CCNA Mobile and Malware Forensics Questions

75 of 164 questions · Page 2/3 · Mobile and Malware Forensics · Answers revealed

76
MCQmedium

A malware analyst runs a suspicious executable in Cuckoo Sandbox. The report shows that the process created a mutex named 'Global\MyMalwareMutex'. What is the significance of this mutex?

A.It is used to communicate with a remote command and control server
B.It prevents multiple instances of the malware from running simultaneously
C.It indicates the malware is packed with UPX
D.It stores encrypted configuration data
AnswerB

A mutex ensures only one instance of the malware runs to avoid conflicts.

Why this answer

The mutex named 'Global\MyMalwareMutex' is a named synchronization object used by the malware to ensure only one instance of its process runs at a time. This prevents conflicts in operations like file writing or network communication that could occur if multiple copies executed simultaneously. In Cuckoo Sandbox, detecting such a mutex is a common indicator of single-instance malware behavior.

Exam trap

EC-Council often tests the misconception that any named object with 'Global' implies network or cross-system communication, but in Windows, 'Global\' simply refers to the kernel object namespace accessible to all sessions on the same machine.

How to eliminate wrong answers

Option A is wrong because mutexes are local synchronization primitives within the Windows kernel, not network communication channels; C2 communication typically uses sockets, HTTP, or DNS. Option C is wrong because UPX packing is detected by analyzing the executable's section names (e.g., 'UPX0', 'UPX1') or entropy, not by mutex creation. Option D is wrong because mutexes do not store data; they are kernel objects with a name and state (signaled/non-signaled), whereas encrypted configuration is usually stored in files, registry keys, or memory.

77
MCQeasy

During a mobile forensic examination of an iPhone, the examiner wants to acquire the most data possible, including deleted files and unallocated space. Which acquisition type should be used?

A.File system acquisition
B.Logical acquisition
C.Physical acquisition
D.Manual acquisition
AnswerC

Physical acquisition creates a bit-for-bit image of the device's storage, including deleted and unallocated areas.

Why this answer

Physical acquisition creates a bit-for-bit copy of the entire flash storage, including unallocated space and deleted file remnants. This is the only method that captures the raw NAND memory, allowing recovery of data from unallocated blocks and slack space that logical and file system acquisitions skip.

Exam trap

Cisco often tests the misconception that logical acquisition (Option B) captures deleted data because it includes the iTunes backup, but backups exclude unallocated space and deleted file remnants.

How to eliminate wrong answers

Option A is wrong because file system acquisition only retrieves allocated files and metadata visible to the operating system, ignoring unallocated space and deleted data. Option B is wrong because logical acquisition extracts files and directories via the iOS API (e.g., iTunes backup), which excludes unallocated space and deleted file remnants. Option D is wrong because manual acquisition involves physically interacting with the device screen to capture visible data, providing no access to the underlying storage or deleted content.

78
Multi-Selectmedium

During a mobile forensics investigation of an Android device, the examiner finds that the user's Google account data is stored locally. Which TWO of the following artefacts are typically stored in the device's /data/system/ or /data/data/ directories related to Google account information?

Select 2 answers
A.accounts.db
B.GoogleLoginService.java
C.contacts.db
D.SMS.db
E.GoogleLoginService accounts and tokens
AnswersA, E

Accounts.db contains account credentials and sync settings.

Why this answer

The accounts.db file in /data/system/ is the SQLite database that stores all Google account credentials, including email addresses and authentication tokens used by the Android Account Manager. This is a primary artifact for identifying which Google accounts were configured on the device and their sync status.

Exam trap

EC-Council often tests the distinction between source code files (like .java) and compiled runtime artifacts, leading candidates to confuse AOSP source code with actual device-stored data.

79
MCQmedium

A forensic examiner is analyzing an Android device that has been factory reset. Which artefact is MOST likely to persist after a factory reset, providing potential evidence of prior usage?

A.Google account artefacts
B.App installation logs
C.Deleted SMS messages
D.Wi-Fi passwords
AnswerA

Google account credentials may be stored in the Google backup and could be restored after reset, or remnants may exist in the cloud.

Why this answer

Google account artefacts, such as the Google Services Framework (GSF) ID and the device's Google Account (GAIA) ID, are stored in the /data/system/ partition and are often retained even after a factory reset because the reset does not always wipe the cryptographic keys or the persistent data blocks used by Google's sync services. This allows forensic tools to recover the previously synced account details, providing evidence of prior usage.

Exam trap

The trap here is that candidates assume a factory reset wipes all user data completely, but EC-Council often tests the nuance that certain system-level identifiers like Google account artefacts persist because they are stored in areas not fully erased by a standard reset, unlike user-generated data such as SMS or Wi-Fi passwords.

How to eliminate wrong answers

Option B is wrong because app installation logs are stored in /data/log/ or /data/system/packages.xml, which are cleared during a factory reset that reformats the /data partition, leaving no persistent trace. Option C is wrong because deleted SMS messages reside in the /data/data/com.android.providers.telephony/databases/mmssms.db file, which is fully wiped when the /data partition is reformatted during a factory reset, and they are not backed up to Google servers by default. Option D is wrong because Wi-Fi passwords are stored in /data/misc/wifi/wpa_supplicant.conf, which is deleted when the /data partition is wiped, and while some devices may retain them in a separate persist partition, a standard factory reset removes them.

80
Multi-Selectmedium

A forensic analyst is examining an iOS device backup and wants to extract call history records. Which SQLite databases and/or files contain relevant call history data? (Select TWO.)

Select 2 answers
A.Notes.sqlite
B.SMS.db
C.AddressBook.db
D.Calendar.sqlite
E.call_history.db
AnswersC, E

Contains contact names and phone numbers that can be correlated with call records.

Why this answer

Option C is correct because the AddressBook.db (or Contacts.sqlitedb on newer iOS versions) stores contact information, and call history records are linked to contacts via the `call_history.db` file. The `call_history.db` database contains the actual call log entries, including timestamps, durations, and associated contact identifiers. Together, these two databases allow an analyst to reconstruct call history with contact names.

Exam trap

EC-Council often tests the misconception that SMS.db contains call logs because both involve communication records, but SMS.db is strictly for text messages and iMessages, not voice call history.

81
MCQhard

An analyst suspects a Windows executable is packed. They run `strings` on the file and see few readable strings, and PEiD reports 'UPX 0.89.6 - 1.02 / 1.05 - 1.24'. Which static analysis technique should the analyst use NEXT to extract the original code?

A.Use UPX with the -d flag to decompress the executable
B.Search for known YARA rules matching UPX
C.Run the executable in Cuckoo Sandbox to obtain dynamic analysis
D.Load the file into IDA Pro and attempt to disassemble directly
AnswerA

UPX can decompress its own packed files. Running `upx -d file.exe` will restore the original code for further analysis.

Why this answer

Option A is correct because UPX (Ultimate Packer for Executables) is a common packer that compresses Windows executables. The PEiD output 'UPX 0.89.6 - 1.02 / 1.05 - 1.24' confirms the file is packed with UPX. Running `upx -d` (decompress) reverses the packing, restoring the original executable code for static analysis.

This is the standard next step before attempting disassembly or dynamic analysis.

Exam trap

Cisco often tests the distinction between detection (YARA), dynamic analysis (sandbox), and direct disassembly (IDA) versus the correct unpacking step, trapping candidates who think any analysis tool can handle packed files without prior decompression.

How to eliminate wrong answers

Option B is wrong because searching for YARA rules matching UPX would only confirm the packer's presence, not extract the original code; it's a detection step, not a decompression technique. Option C is wrong because running the executable in Cuckoo Sandbox is dynamic analysis, which risks executing potentially malicious code and does not directly extract the original packed code for static analysis. Option D is wrong because loading a UPX-packed executable directly into IDA Pro results in disassembly of the UPX stub, not the original program code; the stub must be decompressed first.

82
Multi-Selecthard

A security team is investigating a suspected Advanced Persistent Threat (APT) intrusion. They have identified several IoCs. Which THREE of the following are considered standard types of Indicators of Compromise?

Select 3 answers
A.Employee badge number
B.IP address of a command and control server
C.MD5 hash of a malicious executable
D.Registry key path used for persistence
E.Email subject line from a phishing campaign
AnswersB, C, D

IP addresses are common network-based IoCs.

Why this answer

Option B is correct because IP addresses of command and control (C2) servers are a standard type of Indicator of Compromise (IoC). They represent network-based IoCs that allow defenders to identify and block communication between compromised hosts and attacker-controlled infrastructure, often used in conjunction with firewall logs or DNS queries.

Exam trap

EC-Council often tests the distinction between technical IoCs (like IP addresses, hashes, registry keys) and non-technical or variable indicators (like employee IDs or email subject lines), trapping candidates who confuse phishing campaign metadata with standard forensic IoCs.

83
MCQeasy

During a mobile forensic investigation of an iPhone, the examiner extracts data using a physical acquisition method. Which of the following BEST describes the level of data recovery achieved by this method?

