.g., changes process metadata, modifies memory) and may destroy volatile evidence like running processes or network connections. Option C is wrong because immediately unplugging the power cord destroys volatile data (RAM, network connections, process lists) and can cause file system corruption or loss of encryption keys, violating the order of volatility.

132
MCQ · medium

An organization receives a litigation hold notice regarding an ongoing lawsuit. The IT department is instructed to preserve all relevant electronic data. Which of the following actions should be taken FIRST to comply with the legal hold?

A. Delete all data that is not relevant to the lawsuit to reduce storage.
B. Immediately preserve all potentially relevant data, including backups and archives, and suspend automatic deletion policies.
C. Notify all employees to ignore the hold and continue normal operations.
D. Conduct a forensic analysis of the data to determine relevance before preservation.
Answer: B

Preserving data is the first step to comply with the legal hold.

Why this answer

Option B is correct because the first step in responding to a litigation hold is to immediately preserve all potentially relevant data, including backups and archives, and suspend any automatic deletion or rotation policies. This ensures that no spoliation of evidence occurs, which could lead to legal sanctions. The preservation order must be broad to cover all data that might be relevant, as determining exact relevance comes later in the e-discovery process.

Exam trap

Cisco often tests the misconception that you can first analyze data to determine relevance before preserving it, but in legal hold scenarios, the correct order is always preserve first, then analyze, to avoid any risk of spoliation.

How to eliminate wrong answers

Option A is wrong because deleting data, even if believed to be irrelevant, risks destroying potentially relevant evidence and violates the duty to preserve, which can result in severe legal penalties for spoliation. Option C is wrong because notifying employees to ignore the hold and continue normal operations directly contradicts the legal hold requirement and would likely lead to the destruction of relevant data through routine operations. Option D is wrong because conducting a forensic analysis to determine relevance before preservation is premature and risky; the priority is to freeze the data in place to prevent any alteration or loss, with analysis performed only after a proper preservation hold is in place.

133
MCQ · easy

Which type of evidence is based on information that is not directly from an eyewitness but is reported by someone else?

A. Direct evidence
B. Circumstantial evidence
C. Best evidence
D. Hearsay evidence
Answer: D

Hearsay is an out-of-court statement offered to prove the truth of the matter asserted.

Why this answer

Hearsay evidence is defined as a statement made outside of court that is presented to prove the truth of the matter asserted. In digital forensics, this applies when a witness testifies about what another person said regarding an event, rather than recounting their own direct observation. The CHFI exam categorizes this under evidence types because it is not based on the witness's firsthand knowledge, making it generally inadmissible unless an exception applies.

Exam trap

EC-Council often tests the distinction between hearsay and circumstantial evidence, where candidates mistakenly choose circumstantial because they think any indirect information is circumstantial, but the key differentiator is that hearsay specifically involves a secondhand statement, not an inference from physical evidence.

How to eliminate wrong answers

Option A is wrong because direct evidence is based on firsthand observation or direct knowledge, such as an eyewitness account or a log file that directly records an event, not a report from someone else. Option B is wrong because circumstantial evidence relies on inference to connect a fact to a conclusion, such as a fingerprint at a crime scene, but it does not involve a secondhand report of an event. Option C is wrong because best evidence refers to the original source of evidence (e.g., the original hard drive or document) rather than a copy, and it is a rule of admissibility, not a category based on how the information is obtained.

134
Multi-Select · easy

Which TWO of the following are examples of circumstantial evidence in a digital forensics investigation? (Select TWO)

Select 2 answers
A. A witness testifying they saw the suspect commit the crime
B. A video recording of the suspect typing a password
C. Metadata showing a file was created on the suspect's computer during the incident timeframe
D. A signed confession from the suspect
E. Server logs showing the suspect's IP address connected at the time of the incident
Answers: C, E

Metadata alone does not prove the suspect created the file; it's circumstantial.

Why this answer

Option C is correct because metadata, such as file system timestamps (e.g., $STANDARD_INFORMATION and $FILE_NAME attributes in NTFS), provides indirect evidence that a file was created during the incident timeframe. This does not directly prove the suspect's actions but supports an inference of involvement, which is the hallmark of circumstantial evidence.

Exam trap

EC-Council often tests the distinction between direct and circumstantial evidence by presenting seemingly conclusive items (like a video or confession) as traps, leading candidates to overlook that circumstantial evidence requires inference, not direct observation.