A.It recovers the file system but not deleted files
B.It extracts data via the user interface by manually interacting with the device
C.It recovers only logical files visible to the operating system
D.It creates a bit-for-bit copy of the entire flash memory, including deleted files and unallocated space
AnswerD

This defines physical acquisition.

Why this answer

Physical acquisition creates a bit-for-bit copy of the entire flash memory, including deleted files and unallocated space, providing the most complete data recovery.

84
MCQeasy

A forensic investigator needs to analyze the keychain data from an iOS device backup. Which tool is specifically designed to decrypt and display iOS keychain contents?

A.Elcomsoft Phone Breaker
B.Cellebrite UFED
C.Oxygen Forensic Detective
D.Magnet AXIOM
AnswerA

Elcomsoft Phone Breaker can decrypt iOS backups and keychain items, including passwords and tokens.

Why this answer

Elcomsoft Phone Breaker is specifically designed to decrypt and display iOS keychain contents from backups, including passwords, tokens, and cryptographic keys. It leverages techniques such as brute-force, dictionary attacks, and GPU acceleration to recover the backup password, then extracts and decrypts the keychain data using iOS's Keychain Services API.

Exam trap

Cisco often tests the misconception that general-purpose forensic tools like Cellebrite UFED or Magnet AXIOM can decrypt iOS keychain natively, when in fact only specialized tools like Elcomsoft Phone Breaker are designed for that specific task.

How to eliminate wrong answers

Option B (Cellebrite UFED) is wrong because it is a physical extraction and analysis tool for mobile devices, not specialized in decrypting iOS keychain data; it focuses on file system and logical extractions. Option C (Oxygen Forensic Detective) is wrong because it is a comprehensive forensic platform for mobile and cloud data, but it does not have native keychain decryption capabilities; it relies on third-party tools or manual extraction. Option D (Magnet AXIOM) is wrong because it is a digital forensic platform that processes artifacts from multiple sources, but it does not include a dedicated iOS keychain decryptor; it may import keychain data but cannot decrypt it natively.

85
MCQhard

During an iOS forensic examination of an iCloud backup, an analyst finds that the SQLite database files for the Health app are encrypted. Which component is MOST likely responsible for encrypting this data, and what is required to decrypt it?

A.The data is encrypted with the device's hardware UID; decryption is impossible without Apple's assistance.
B.The data is encrypted using Apple's FileVault; decryption requires the user's iCloud password.
C.The data is encrypted using SQLCipher; decryption requires a 256-bit key stored in the Keychain.
D.The data is protected by iOS Data Protection using a key derived from the device passcode; decryption requires the passcode or a forensic bypass tool.
AnswerD

Health data is protected by Data Protection, requiring the passcode for decryption.

Why this answer

Option D is correct because iOS Health app data is protected by iOS Data Protection, which uses a class key derived from the user's device passcode. This key encrypts the SQLite database files in iCloud backups, and decryption requires either the passcode or a forensic bypass tool that can extract the key from the device's Secure Enclave.

Exam trap

EC-Council often tests the distinction between device-level encryption (hardware UID) and iCloud backup encryption (passcode-derived keys), and the trap here is confusing SQLCipher (a third-party tool) with Apple's proprietary iOS Data Protection framework.

How to eliminate wrong answers

Option A is wrong because the hardware UID is used for device-level encryption of files on the local device, not for iCloud backup encryption; iCloud backups use a different key hierarchy involving the user's iCloud account and passcode. Option B is wrong because FileVault is a macOS full-disk encryption technology, not used on iOS or for iCloud backup encryption. Option C is wrong because SQLCipher is a third-party encryption library that apps can use, but Apple's Health app uses iOS Data Protection (Apple's built-in encryption framework), not SQLCipher; the key is derived from the passcode and stored in the Secure Enclave, not in the Keychain as a 256-bit key.

86
MCQmedium

A security analyst is reviewing output from a Cuckoo Sandbox analysis of a suspicious executable. The report shows that the process created a mutex named 'Global\GLOBAL_MUTEX_123' and modified the registry key HKCU\Software\Microsoft\Windows\CurrentVersion\Run\. Which behavioral indicator is MOST evident?

A.Command and control communication
B.Persistence mechanism
C.Anti-debugging technique
D.Privilege escalation
AnswerB

The 'Run' key is a common persistence location to launch malware at startup.

Why this answer

The modification of the registry key HKCU\Software\Microsoft\Windows\CurrentVersion\Run is a classic persistence mechanism. This key is automatically processed by Windows Explorer at user logon, causing any executable listed there to run. Combined with the mutex creation (which prevents multiple instances), the behavioral indicator is clearly an attempt to establish persistence on the host.

Exam trap

EC-Council often tests the distinction between user-level persistence (HKCU Run) and system-level persistence (HKLM Run or services), and candidates may confuse the registry modification with privilege escalation or C2 activity because they see 'Run' and assume it implies higher privileges or network communication.

How to eliminate wrong answers

Option A is wrong because command and control communication typically involves network indicators such as DNS queries, HTTP/S connections to external IPs, or beaconing patterns, not registry modifications or mutex creation. Option C is wrong because anti-debugging techniques usually involve checking for the presence of a debugger via API calls like IsDebuggerPresent, NtQueryInformationProcess, or timing checks, not creating a mutex or writing to Run keys. Option D is wrong because privilege escalation involves gaining higher-level access rights, often via token manipulation, service exploitation, or UAC bypass; modifying the current user's Run key does not elevate privileges—it only runs code at the existing user's privilege level.

87
MCQmedium

A forensic examiner uses Oxygen Forensic Detective to acquire data from an Android device. The tool reports that it performed a 'full file system' extraction. Which of the following is a prerequisite for this type of extraction?

A.The bootloader must be unlocked
B.The device must be rooted
C.The device must be in recovery mode
D.USB debugging must be enabled
AnswerB

Root access is necessary to read the full file system, including app data and system partitions.

Why this answer

A full file system extraction in Oxygen Forensic Detective requires root access on the Android device because the tool must bypass the Linux kernel's permission model to read protected partitions (e.g., /data, /cache). Without root privileges, the extraction is limited to the logical or file-based scope, as the Android security model restricts user-space processes from accessing raw block devices or system files owned by root.

Exam trap

EC-Council often tests the misconception that USB debugging alone enables full file system extraction, but in reality, USB debugging only provides ADB shell access with limited (shell) user privileges, not the root-level access required for raw partition imaging.

How to eliminate wrong answers

Option A is wrong because an unlocked bootloader is a prerequisite for flashing custom recovery or rooting, but it is not directly required for a full file system extraction; the extraction itself can be performed on a device with a locked bootloader if root access is already obtained. Option C is wrong because recovery mode is used for flashing firmware or performing factory resets, not for forensic extraction; Oxygen Forensic Detective typically requires the device to be booted into Android with USB debugging enabled and root access granted. Option D is wrong because USB debugging is necessary for ADB communication and logical extractions, but it alone does not grant the elevated privileges needed to read the full file system; root access is the critical prerequisite.

88
MCQmedium

An investigator extracts the SMS.db file from an iOS backup. Which table within this database would contain the actual message content for sent and received messages?

A.message
B.attachment
C.handle
D.chat
AnswerA

The message table stores the actual text and associated metadata.

Why this answer

The `message` table in iOS's SMS.db database stores the actual text content of each SMS and iMessage in its `text` column. This is the primary table queried to retrieve the body of sent and received messages, as it contains one row per message with fields like `is_from_me`, `date`, and `text`.

Exam trap

EC-Council often tests the distinction between where message content is stored versus where metadata (like attachment info or participant handles) resides, leading candidates to confuse the `chat` or `handle` tables as containing the message body.

How to eliminate wrong answers

Option B is wrong because the `attachment` table stores metadata about file attachments (e.g., file names, MIME types, transfer state), not the message text itself. Option C is wrong because the `handle` table maps phone numbers or email addresses to a unique identifier used for addressing, but does not contain message content. Option D is wrong because the `chat` table defines chat sessions (group chats, participants) and links to messages via the `chat_message_join` table, but does not hold the message body.

89
MCQeasy

A forensic analyst is examining a Windows malware sample using static analysis. Which tool is BEST suited for viewing the PE header structure, including sections, imports, and exports?

A.Strings
B.Ghidra
C.IDA Pro
D.PEiD
AnswerD

PEiD is a tool for analyzing PE files, detecting packers, and viewing header information.

Why this answer

PEiD is specifically designed to analyze PE (Portable Executable) headers, making it ideal for quickly viewing section tables, import/export tables, and detecting packers or compilers. It parses the IMAGE_NT_HEADERS structure directly, providing a concise summary of the PE layout without requiring disassembly or decompilation.

Exam trap

EC-Council often tests the distinction between a specialized PE header analysis tool (PEiD) and general-purpose reverse-engineering tools (Ghidra, IDA Pro), leading candidates to choose a more complex tool when a simpler, purpose-built one is correct.