135
MCQ · medium

A forensic analyst is preparing to acquire an image from a suspect's hard drive. The analyst connects the drive to a write blocker, then uses FTK Imager to create a forensic image. Which hashing algorithm is commonly used by FTK Imager to verify image integrity?

A. AES
B. RSA
C. Blowfish
D. MD5
Answer: D

MD5 is a hash function commonly used by FTK Imager to verify that the image is identical to the source.

Why this answer

FTK Imager commonly uses MD5 and SHA-1 to verify integrity; MD5 is a standard option.

136
Multi-Select · easy

Which TWO of the following are types of write blockers used in forensic imaging? (Select two.)

Select 2 answers
A. Encryption write blocker
B. Network write blocker
C. Hash write blocker
D. Hardware write blocker
E. Software write blocker
Answers: D, E

Hardware write blockers are physical devices.

Why this answer

Hardware write blockers (Option D) are physical devices that sit between the suspect drive and the forensic workstation, intercepting and blocking any write commands at the SATA/IDE/USB bus level. They ensure that no data is altered on the source drive during imaging by electrically or mechanically preventing write signals from reaching the drive.

Exam trap

EC-Council often tests the distinction between integrity verification (hashing) and write prevention, leading candidates to mistakenly select 'Hash write blocker' as a valid type.

137
Multi-Select · easy

Which TWO of the following are types of evidence recognized in legal proceedings? (Select two.)

Select 2 answers
A. Corroborative evidence
B. Direct evidence
C. Demonstrative evidence
D. Circumstantial evidence
E. Primary evidence
Answers: B, D

Direct evidence proves a fact directly, e.g., eyewitness testimony.

Why this answer

Direct evidence (B) is recognized because it directly proves a fact without requiring any inference, such as a witness testifying they saw the defendant commit the crime. Circumstantial evidence (D) is also recognized as it relies on inference to connect a fact to a conclusion, like a log file showing a user logged in at the time of an incident. Both are admissible in legal proceedings under the Federal Rules of Evidence (FRE) and similar frameworks.

Exam trap

EC-Council often tests the misconception that 'corroborative evidence' or 'demonstrative evidence' are primary legal categories, when in fact they are subcategories or procedural tools, not the two fundamental types recognized in court (direct and circumstantial).

138
MCQ · medium

During an investigation, an analyst creates a forensic image of a hard drive using FTK Imager and computes the MD5 hash of the image. Later, the hash is re-computed and found to match. What does this confirm?

A. The image is an exact copy and has not been altered
B. FTK Imager is a valid forensic tool
C. The original hard drive is free of malware
D. The image was acquired without using a write blocker
Answer: A

Correct. Hashing verifies integrity.

Why this answer

A matching MD5 hash confirms that the forensic image is bit-for-bit identical to the original drive at the time of acquisition and has not been modified since. MD5 is a cryptographic hash function that produces a 128-bit digest; any change to the image, even a single bit, would produce a completely different hash. This integrity verification is a foundational step in the forensic process to ensure the evidence is admissible and untampered.

Exam trap

EC-Council often tests the distinction between integrity verification (hash matching) and other forensic steps like tool validation, malware detection, or acquisition methodology, leading candidates to conflate hash matching with broader forensic guarantees.

How to eliminate wrong answers

Option B is wrong because a hash match does not validate the tool itself; FTK Imager's validity as a forensic tool is established through testing, certification, and peer review, not by a hash comparison. Option C is wrong because a hash match only verifies the integrity of the image, not the contents of the original drive; malware could still be present on the original drive or in the image. Option D is wrong because the use of a write blocker is a separate procedural requirement to prevent alteration of the source drive during acquisition; a matching hash does not confirm whether a write blocker was used or not.

139
MCQ · medium

Which type of evidence is a witness's statement that they saw someone log into a computer?

A. Hearsay evidence
B. Best evidence
C. Circumstantial evidence
D. Direct evidence
Answer: D

Correct. The witness directly observed the act.

Why this answer

Direct evidence is testimony or other proof that directly proves a fact without requiring any inference. A witness's statement that they saw someone log into a computer is direct evidence because it is based on the witness's firsthand observation of the act itself, not on any deduction or assumption. In digital forensics, direct evidence can include eyewitness accounts of specific actions on a system, such as entering credentials or accessing files.