How to eliminate wrong answers

Option A is wrong because Strings is a command-line tool that extracts readable ASCII/Unicode strings from a binary, not a PE header parser. Option B is wrong because Ghidra is a full reverse-engineering framework focused on disassembly and decompilation, not a lightweight PE header viewer. Option C is wrong because IDA Pro is a disassembler/debugger that can show PE headers but is overkill for this specific task and not the best tool for a quick header inspection.

90
MCQeasy

In Android forensics, which of the following acquisition methods provides the most complete and forensically sound image of the device's internal storage?

A.Manual extraction through the user interface
B.Logical extraction via ADB
C.File system extraction
D.Physical extraction using a JTAG or chip-off technique
AnswerD

Physical extraction captures the entire flash memory, including deleted files and unallocated space.

Why this answer

Physical extraction using a JTAG or chip-off technique provides the most complete and forensically sound image because it accesses the raw NAND flash memory at the hardware level, bypassing the operating system and any software-based restrictions. This method captures deleted data, unallocated space, and the entire file system structure, including areas not accessible via logical or file system extractions, ensuring a bit-for-bit copy of the internal storage.

Exam trap

EC-Council often tests the misconception that logical extraction via ADB is sufficient for a complete forensic image, but candidates must recognize that only physical methods (JTAG/chip-off) capture the entire raw storage, including deleted and hidden data.

How to eliminate wrong answers

Option A is wrong because manual extraction through the user interface only captures data visible to the user through the device's screen and does not access underlying file systems, deleted data, or unallocated space, making it highly incomplete and not forensically sound. Option B is wrong because logical extraction via ADB (Android Debug Bridge) uses the Android operating system's APIs to retrieve only active files and directories, missing deleted data, slack space, and low-level system partitions. Option C is wrong because file system extraction, while more thorough than logical extraction, still relies on the device's kernel to parse the file system and cannot recover data from unallocated blocks or areas outside the mounted file system, unlike physical extraction.

91
MCQmedium

During dynamic analysis of a malware sample, an analyst uses Process Monitor to capture registry and file system activity. Which filter would be MOST effective in identifying attempts to create a persistence mechanism?

A.Filter for 'WriteFile' events in System32
B.Filter for 'RegSetValue' events with path containing 'CurrentVersion\Run'
C.Filter for 'Process Create' events
D.Filter for 'RegSetValue' events with path containing 'RunOnce'
AnswerB

This captures modifications to common autorun locations, indicating persistence.

Why this answer

The 'CurrentVersion\Run' registry key is a standard persistence location where malware adds entries to execute automatically at user logon. Filtering for 'RegSetValue' events targeting this path directly captures the act of writing a new value to that key, which is a common persistence mechanism. Process Monitor's 'RegSetValue' operation specifically monitors registry value modifications, making it the most effective filter for this purpose.

Exam trap

The trap here is that candidates confuse 'RunOnce' with 'Run' — 'RunOnce' is for one-time execution and is less common for persistent malware, while 'CurrentVersion\Run' is the standard persistence key tested in CHFI.

How to eliminate wrong answers

Option A is wrong because 'WriteFile' events in System32 capture file write operations, not registry modifications, and while malware may drop files there, it does not directly indicate persistence creation. Option C is wrong because 'Process Create' events show when processes are started, not how they are configured to start automatically, so they miss the registry modification that establishes persistence. Option D is wrong because 'RunOnce' keys are used for one-time execution and are less commonly used for persistent malware compared to 'CurrentVersion\Run', which ensures execution on every boot.

92
MCQmedium

A malware analyst uses Cuckoo Sandbox to analyze a sample. The report shows that the sample sends HTTP POST requests to 'http://malicious.example.com/gate.php' with encrypted data. Which type of indicator of compromise (IoC) is this?

A.Host-based IoC
B.Memory-based IoC
C.Hash-based IoC
D.Network-based IoC
AnswerD

The URL and domain are network artifacts indicating C2 communication.

Why this answer

The HTTP POST request to a remote URL with encrypted data is a classic network-based indicator because it involves communication over a network protocol (HTTP) to an external server. Cuckoo Sandbox captures this as a network artifact, making it a network-based IoC (Option D). Host-based IoCs focus on file system or registry changes, memory-based on in-RAM artifacts, and hash-based on file fingerprints.

Exam trap

EC-Council often tests the distinction between host-based and network-based IoCs by presenting a network artifact (like an HTTP request) and expecting candidates to recognize it as network-based, not host-based, even though the malware runs on the host.

How to eliminate wrong answers

Option A is wrong because host-based IoCs refer to artifacts on the local system (e.g., files created, registry keys modified, processes spawned), not outbound network traffic. Option B is wrong because memory-based IoCs involve artifacts found in RAM (e.g., injected code, API hooks, process memory dumps), not network packets. Option C is wrong because hash-based IoCs are cryptographic hashes (e.g., MD5, SHA-1, SHA-256) of files, used to identify known malware samples, not behavioral network patterns.

93
MCQeasy

During a mobile forensics investigation, an examiner needs to acquire data from an iPhone running iOS 14. Which of the following acquisition methods provides the MOST complete data extraction?

A.File system acquisition via jailbreak
B.Manual acquisition by browsing the device
C.Physical acquisition via JTAG or chip-off
D.Logical acquisition via iTunes backup
AnswerC

Physical acquisition provides a complete bit-for-bit copy of the storage, including deleted and hidden data.

Why this answer

Physical acquisition via JTAG or chip-off provides the most complete data extraction because it captures a bit-for-bit copy of the raw NAND flash memory, including deleted files, unallocated space, and system partitions that are otherwise inaccessible. On iOS 14, Apple's security features (e.g., full-disk encryption, SEP) limit logical and file system methods, but physical techniques bypass the operating system to retrieve the entire storage image, albeit with decryption challenges.

Exam trap

EC-Council often tests the misconception that jailbreak-based file system acquisition is the most complete method, but physical acquisition (JTAG/chip-off) is technically superior because it captures the entire raw storage, including areas the OS hides or encrypts.

How to eliminate wrong answers

Option A is wrong because jailbreaking iOS 14 is often not possible or reliable due to Apple's hardened security (e.g., KTRR, PAC), and even if achieved, file system acquisition still cannot access the raw physical memory or unallocated space, leaving gaps in data recovery. Option B is wrong because manual acquisition only captures visible data through the user interface, missing hidden files, metadata, and deleted content, making it the least complete method. Option D is wrong because logical acquisition via iTunes backup only retrieves files that iOS chooses to include in the backup (e.g., app data, settings), excluding system files, deleted data, and unallocated space, and it relies on the backup encryption state.

94
MCQeasy

In Android forensics, which command is used to extract a full physical image of a device's flash memory over USB using the Android Debug Bridge (ADB)?

A.adb pull /data data.img
B.adb shell dd if=/dev/block/mmcblk0 of=/sdcard/physical.img
C.adb backup -f backup.ab
D.adb install physical.img
AnswerB

dd copies the raw block device to a file, creating a physical image.

Why this answer

Option B is correct because the `adb shell dd if=/dev/block/mmcblk0 of=/sdcard/physical.img` command uses the `dd` utility to perform a bit-for-bit copy of the raw block device representing the internal flash memory (mmcblk0) to a file on the device's SD card, which can then be pulled via ADB. This method captures a full physical image, including deleted data and unallocated space, which is essential for deep forensic analysis.

Exam trap

Cisco often tests the distinction between logical acquisition (adb pull) and physical acquisition (adb shell dd), so the trap here is that candidates confuse the simple file copy command (adb pull) with the raw block-level imaging command (adb shell dd), assuming any command with 'pull' or 'backup' can produce a forensic image.

How to eliminate wrong answers

Option A is wrong because `adb pull /data data.img` only copies the logical contents of the /data partition, not a raw block-level image, and thus misses deleted files, unallocated space, and metadata from other partitions. Option C is wrong because `adb backup -f backup.ab` creates a logical backup of app data and system settings, not a physical image of flash memory; it does not capture the raw block device or unallocated space. Option D is wrong because `adb install physical.img` is used to install an APK file, not to extract an image; attempting to install a raw image file would fail or corrupt the device.

95
MCQmedium

During dynamic analysis of a malware sample in Any.run, an analyst observes that the malware writes a value to HKCU\Software\Microsoft\Windows\CurrentVersion\Run and also creates a scheduled task named 'UpdateTask'. Which anti-forensic technique is the malware MOST likely attempting to counter?

A.Packing
B.Encryption
C.Timestomping
D.Log wiping
AnswerD

Creating persistence and then cleaning up traces is a form of log wiping to hide its presence.

Why this answer

Persistence mechanisms like Run keys and scheduled tasks are often monitored by security tools. If malware attempts to delete or modify these after execution, it is trying to remove evidence of persistence, which is a form of log wiping or anti-forensics.

96
MCQhard

During a forensic examination of a Windows system infected with ransomware, the analyst finds that the file timestamps (creation, modification, access) for several critical system files have been altered to match legitimate Windows files. Which anti-forensic technique is MOST likely being used?

A.Data hiding via ADS
B.Steganography
C.Log wiping
D.Timestomping
AnswerD

Timestomping modifies file timestamps to evade forensic analysis.

Why this answer

Timestomping is the deliberate alteration of file timestamps (creation, modification, access) to mislead forensic investigators. In this scenario, the ransomware modified critical system file timestamps to match legitimate Windows files, which is the hallmark of timestomping. This technique is commonly used to evade timeline analysis and hide the true sequence of malicious activity.

Exam trap

EC-Council often tests the distinction between timestomping (altering file timestamps) and log wiping (removing event logs), so the trap here is that candidates may confuse 'log wiping' with any timestamp-related manipulation, but log wiping specifically targets event logs, not file metadata.

How to eliminate wrong answers

Option A is wrong because data hiding via Alternate Data Streams (ADS) conceals data within NTFS file streams without altering timestamps, not by modifying them to match legitimate files. Option B is wrong because steganography hides data within other files (e.g., images or audio) and does not involve changing file timestamps. Option C is wrong because log wiping targets system or application logs to remove evidence, not file metadata timestamps on the filesystem.

97
MCQeasy

An Android phone is found at a crime scene. The phone is locked with a PIN. The forensic examiner wants to extract data without bypassing the lock. Which of the following is the MOST appropriate logical acquisition method?

A.Use Cellebrite UFED to perform a file system extraction
B.Perform a physical acquisition via JTAG
C.Perform an ADB backup
D.Use ADB to pull /data/data/ directory
AnswerC

ADB backup can extract user app data if USB debugging was enabled before locking; it does not require root.

Why this answer

ADB backup (option C) is the most appropriate logical acquisition method for a locked Android phone because it uses the Android Backup protocol over ADB, which can extract application data without needing to bypass the lock screen, provided USB debugging is enabled and the device authorizes the backup. This method does not require root access or physical disassembly, making it a non-invasive logical acquisition technique.

Exam trap

EC-Council often tests the misconception that ADB pull can access /data/data/ on a locked device, but in reality, ADB pull requires root or an unlocked device, while ADB backup is a distinct protocol that can extract data without bypassing the lock screen under specific conditions.

How to eliminate wrong answers

Option A is wrong because Cellebrite UFED's file system extraction typically requires the device to be unlocked or uses exploits to bypass the lock, which contradicts the requirement of not bypassing the lock. Option B is wrong because JTAG is a physical acquisition method that involves hardware-level access and often requires disassembly or bypassing the lock, not a logical acquisition method. Option D is wrong because ADB pull of /data/data/ directory requires root access or an unlocked device to read protected app data, and on a locked phone without root, ADB cannot access that directory.

98
MCQeasy

During a mobile forensics investigation, an analyst needs to acquire data from an iPhone that cannot be bypassed via passcode. The device is locked, and the analyst has the passcode. Which acquisition method provides the MOST comprehensive data extraction?

A.Physical acquisition
B.Manual acquisition
C.Logical acquisition
D.File system acquisition
AnswerA

Physical acquisition creates a full image of the device's storage, retrieving all data including deleted files.

Why this answer

Physical acquisition is the most comprehensive method because it creates a bit-for-bit copy of the entire flash storage, including the operating system, kernel, unallocated space, and deleted file remnants. Even with the passcode known, a locked iPhone restricts file system access via USB, but physical acquisition (often using advanced techniques like JTAG or chip-off) bypasses these restrictions to extract the raw NAND data, yielding the fullest forensic picture.

Exam trap

EC-Council often tests the misconception that 'logical acquisition' or 'file system acquisition' is sufficient for locked devices, but the trap is that even with the passcode, a locked iPhone restricts file system access via USB, making physical acquisition the only method that can bypass these restrictions and capture the full storage image.

How to eliminate wrong answers

Option B (Manual acquisition) is wrong because it relies on visually navigating the device and photographing or recording the screen, which only captures visible data and cannot extract deleted files, system files, or data from locked partitions. Option C (Logical acquisition) is wrong because it only retrieves files accessible through the operating system's APIs (e.g., via iTunes backup or libimobiledevice), missing unallocated space, deleted data, and system-level artifacts. Option D (File system acquisition) is wrong because, while it provides more data than logical acquisition by accessing the file system hierarchy, it still requires the device to be unlocked and cannot capture raw NAND blocks, unallocated space, or data from protected areas like the kernel cache.

99
MCQhard

A forensic examiner is analyzing an Android device that has been factory reset. Which of the following artefacts is MOST likely to still be recoverable from the device's flash memory after a factory reset, assuming no overwrite has occurred?

A.The GUID Partition Table (GPT)
B.The device's encryption keys
C.The Android OS system files
D.User data such as photos and contacts
AnswerD

User data may be recoverable from unallocated space after a factory reset if not overwritten.

Why this answer

After a factory reset on an Android device, the operating system typically performs a 'fastboot format' or 'wipe data/factory reset' which only unmounts the userdata partition and marks its blocks as free in the ext4 or F2FS filesystem metadata. The actual user data (photos, contacts, etc.) remains physically stored in the NAND flash memory until those blocks are overwritten by new data. Because no overwrite has occurred in this scenario, the raw data is still recoverable using forensic tools that bypass the filesystem and read the flash memory directly.

Exam trap

EC-Council often tests the misconception that a factory reset securely erases all data, when in fact it only removes filesystem pointers, leaving the underlying data recoverable until overwritten.

How to eliminate wrong answers

Option A is wrong because the GUID Partition Table (GPT) is stored in the boot partition area (LBA 1–34) and is not erased or affected by a factory reset; it remains intact and is not a user-data artifact. Option B is wrong because encryption keys are stored in the device's dedicated hardware-backed keystore (e.g., Trusted Execution Environment or StrongBox) and are securely wiped or invalidated during a factory reset, making them unrecoverable. Option C is wrong because Android OS system files reside in the system partition, which is read-only and not modified by a factory reset; they are not user data and are not the target of recovery in this context.

100
MCQhard

A forensic investigator is analyzing a malware sample that appears to be packed. Using PEiD, the analyst detects an entropy value of 7.8 and the entry point section is named 'UPX0'. Which of the following tools should the analyst use NEXT to unpack the malware for static analysis?

A.UPX -d
B.Ghidra
C.Process Monitor
D.IDA Pro
AnswerA

The UPX tool with -d flag decompresses UPX-packed executables.

Why this answer

The presence of 'UPX0' as the entry point section name and an entropy value of 7.8 (very high, indicating compression or encryption) strongly suggests the malware is packed with UPX (Ultimate Packer for eXecutables). The correct next step is to use UPX with the -d (decompress) switch to unpack the binary, restoring the original executable for static analysis. This is a standard, reversible unpacking method that does not require dynamic analysis or disassembly of the packed stub.

Exam trap

EC-Council often tests the distinction between tools for unpacking versus tools for analysis, expecting candidates to recognize that UPX -d is the direct unpacking utility, while Ghidra and IDA Pro are analysis tools that require an already-unpacked binary for effective static analysis.

How to eliminate wrong answers

Option B (Ghidra) is wrong because Ghidra is a reverse-engineering framework for disassembly and decompilation, not a dedicated unpacking tool; attempting to analyze a packed binary in Ghidra without first unpacking it would yield obfuscated or compressed code, making static analysis ineffective. Option C (Process Monitor) is wrong because Process Monitor is a dynamic analysis tool for capturing real-time system activity (registry, file system, process/thread activity), not for unpacking or static analysis of a binary. Option D (IDA Pro) is wrong because IDA Pro is an interactive disassembler and debugger; while it can be used to analyze packed binaries with plugins, the immediate next step after detecting UPX packing is to use the UPX tool itself to decompress the file, as IDA Pro is not a dedicated unpacker and would still require unpacking first for effective static analysis.

101
MCQhard

During a malware analysis session, an analyst uses a tool to view the import address table (IAT) of a suspicious PE file. The tool shows imports from ws2_32.dll and wininet.dll. Which of the following tools would BEST allow the analyst to statically analyze the binary and view the IAT?

A.PEiD
B.Wireshark
C.Process Monitor
D.Cuckoo Sandbox
AnswerA

PEiD is a static analysis tool that can view imports, packers, and other PE header information.

Why this answer

PEiD (Portable Executable Identifier) is a static analysis tool that can parse the PE file structure, including the Import Address Table (IAT), to reveal which DLLs and functions are imported. Since the question specifies static analysis and viewing the IAT, PEiD is the best choice because it directly reads the PE headers without executing the file.

Exam trap

EC-Council often tests the distinction between static and dynamic analysis tools; the trap here is that candidates may confuse dynamic analysis tools (like Cuckoo Sandbox or Process Monitor) with static PE parsing tools, or mistake Wireshark for a binary analysis tool because it deals with network data.

How to eliminate wrong answers

Option B (Wireshark) is wrong because it is a network protocol analyzer that captures live traffic, not a static PE file analysis tool; it cannot parse the IAT of a binary. Option C (Process Monitor) is wrong because it is a dynamic monitoring tool that logs real-time system activity (registry, file system, process/thread) and does not perform static PE header analysis. Option D (Cuckoo Sandbox) is wrong because it is an automated dynamic malware analysis sandbox that executes the sample in an isolated environment, not a static analysis tool for viewing the IAT without execution.