Exam trap

EC-Council often tests the distinction between direct and circumstantial evidence by presenting a scenario where a witness sees a result (e.g., a screen displaying a file) and candidates mistakenly classify it as direct evidence of the action (e.g., file access) when it is actually circumstantial evidence requiring an inference.

How to eliminate wrong answers

Option A is wrong because hearsay evidence is an out-of-court statement offered to prove the truth of the matter asserted, and a witness's firsthand observation of a login is not hearsay—it is a statement based on personal knowledge, not a secondhand report. Option B is wrong because best evidence refers to the original document or recording (e.g., the actual log file) rather than a witness's testimony; the best evidence rule typically applies to writings, recordings, or photographs, not to live testimony about an observed event. Option C is wrong because circumstantial evidence requires an inference to connect it to a fact (e.g., finding a log entry at a certain time implies someone logged in), whereas the witness directly observed the login, so no inference is needed.

140
MCQ · medium

A forensic examiner needs to create a bit-for-bit copy of a suspect's hard drive for analysis. Which tool is specifically designed for this purpose and can also verify integrity using hashing?

A. Wireshark
B. Metasploit
C. Nmap
D. dd
Answer: D

dd creates raw bit-for-bit images and can be used with hashing.

Why this answer

dd is a Unix/Linux command-line tool that creates sector-by-sector copies (forensic images), and its variant dcfldd adds on-the-fly hashing. FTK Imager and EnCase also create forensic images.

141
Multi-Select · easy

Which TWO of the following are common hashing algorithms used to verify the integrity of forensic images? (Select two.)

Select 2 answers
A. AES
B. SHA-1
C. Blowfish
D. RSA
E. MD5
Answers: B, E

SHA-1 is widely used in forensics.

Why this answer

MD5 and SHA-1 are widely used hash functions for integrity verification in digital forensics. SHA-256 is also used, though it is less common in legacy tooling and older case workflows.

142
Multi-Select · medium

Which TWO of the following are requirements for evidence to be admissible in court? (Select two.)

Select 2 answers
A. Evidence must be reliable
B. Evidence must be encrypted
C. Evidence must be stored on a write-blocked drive
D. Evidence must be obtained by the police
E. Evidence must be relevant
Answers: A, E

Reliability is crucial for admissibility.

Why this answer

The rules of evidence require that evidence be admissible, reliable, complete, and authentic. In many jurisdictions, evidence must be relevant and reliable to be admissible. Completeness and authenticity are also key.

143
MCQ · easy

During the first response to a computer incident, which of the following actions is MOST critical for preserving evidence?

A. Run antivirus software to remove any malware
B. Disconnect the power to prevent data alteration
C. Photograph the scene including all visible cables and connections
D. Immediately boot the system to verify it is operational
Answer: C

This preserves the initial state as evidence.

Why this answer

Option C is correct because photographing the scene, including all visible cables and connections, is the most critical first step in preserving the chain of custody and documenting the exact physical state of the system before any changes occur. This visual record captures port assignments, device connections, and cable orientations that could be altered by subsequent actions, ensuring that the original configuration is preserved for forensic analysis. Without this documentation, later evidence of network topology or peripheral involvement may be lost or disputed.

Exam trap

Cisco often tests the misconception that immediately disconnecting power (Option B) is the safest action, but the trap is that this destroys volatile evidence and may cause unintended writes, whereas photographing the scene is the least intrusive and most defensible first step for preserving the physical state of evidence.

How to eliminate wrong answers

Option A is wrong because running antivirus software modifies the system by scanning, quarantining, or deleting files, which alters the original data and violates forensic integrity principles (e.g., overwriting slack space or modifying timestamps). Option B is wrong because disconnecting power on a running system can cause loss of volatile data (e.g., RAM contents, open network connections, process lists) and may trigger write operations during shutdown, potentially corrupting evidence. Option D is wrong because immediately booting the system writes new data to the disk (e.g., log files, temporary files, registry changes) and overwrites unallocated space, destroying potential evidence and violating the 'do not modify the original' forensic rule.

144
MCQ · hard

A forensic analyst is preparing to testify as an expert witness in court. Which of the following characteristics is MOST essential for the court to accept the analyst's testimony?

A. The analyst's methods are generally accepted in the forensic community
B. The analyst has direct knowledge of the case
C. The analyst has a certification in computer forensics
D. The analyst is employed by the prosecution
Answer: A

Daubert standard requires reliable methods generally accepted.