102
MCQmedium

During a malware investigation, you find that a process named `svchost.exe` is making outbound connections to an IP address known to be malicious. What tool would be BEST to capture the network traffic for further analysis?

A.PEiD
B.Process Explorer
C.Regshot
D.Wireshark
AnswerD

Captures and analyzes network packets.

Why this answer

Wireshark is the best tool for capturing and analyzing network traffic because it can intercept packets at the network interface level, allowing you to inspect the full payload and headers of outbound connections from `svchost.exe` to the malicious IP. This enables deep analysis of protocols, data exfiltration attempts, and command-and-control communication patterns, which is essential in malware forensics.

Exam trap

EC-Council often tests the distinction between process analysis tools (like Process Explorer) and network analysis tools (like Wireshark), leading candidates to mistakenly choose Process Explorer because it can show network connections in its lower pane, but it cannot capture or inspect packet contents.

How to eliminate wrong answers

Option A is wrong because PEiD is a tool for detecting packers, cryptors, and compilers in executable files, not for capturing network traffic. Option B is wrong because Process Explorer is a process management and analysis tool that shows process details, handles, and DLLs, but it does not capture or analyze network packets. Option C is wrong because Regshot is a registry comparison tool used to detect changes made to the Windows registry, not for network traffic capture.

103
MCQeasy

Which mobile forensics tool is specifically designed for physical extraction of iOS devices, including bypassing passcodes and extracting full file system images?

A.Oxygen Forensic Detective
B.Magnet AXIOM
C.Cellebrite UFED
D.GrayKey
AnswerD

GrayKey is a dedicated iOS forensic tool capable of physical extraction and passcode bypass.

Why this answer

GrayKey is a specialized forensic tool developed by GrayShift that performs physical extraction on iOS devices, including bypassing passcodes and obtaining full file system images. It exploits hardware and software vulnerabilities in iOS to extract data, making it the correct choice for this specific task.

Exam trap

The trap here is that candidates often confuse Cellebrite UFED's broad device support with the specific ability to perform physical extraction and passcode bypass on iOS, but Cellebrite's iOS capabilities are more limited compared to GrayKey's specialized focus.

How to eliminate wrong answers

Option A is wrong because Oxygen Forensic Detective is a comprehensive forensic platform that supports logical and file system extractions for iOS, but it does not specialize in physical extraction or passcode bypass for iOS devices. Option B is wrong because Magnet AXIOM is a digital forensic tool that focuses on artifact analysis and logical extractions, not physical extraction or passcode bypass for iOS. Option C is wrong because Cellebrite UFED supports physical extraction for many devices, but for iOS, it primarily relies on logical extraction or using the device's backup, and does not consistently bypass passcodes for full physical extraction like GrayKey does.

104
MCQmedium

A security analyst discovers a suspicious file on a Windows system with the hash 'd41d8cd98f00b204e9800998ecf8427e'. Which type of indicator of compromise (IoC) is this hash most commonly associated with?

A.Network indicator
B.Behavioural indicator
C.Registry key indicator
D.File hash indicator
AnswerD

File hashes (MD5, SHA1, SHA256) are used to uniquely identify known malicious files.

Why this answer

The hash 'd41d8cd98f00b204e9800998ecf8427e' is the MD5 hash of an empty file (zero bytes). In malware forensics, a file hash is a classic file-based indicator of compromise (IoC) used to uniquely identify known malicious files. Option D is correct because this hash directly identifies a specific file, making it a file hash indicator.

Exam trap

EC-Council often tests candidates' ability to distinguish between IoC types by presenting a well-known hash value, leading some to mistakenly classify it as a network or behavioural indicator due to its unusual appearance.

How to eliminate wrong answers

Option A is wrong because a network indicator refers to IP addresses, domain names, or URLs observed in network traffic, not a cryptographic hash of a file. Option B is wrong because a behavioural indicator describes actions or patterns of behaviour (e.g., process creation, registry modification) rather than a static file identifier. Option C is wrong because a registry key indicator involves Windows Registry paths or values, not a file hash.

105
Multi-Selecteasy

Which TWO of the following are anti-forensic techniques used by malware to evade detection?

Select 2 answers
A.Packing
B.Logging errors
C.Timestomping
D.Encryption of communication
E.Creating mutexes
AnswersA, C

Packing compresses/obfuscates code to evade signature-based detection.

Why this answer

Packing is an anti-forensic technique that compresses or encrypts the malware's executable code, making static analysis difficult by obfuscating the original binary signature and strings. This allows malware to evade signature-based detection by antivirus and forensic tools until the packed code is unpacked at runtime.

Exam trap

Cisco often tests the distinction between anti-forensic techniques (which actively hide or destroy forensic evidence) and general security mechanisms (like encryption of communication) that do not directly target forensic artifacts.

106
MCQmedium

A malware analyst is using a tool to monitor registry and file system changes during the execution of a suspicious binary. Which tool is specifically designed to take snapshots of the registry and file system before and after execution to identify changes?

A.Regshot
B.Cuckoo Sandbox
C.Process Explorer
D.Process Monitor
AnswerA

Regshot creates before/after snapshots of the registry and file system.

Why this answer

Regshot is a lightweight open-source tool designed specifically to compare registry hives and file system snapshots taken before and after executing a binary. It generates a detailed report of added, modified, or deleted keys and files, making it ideal for malware analysis to quickly identify persistence mechanisms or configuration changes.

Exam trap

Cisco often tests the distinction between snapshot-based comparison tools (Regshot) and real-time monitoring tools (Process Monitor), leading candidates to confuse Process Monitor's live logging capability with the before-and-after snapshot functionality required by the question.

How to eliminate wrong answers

Option B is wrong because Cuckoo Sandbox is an automated dynamic malware analysis environment that executes binaries in a virtual machine and logs system calls, network traffic, and memory dumps, but it does not specialize in taking before-and-after registry and file system snapshots like Regshot does. Option C is wrong because Process Explorer is a task manager and process analysis tool from Sysinternals that shows detailed process information, handles, and DLLs, but it does not capture registry or file system snapshots for comparison. Option D is wrong because Process Monitor (Procmon) is a real-time monitoring tool that logs registry, file system, process, and thread activity as it happens, but it does not provide a before-and-after snapshot comparison; it requires manual filtering and analysis of a continuous event stream.

107
Multi-Selectmedium

A forensic examiner is analyzing an Android device for potential evidence of a specific app’s data. Which TWO locations within the device’s file system would MOST likely contain application-specific data?

Select 2 answers
A./data/data/<package_name>/
B./recovery/
C./ (root directory)
D./sdcard/Android/data/<package_name>/
E./system/app/
AnswersA, D

This directory contains private app data, databases, and shared preferences.

Why this answer

Option A is correct because `/data/data/<package_name>/` is the primary internal storage directory for an Android app's private data, including databases, shared preferences, and cached files. This directory is sandboxed per app and requires root access or a backup to read, making it a key forensic target for application-specific evidence.

Exam trap

EC-Council often tests the misconception that `/system/app/` contains user app data, when in fact it only holds pre-installed APK files, not runtime or user-generated data.

108
MCQeasy

Which Android file system location is MOST likely to contain user-installed app data, preferences, and cached information?

A./vendor/
B./data/data/
C./system/
D./mnt/sdcard/
AnswerB

Standard location for app-specific data on Android.

Why this answer

The /data/data/ directory on Android devices stores application-specific data for user-installed apps, including preferences (shared preferences XML files), databases, and cached information. This location is part of the internal storage partition and is sandboxed per app, ensuring that each app can only access its own data directory. It is the primary repository for runtime app data, making it the most relevant for forensic analysis of user-installed app artifacts.

Exam trap

EC-Council often tests the misconception that user-installed app data is stored on the SD card (/mnt/sdcard/) because users commonly see app files there, but in Android's security model, private app data is strictly kept in /data/data/ and not on external storage.

How to eliminate wrong answers

Option A is wrong because /vendor/ contains proprietary firmware and system-level binaries provided by the device manufacturer, not user-installed app data. Option C is wrong because /system/ holds the Android operating system files (e.g., framework, core apps) and is read-only in normal operation; user-installed app data is never stored here. Option D is wrong because /mnt/sdcard/ (or /sdcard) is the external or emulated storage mount point for user-accessible files like photos and downloads, but it does not contain app-specific private data, preferences, or cached information that is sandboxed per app.

109
MCQhard

A malware analyst is examining a suspicious Windows executable. Running 'strings' reveals references to 'C:\Windows\System32\drivers\etc\hosts' and IP addresses 185.130.5.21 and 192.168.1.1. Dynamic analysis in a sandbox shows the binary modifies the hosts file and creates a mutex named 'Global\Mtx_Update'. Which behavioral indicator is MOST clearly associated with persistence?

A.Modifying the hosts file with an entry for 192.168.1.1
B.Connecting to IP 185.130.5.21 on port 443
C.Writing temporary files to %TEMP%
D.Creating the mutex 'Global\Mtx_Update'
AnswerA

Modifying the hosts file persists across reboots and can be used for traffic redirection, but it is not a typical auto-start persistence; however, among the options, it is the only persistent system change.