Why this answer

The court's acceptance of expert testimony hinges on the reliability and validity of the methods used, not the analyst's personal involvement or credentials. Under the Daubert standard (or Frye standard in some jurisdictions), the key factor is whether the forensic methods have been subjected to peer review, are generally accepted within the relevant scientific community, and have a known error rate. This ensures the testimony is based on sound scientific principles, not just the analyst's qualifications or role in the case.

Exam trap

EC-Council often tests the distinction between an expert witness and a fact witness, trapping candidates who think direct knowledge or employment status is the primary criterion for expert testimony admissibility.

How to eliminate wrong answers

Option B is wrong because direct knowledge of the case is a requirement for a fact witness, not an expert witness; an expert witness can testify based on hypotheticals or analysis of evidence provided by others, and their testimony is evaluated on methodology, not firsthand involvement. Option C is wrong because while a certification (e.g., CHFI, EnCE) can bolster credibility, it is not a legal prerequisite for admissibility; the court focuses on the reliability of the methods and the analyst's demonstrated expertise, which can be established through experience, training, or education without a specific certification. Option D is wrong because employment by the prosecution does not automatically qualify an analyst as an expert; in fact, it may raise concerns about bias, and the court must independently assess the methodology's acceptance in the forensic community regardless of which party retains the analyst.

145
MCQ · hard

During a forensic examination, an analyst uses the command 'dcfldd if=/dev/sda of=image.dd hash=sha256 hashlog=hash.txt'. What is the primary purpose of including 'hash=sha256' in this command?

A. To split the image into multiple files named with SHA-256 checksums
B. To compute a SHA-256 hash of the input drive and log it to a file for integrity verification
C. To encrypt the output image file using SHA-256
D. To compress the image using SHA-256 compression algorithm
Answer: B

The hash is computed during imaging and logged, allowing later verification that the image matches the original.

Why this answer

Option B is correct because the `hash=sha256` parameter in `dcfldd` instructs the tool to compute a SHA-256 hash of the input device (`/dev/sda`) during the acquisition process. This hash is then logged to the file specified by `hashlog=hash.txt`, providing a verifiable integrity check that the forensic image matches the original source. This is a standard forensic practice to ensure the image has not been altered or corrupted.

Exam trap

The trap here is that candidates confuse hashing with encryption or compression, assuming that `hash=sha256` might secure or shrink the output, when in fact it only generates a fixed-length digest for integrity verification.

How to eliminate wrong answers

Option A is wrong because `dcfldd` uses the `split=` parameter (e.g., `split=2G`) to split an image into multiple files, not the `hash=` parameter, which is solely for hash computation. Option C is wrong because SHA-256 is a cryptographic hash function, not an encryption algorithm; it produces a fixed-size digest, not ciphertext, and cannot encrypt files. Option D is wrong because SHA-256 is a hash function, not a compression algorithm; compression in `dcfldd` is not supported natively, and SHA-256 does not reduce file size.

146
Multi-Select · hard

Which THREE of the following correctly describe the rules of evidence as applied to digital forensics? (Select three.)

Select 3 answers
A. Evidence must be relevant to the case and obtained through lawful means
B. Circumstantial evidence is not allowed in digital forensics cases
C. Hearsay evidence is always inadmissible in court
D. The evidence must be complete and not misleading
E. Evidence must be authentic and its integrity must be verifiable
Answers: A, D, E

Relevance and lawful acquisition are fundamental.

Why this answer

Option A is correct because evidence must be relevant to the case and obtained through lawful means. In digital forensics, this aligns with the legal principle of relevance under the Federal Rules of Evidence (FRE 401) and the requirement that evidence be obtained via a lawful search warrant or consent, otherwise it may be suppressed under the exclusionary rule (e.g., Fourth Amendment violations).

Exam trap

Cisco often tests the misconception that hearsay evidence is always inadmissible, but in digital forensics, server logs and automated records frequently qualify under hearsay exceptions, making Option C a trap for those who do not know the exceptions.

147
MCQ · medium

A forensic analyst is examining a hard drive that was seized from a suspect's home. The analyst uses FTK Imager to create a forensic image. After imaging, the analyst computes the MD5 hash of the image and compares it to the hash computed at the scene. The hashes match. What does this confirm?

A. The file system is intact and readable
B. The image is an exact bit-for-bit copy of the original drive
C. The drive contains malware
D. The drive was not encrypted
Answer: B

Hash matching verifies data integrity.

Why this answer

B is correct because a matching MD5 hash between the image and the original drive confirms that the forensic image is an exact bit-for-bit copy. Hashing algorithms like MD5 produce a unique fixed-size hash value based on the binary content; if two hashes match, the data is identical with no alterations. This validates the integrity of the acquisition process, ensuring that the image is a perfect forensic duplicate.

Exam trap

EC-Council often tests the misconception that a matching hash confirms the drive is readable or free from issues like encryption or malware, when in fact it only confirms bit-for-bit integrity of the acquired image.

How to eliminate wrong answers

Option A is wrong because a matching hash only verifies data integrity, not file system health; a corrupted file system can still produce an identical hash if the corruption existed on the original drive. Option C is wrong because hash matching has no bearing on the presence of malware; malware can be present on both the original and the image without affecting the hash match. Option D is wrong because encryption does not affect the hash comparison; an encrypted drive will produce a hash of the encrypted data, and a matching hash only confirms the image is a copy of that encrypted state.

148
MCQ · easy

Which US Constitutional amendment primarily governs the legality of searching and seizing digital devices?

A. Fifth Amendment
B. Fourth Amendment
C. Fourteenth Amendment
D. First Amendment
Answer: B

The Fourth Amendment protects against unreasonable searches and seizures.

Why this answer

The Fourth Amendment protects against unreasonable searches and seizures, requiring law enforcement to obtain a warrant based on probable cause before searching or seizing digital devices. This directly governs the legality of accessing data on computers, smartphones, and storage media in forensic investigations.

Exam trap

EC-Council often tests the misconception that the Fifth Amendment (self-incrimination) governs digital searches, but the Fourth Amendment's warrant requirement is the primary constitutional basis for seizing and searching digital devices.

How to eliminate wrong answers

Option A is wrong because the Fifth Amendment protects against self-incrimination and due process, not the legality of searches or seizures of digital devices. Option C is wrong because the Fourteenth Amendment addresses equal protection and due process at the state level, not the specific warrant requirements for searching digital devices. Option D is wrong because the First Amendment protects freedom of speech, religion, press, and assembly, and has no bearing on search and seizure law for digital evidence.

149
Multi-Select · hard

Which THREE of the following are rules of evidence that must be satisfied for digital evidence to be admissible in court? (Select THREE.)

Select 3 answers
A. Simplicity
B. Admissibility
C. Authenticity
D. Encryption
E. Completeness
Answers: B, C, E

Evidence must be legally allowed in court.

Why this answer

Admissibility requires that evidence be relevant (admissible), reliable (authentic), and complete (not partial).

150
MCQ · hard

A forensic investigator uses FTK Imager to create a forensic image of a suspect's laptop. The acquisition generates both an E01 file and a corresponding hash file. Which statement accurately describes the integrity verification process in FTK Imager?

A. The hash is computed only when the image is mounted for analysis, not during acquisition
B. FTK Imager does not support hash verification; a separate tool must be used
C. The hash is compared to a known-good hash from the manufacturer's database
D. The image file includes embedded hash values that can be verified later to ensure data integrity
Answer: D

E01 files contain CRC checksums and hash values that allow verification of integrity without the original drive.

Why this answer

Option D is correct because FTK Imager embeds hash values (MD5 and SHA1) directly into the E01 file during acquisition. These embedded hashes can be verified later by FTK Imager or compatible tools to confirm that the image has not been altered, ensuring data integrity without relying on an external hash file.

Exam trap

The trap here is that candidates often assume hash verification requires an external file or separate tool, but FTK Imager embeds the hash directly in the E01 file, making verification a built-in feature that does not rely on external databases or post-acquisition computation.

How to eliminate wrong answers

Option A is wrong because FTK Imager computes the hash during acquisition, not when the image is mounted for analysis; the hash is calculated in real-time as data is read from the source. Option B is wrong because FTK Imager fully supports hash verification; it can verify the embedded hash against the acquired data and also allows verification of separate hash files (e.g., .txt or .md5). Option C is wrong because FTK Imager does not compare hashes to a manufacturer's database; it compares the computed hash of the acquired image to the hash value embedded in the E01 file or provided separately, ensuring the image matches the original source.