Why this answer

Option A is correct because modifying the hosts file to redirect a legitimate domain to 192.168.1.1 is a classic persistence mechanism: the malware ensures that every time the system resolves that domain, it points to the attacker-controlled IP, effectively hijacking network traffic persistently across reboots without needing to run at startup. This behavior directly maintains unauthorized control over name resolution, which is a hallmark of persistence.

Exam trap

EC-Council often tests the distinction between persistence (surviving reboot) and other behavioral indicators like mutex creation or network connections, so the trap here is confusing a mutex (used for single-instance control) with a persistence mechanism.

How to eliminate wrong answers

Option B is wrong because connecting to an external IP (185.130.5.21) on port 443 is a network communication indicator (C2 beaconing), not a persistence mechanism—it does not ensure the malware survives a reboot. Option C is wrong because writing temporary files to %TEMP% is a common execution artifact (e.g., dropping payloads or logs) but does not by itself guarantee the malware will re-execute after a system restart. Option D is wrong because creating a mutex (Global\Mtx_Update) is a synchronization primitive used to prevent multiple instances of the malware from running simultaneously; it does not provide any mechanism for automatic re-execution upon boot.

110
Multi-Selectmedium

A forensic investigator is analyzing a Windows system suspected of malware infection. Which TWO of the following are common persistence mechanisms that malware may use?

Select 2 answers
A.Scheduled Tasks via schtasks
B.Creating a Windows service
C.Adding an entry to the hosts file
D.Modifying the boot.ini file
E.HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
AnswersA, E

Malware can create tasks to run at specific times or logon.

Why this answer

Scheduled Tasks via schtasks (Option A) are a common persistence mechanism because malware can create a task that runs at system startup or at regular intervals to re-infect or maintain a foothold. The schtasks command allows creating tasks with SYSTEM privileges, often triggered by logon or system boot events, making it a stealthy way to survive reboots.

Exam trap

Cisco often tests the distinction between persistence mechanisms and other system modifications (like hosts file or boot.ini) that do not automatically execute code on startup, leading candidates to mistakenly select options that alter system behavior but do not achieve persistence.

111
MCQmedium

An iOS forensic examiner recovers a Keychain dump from an iPhone. Which of the following types of data is typically NOT stored in the iOS Keychain?

A.Wi-Fi passwords
B.Safari saved passwords
C.SMS message content
D.VPN credentials
AnswerC

SMS messages are stored in the SMS.db database, not in the Keychain.

Why this answer

The iOS Keychain is designed to store small, sensitive credentials such as passwords, keys, and certificates. SMS message content is stored in the SMS/MMS database (sms.db) under the protected /private/var/mobile/Library/SMS/ directory, not in the Keychain. Keychain items are encrypted per-app or per-service, whereas SMS messages are managed by the Messages app and stored in a SQLite database with its own encryption layer.

Exam trap

EC-Council often tests the misconception that all sensitive user data (including messages) is stored in the Keychain, but the Keychain is strictly for credentials and secrets, not for bulk message content.

How to eliminate wrong answers

Option A is wrong because Wi-Fi passwords are stored in the iOS Keychain as network credentials, accessible via the System Keychain. Option B is wrong because Safari saved passwords are stored in the Keychain under the iCloud Keychain or local Keychain for autofill. Option D is wrong because VPN credentials (e.g., L2TP, IPSec shared secrets, or certificate-based authentication) are stored in the Keychain as part of the VPN configuration payload.

112
MCQhard

After a factory reset on an Android device, a forensic examiner attempts to recover user data. Which of the following statements is most accurate regarding the recoverability of data?

A.Some user data may be recoverable from the /data partition if it has not been overwritten
B.Data in /data/data/ is securely wiped using TRIM commands, making recovery impossible
C.All user data is permanently destroyed and cannot be recovered
D.Only Google account tokens are recoverable after a factory reset
AnswerA

Factory reset does not overwrite all blocks, so data may persist and be recoverable.

Why this answer

A factory reset on Android typically performs a fast format of the /data partition, which only erases the file system metadata (e.g., ext4 journal and inode tables) but does not overwrite the actual data blocks. Therefore, user data may remain on the flash storage and be recoverable using forensic tools until those blocks are overwritten by new writes. This is why option A is correct: some user data may be recoverable from the /data partition if it has not been overwritten.

Exam trap

Cisco often tests the misconception that a factory reset performs a full secure wipe, when in reality it only removes file system pointers and does not overwrite the underlying data, making recovery possible until overwritten.

How to eliminate wrong answers

Option B is wrong because TRIM commands are issued by the file system to the eMMC/NAND controller to mark blocks as unused, but they do not securely wipe data; they only allow the controller to garbage-collect blocks, and data remnants can often be recovered before physical erasure. Option C is wrong because a factory reset does not perform a secure erase or overwrite of all user data; it only removes file system pointers, leaving the underlying data intact until overwritten. Option D is wrong because not only Google account tokens but also other user data (e.g., app data, cached files, photos) may be recoverable from the /data partition after a factory reset.

113
MCQhard

A security analyst observes a suspicious process creating multiple mutexes with names like 'XxX_12345' and 'XxX_67890' and making outbound connections to an IP address 185.130.5.1 on port 443. Which behavioral indicator is MOST consistent with malware communication?

A.The process is performing data exfiltration via DNS tunneling
B.The process is attempting to spread to other machines via SMB
C.The mutexes indicate an attempt to prevent multiple instances, and outbound connections suggest C2 activity
D.The process is a legitimate application using mutexes for inter-process communication
AnswerC

Mutexes are often used for single-instance protection, and outbound connections are typical for C2.

Why this answer

The creation of mutexes with a consistent naming pattern (e.g., 'XxX_12345') is a classic anti-replication mechanism used by malware to ensure only one instance runs on a system, preventing conflicts and detection. The outbound connections to a specific IP on port 443 (HTTPS) are highly indicative of command-and-control (C2) communication, as malware often uses encrypted channels to blend in with legitimate traffic. Option C correctly identifies both the mutex's purpose (preventing multiple instances) and the network behavior (C2 activity), making it the most consistent with malware communication.

Exam trap

Cisco often tests the misconception that any outbound connection on port 443 is automatically legitimate HTTPS traffic, but the trap here is that malware frequently uses this port for C2, and the mutex pattern is a key differentiator from benign software.

How to eliminate wrong answers

Option A is wrong because DNS tunneling involves encoding data in DNS queries/responses, typically on UDP port 53, not outbound HTTPS connections on port 443; the mutex names also have no relation to DNS. Option B is wrong because SMB propagation uses port 445 (or 139) for file and printer sharing, not port 443, and mutexes are not a standard mechanism for spreading via SMB. Option D is wrong because while legitimate applications do use mutexes for inter-process communication, the combination of suspicious mutex names (e.g., 'XxX_') and outbound connections to an external IP on a common C2 port (443) is not typical of benign software; legitimate apps rarely hardcode such patterns for external communication.

114
MCQmedium

A security analyst detects that a known malware sample writes to the registry key 'HKLM\SYSTEM\CurrentControlSet\Services\<malware>\ImagePath' and creates a service. This behavior is characteristic of which type of persistence mechanism?

A.Scheduled task
B.AppInit_DLLs
C.Startup folder entry
D.Windows service
AnswerD

The registry path under Services indicates the malware is installed as a service, which runs automatically at boot.

Why this answer

The malware writes to 'HKLM\SYSTEM\CurrentControlSet\Services\<malware>\ImagePath' and creates a service, which is the exact mechanism for registering a Windows service. This persistence method ensures the malware runs automatically when the system boots, as the Service Control Manager (SCM) loads services based on this registry key. Option D is correct because this behavior directly corresponds to the Windows service persistence technique.

Exam trap

Cisco often tests the distinction between registry-based persistence mechanisms; the trap here is that candidates confuse the 'Services' registry key with other common persistence locations like 'Run' keys or 'AppInit_DLLs', but the specific 'ImagePath' value under a service subkey uniquely identifies Windows service persistence.

How to eliminate wrong answers

Option A is wrong because scheduled tasks are configured via the Task Scheduler and stored in 'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule' or XML files in '\Windows\System32\Tasks', not under the Services registry key. Option B is wrong because AppInit_DLLs persistence uses the 'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs' registry value to load DLLs into every user-mode process, not by creating a service entry. Option C is wrong because the Startup folder entry involves placing a shortcut or executable in 'C:\Users\[Username]\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' or the All Users startup folder, not modifying the Services registry hive.

115
Multi-Selectmedium

A forensic examiner is analyzing a mobile device that may have been tampered with to erase evidence. Which TWO anti-forensic techniques are commonly encountered in mobile forensics? (Select TWO.)

Select 2 answers
A.Encryption
B.Steganography
C.Factory reset
D.Log wiping
E.Timestomping
AnswersC, E

Factory reset is a common method to erase evidence on mobile devices.

Why this answer

Factory reset (option C) is a common anti-forensic technique in mobile forensics because it wipes user data partitions and resets the device to its original state, often using the 'wipe_data' command in recovery mode or via settings. This removes user-installed applications, accounts, and files, making data recovery difficult unless a physical or chip-off method is used. Timestomping (option E) is also common, as attackers modify file timestamps (e.g., using 'touch -t' on rooted devices or manipulating EXT4 metadata) to mislead forensic timelines and hide the sequence of events.

Exam trap

EC-Council often tests the distinction between anti-forensic techniques (active evidence destruction or manipulation) and general security controls (like encryption), leading candidates to incorrectly select encryption as an anti-forensic method.

116
MCQeasy

Which of the following is the primary purpose of performing static analysis on a suspicious binary?

A.Capturing network traffic generated by the binary
B.Observing the binary's runtime behaviour in a sandbox
C.Analysing the binary's code and structure without executing it
D.Modifying the binary to bypass anti-analysis techniques
AnswerC

Static analysis involves examining the binary file itself, including headers, strings, and disassembly, without running it.

Why this answer

Static analysis examines a binary's code and structure without executing it, allowing analysts to identify malicious indicators such as embedded strings, import tables, and cryptographic constants. This approach avoids triggering anti-analysis mechanisms that activate upon execution, making it a foundational step in malware forensics.

Exam trap

EC-Council often tests the distinction between static and dynamic analysis, trapping candidates who confuse observing runtime behavior (dynamic) with examining code without execution (static).

How to eliminate wrong answers

Option A is wrong because capturing network traffic is a dynamic analysis technique that requires executing the binary to observe its communication, not static analysis. Option B is wrong because observing runtime behavior in a sandbox is dynamic analysis, which executes the binary and risks triggering anti-VM or anti-sandbox code. Option D is wrong because modifying the binary to bypass anti-analysis is an active evasion technique, not a purpose of static analysis; static analysis is non-invasive and does not alter the binary.

117
Multi-Selecteasy

Which TWO of the following are primary purposes of using the GrayKey tool in iOS forensics?

Select 2 answers
A.Perform static analysis of iOS malware
B.Decrypt iOS application binaries for analysis
C.Extract the full file system from a locked iOS device
D.Bypass the iOS passcode to gain access to the device
E.Create an encrypted iTunes backup
AnswersC, D

After bypass, GrayKey can perform a full file system extraction.

Why this answer

Option C is correct because GrayKey is a specialized hardware/software tool designed to perform a full file system extraction from locked iOS devices, including those with passcodes. It exploits vulnerabilities in the iOS Secure Enclave or bootrom to bypass security mechanisms and retrieve a bit-for-bit copy of the device's storage, which is critical for forensic acquisition.

Exam trap

EC-Council often tests the distinction between 'bypassing the passcode' (option D) and 'extracting the file system' (option C) as separate but complementary purposes, leading candidates to incorrectly select only one when both are primary functions of GrayKey.

118
Multi-Selecthard

During dynamic analysis of a suspected malware sample, an analyst observes the following behaviors: (1) The process creates a service named 'WindowsDefender' that starts automatically. (2) It writes an encrypted payload to the registry under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run. (3) It injects code into explorer.exe. (4) It attempts to resolve the domain 'malware-update.com'. (5) It creates a mutex named 'Global\MyMutex'. Which THREE behaviors are indicators of malware persistence? (Select THREE.)

Select 3 answers
A.Injecting code into explorer.exe
B.Writing an encrypted payload to the registry under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
C.Creating a mutex named 'Global\MyMutex'
D.Creating a service named 'WindowsDefender' that starts automatically
E.Attempting to resolve the domain 'malware-update.com'
AnswersA, B, D

Code injection into a commonly running process helps maintain persistence.

Why this answer

Injecting code into explorer.exe (option A) is a persistence mechanism because the injected code runs within the context of a trusted system process that starts automatically at user logon. By hijacking explorer.exe, the malware ensures its malicious code executes every time the user logs into the system, surviving a reboot without needing a separate startup entry.

Exam trap

The trap here is that candidates confuse indicators of execution or communication (like mutex creation or DNS resolution) with persistence mechanisms, which specifically ensure the malware re-executes automatically after a reboot or logon.

119
Multi-Selectmedium

An analyst is investigating a potential data breach on an Android device. Which TWO artefacts are MOST useful for determining which third-party apps were installed and used? (Select TWO.)

Select 2 answers
A.Full system dump (dd image)
B.packages.xml file in /data/system/
C.Wi-Fi connection logs
D./data/data/ directory listing
E.SMS database (mmssms.db)
AnswersB, D

This file lists all installed packages (apps) on the device.

Why this answer

The packages.xml file in /data/system/ records all installed packages, including third-party apps, their permissions, and installation metadata. The /data/data/ directory contains per-package subdirectories with application-specific data, confirming actual usage and stored data. Together, these two artefacts provide definitive evidence of which third-party apps were installed and used on the device.

Exam trap

Cisco often tests the misconception that a full system dump (dd image) is the most useful artefact for app analysis, when in reality the structured packages.xml and /data/data/ directory provide more direct and actionable evidence.

120
MCQmedium

During a malware analysis, a suspicious executable is detected. The analyst runs `strings` on the binary and finds references to `SOFTWARE\Microsoft\Windows\CurrentVersion\Run` and a URL `http://evil.com/beacon`. What does this indicate?

A.The malware is a file infector that modifies system binaries
B.The malware uses a mutex for synchronization
C.The malware establishes persistence and communicates with a remote server
D.The malware performs privilege escalation via a known vulnerability
AnswerC

Registry Run key for persistence; URL for C2.

Why this answer

The presence of a registry key reference to `SOFTWARE\Microsoft\Windows\CurrentVersion\Run` indicates the malware is configured to launch automatically at system startup, establishing persistence. The embedded URL `http://evil.com/beacon` suggests the malware will make outbound HTTP requests to a remote command-and-control (C2) server for beaconing or data exfiltration. Together, these artifacts confirm persistence and remote communication, making option C correct.

Exam trap

EC-Council often tests the distinction between persistence mechanisms (like registry Run keys) and other malware behaviors (like file infection or privilege escalation), so candidates mistakenly associate any registry reference with file infection or confuse a URL with an exploit payload.

How to eliminate wrong answers

Option A is wrong because a file infector modifies system binaries (e.g., .exe or .dll files) to inject malicious code, but the `strings` output shows no evidence of file modification or infection routines—only a registry run key and a URL. Option B is wrong because a mutex is a synchronization object used to prevent multiple instances of malware from running, and no mutex name or reference is present in the provided strings; the artifacts shown are purely persistence and network indicators. Option D is wrong because privilege escalation exploits target vulnerabilities (e.g., CVE-XXXX) to gain higher access, but the strings reveal no exploit code, DLL injection paths, or UAC bypass techniques—only a registry autorun key and a beacon URL.

121
MCQmedium

A forensic analyst is examining an Android device and wants to recover Google account artefacts, such as the last sync timestamp and cached email addresses. Where on the device (in /data/data/) would these artefacts MOST likely be stored?

A.com.google.android.gms
B.com.android.providers.telephony
C.com.android.providers.contacts
D.com.android.settings
AnswerA

Google Play Services (gms) manages account sync and stores related artefacts.

Why this answer

The Google account artefacts, including the last sync timestamp and cached email addresses, are stored within the package 'com.google.android.gms' (Google Play Services). This package manages authentication tokens, sync settings, and account metadata in its databases (e.g., 'accounts.db' or 'gms_credentials.db') under /data/data/com.google.android.gms/databases/. The last sync timestamp is typically recorded in the 'sync_state' table, while cached email addresses appear in the 'accounts' table.

Exam trap

EC-Council often tests the misconception that account-related artefacts are stored in the Contacts or Telephony providers, but the correct location is the Google Play Services package because it centrally manages authentication and sync for all Google services.

How to eliminate wrong answers

Option B is wrong because 'com.android.providers.telephony' handles SMS/MMS and carrier-related data (e.g., APN settings), not Google account sync artefacts. Option C is wrong because 'com.android.providers.contacts' stores contact data (names, phone numbers) from various sources, but it does not hold Google account metadata like sync timestamps or cached email addresses; those are managed by Google Play Services. Option D is wrong because 'com.android.settings' contains system settings UI data and preferences, not the underlying Google account authentication or sync state databases.

122
MCQhard

During dynamic analysis of a suspicious executable in Cuckoo Sandbox, the report shows that the process created a registry key under HKCU\Software\Microsoft\Windows\CurrentVersion\Run named 'WindowsUpdate' and dropped a file 'svchost.exe' in %AppData%. Which conclusion is MOST consistent with these indicators?

A.The executable is cleaning up after itself by deleting temporary files
B.The executable is a dropper that installs a rootkit
C.The executable is a legitimate Windows update component
D.The executable is attempting to establish persistence via a Run key and masquerading as a system process
AnswerD

Run key persistence and masquerading as svchost.exe indicates malware.

Why this answer

The creation of a Run key under HKCU\Software\Microsoft\Windows\CurrentVersion\Run is a classic persistence mechanism that causes the executable to launch automatically at user logon. Dropping a file named 'svchost.exe' in %AppData% is a common masquerading technique, as the legitimate svchost.exe (Service Host) resides in C:\Windows\System32, not in the user's AppData folder. Together, these actions indicate the executable is establishing persistence and disguising itself as a trusted system process.

Exam trap

EC-Council often tests the distinction between persistence mechanisms and other malware behaviors, and the trap here is that candidates may confuse a dropper with a rootkit or assume any file named 'svchost.exe' is legitimate, ignoring the abnormal file path.

How to eliminate wrong answers

Option A is wrong because creating a Run key and dropping a file are actions that establish persistence, not cleanup; deleting temporary files would involve removing artifacts, not adding them. Option B is wrong because while the executable is a dropper (it drops a file), there is no evidence of a rootkit—rootkits typically hide processes or files via kernel-level hooks, not by simply adding a Run key and a masqueraded executable. Option C is wrong because legitimate Windows Update components do not write themselves to HKCU\Run or drop svchost.exe in %AppData%; Windows Update uses trusted system paths like C:\Windows\System32 and is managed by Windows Update service, not user-level Run keys.

123
Multi-Selectmedium

A mobile forensic examiner is analyzing an Android device that has been factory reset. Which TWO of the following artefacts are MOST likely to still be recoverable after a factory reset? (Select TWO)

Select 2 answers
A.SMS messages
B.Deleted applications' data
C.Call logs
D.Google account tokens
E.Photos stored in internal storage
AnswersA, D

SMS messages are stored in SQLite databases that may leave remnants in unallocated space.

Why this answer

SMS messages (A) are stored in the Android internal database file `/data/data/com.android.providers.telephony/databases/mmssms.db`. A factory reset typically only marks the database file's storage blocks as free in the ext4 filesystem without performing a secure wipe, leaving the raw data recoverable via forensic tools like Cellebrite or Oxygen Forensic until overwritten. Google account tokens (D) are stored in the AccountManager service's SQLite database under `/data/system/users/0/accounts.db` and in the `authtoken` table; even after a factory reset, the underlying NAND flash memory may retain these tokens due to wear-leveling and garbage collection delays, allowing recovery with chip-off or JTAG techniques.

Exam trap

Cisco often tests the misconception that a factory reset securely erases all data, but the trap here is that the reset only performs a logical deletion and filesystem-level wipe, not a secure overwrite, so residual data like SMS and authentication tokens can persist in unallocated space or NAND flash cells.

124
Multi-Selectmedium

A forensic analyst is examining an Android device for evidence of a specific app's usage. Which TWO locations are MOST likely to contain app-specific data that can be recovered through a logical acquisition?

Select 2 answers
A./system/bin/
B./data/data/
C./mnt/sdcard/Android/data/
D./proc/
E./init.rc
AnswersB, C

Main internal storage for app data.

Why this answer

Option B is correct because /data/data/ is the primary directory on Android devices where installed applications store their private data, including databases, shared preferences, and cache files. This directory is accessible through logical acquisition (e.g., ADB backup) and contains app-specific evidence such as user credentials, chat logs, and configuration files.

Exam trap

Cisco often tests the misconception that /system/bin/ or /proc/ contain app-specific data because they sound like common storage locations, but in Android forensics, only /data/data/ and external storage paths like /mnt/sdcard/Android/data/ hold recoverable app artifacts during logical acquisition.

125
MCQmedium

A security analyst suspects a mobile device is infected with malware that exfiltrates data via DNS queries. Which tool or technique would be MOST effective for detecting this behavior during dynamic analysis?

A.PEiD to detect packers in the mobile app binary
B.Regshot to compare registry snapshots before and after execution
C.Process Monitor to observe registry and file system changes
D.Wireshark to capture and analyze network packets for anomalous DNS queries
AnswerD

Wireshark can capture DNS traffic and detect exfiltration patterns.

Why this answer

D is correct because DNS exfiltration involves encoding stolen data into DNS query fields (e.g., subdomains or TXT records) and sending them to a malicious server. Wireshark captures and analyzes raw network packets, allowing the analyst to inspect DNS query payloads for anomalous patterns such as unusually long hostnames, high query volume, or queries to suspicious domains, which are hallmarks of DNS tunneling.

Exam trap

EC-Council often tests the misconception that dynamic analysis of malware behavior requires host-based monitoring (like Process Monitor) rather than network-based analysis, but for data exfiltration via DNS, packet capture is essential.

How to eliminate wrong answers

Option A is wrong because PEiD is a tool for detecting packers and compilers in Windows PE files, not for analyzing mobile app binaries or network behavior; it cannot capture DNS queries. Option B is wrong because Regshot compares Windows registry snapshots, which is irrelevant for mobile device analysis and does not monitor network traffic. Option C is wrong because Process Monitor (Procmon) monitors Windows registry, file system, and process activity on a local system, not network packets; it cannot detect DNS exfiltration over the wire.

126
MCQeasy

Which mobile forensic tool is commonly used to perform a physical extraction of an iOS device, including bypassing the lock screen on certain models?

A.Magnet AXIOM
B.GrayKey
C.Oxygen Forensic Detective
D.FTK Imager
AnswerB

GrayKey is designed for iOS physical extraction and passcode bypass.

Why this answer

GrayKey is a specialized hardware tool designed by Grayshift that performs physical extraction of iOS devices, including bypassing the lock screen on certain models (e.g., iPhone 5 through iPhone X) by exploiting bootrom vulnerabilities or using brute-force techniques. It is widely used in law enforcement for forensic acquisition of iOS devices where logical extraction is insufficient.

Exam trap

EC-Council often tests the distinction between logical extraction tools (like Magnet AXIOM or Oxygen Forensic Detective) and hardware-based physical extraction tools (like GrayKey), leading candidates to mistakenly choose a familiar forensic suite that cannot bypass iOS lock screens.

How to eliminate wrong answers

Option A is wrong because Magnet AXIOM is a comprehensive digital forensics platform that supports logical and file system extractions from iOS devices but does not natively perform physical extraction or lock screen bypass; it relies on other tools (like GrayKey or checkra1n) for that capability. Option C is wrong because Oxygen Forensic Detective is a forensic suite that can extract data from iOS devices via logical or advanced logical methods, but it does not include hardware-based physical extraction or lock screen bypass; it depends on third-party tools or jailbreaks for deeper access. Option D is wrong because FTK Imager is a disk imaging tool for creating forensic images of storage media (e.g., hard drives, SD cards) and does not support mobile device extraction, let alone iOS physical extraction or lock screen bypass.

127
MCQeasy

Which of the following mobile forensic tools is specifically known for its ability to perform advanced extractions on iOS devices, including bypassing the lock screen on many models?

A.Cellebrite UFED
B.Magnet AXIOM
C.Oxygen Forensic Detective
D.GrayKey
AnswerD

GrayKey is known for iOS lock screen bypass and advanced extraction.

Why this answer

GrayKey is specifically designed for advanced iOS extractions, leveraging a combination of hardware and software exploits to bypass the lock screen on many iPhone models, including recent ones. Unlike general-purpose forensic tools, GrayKey focuses exclusively on iOS and uses techniques like checkm8 bootrom exploit or brute-force attacks via USB to gain access to encrypted device data.

Exam trap

EC-Council often tests the distinction between general-purpose forensic tools (like Cellebrite UFED) and specialized hardware-based extraction tools (like GrayKey), leading candidates to choose Cellebrite because of its brand recognition, even though GrayKey is the only option specifically designed for advanced iOS lock-screen bypass.

How to eliminate wrong answers

Option A is wrong because Cellebrite UFED is a versatile tool supporting many mobile OSes, but its iOS lock-screen bypass capabilities are limited compared to GrayKey, often relying on known vulnerabilities or physical extraction methods that may not work on newer iOS versions. Option B is wrong because Magnet AXIOM is a comprehensive digital forensics platform that processes data from multiple sources (mobile, cloud, computer), but it does not perform direct iOS lock-screen bypass; it relies on other tools or pre-extracted images. Option C is wrong because Oxygen Forensic Detective is a strong mobile forensic tool with advanced analysis features, but its iOS extraction capabilities typically require the device to be unlocked or use logical extraction methods, lacking the dedicated hardware-based lock-screen bypass that GrayKey offers.

128
MCQeasy

During a mobile device investigation, an examiner needs to acquire the maximum amount of data from a locked iOS device without modifying it. Which acquisition type should be used?

A.Manual acquisition
B.Physical acquisition
C.Logical acquisition
D.File system acquisition
AnswerB

Physical acquisition provides a complete bit-for-bit copy, including deleted data, and can often bypass lock screens with tools like GrayKey or Cellebrite UFED.

Why this answer

Physical acquisition is the correct choice because it creates a bit-for-bit copy of the entire flash storage, including the operating system, user data, and deleted file remnants, without relying on the iOS operating system to be unlocked or cooperative. This method bypasses the lock screen by exploiting hardware or software vulnerabilities (e.g., checkm8 bootrom exploit) or using advanced forensic tools (e.g., Cellebrite, GrayKey) to read the raw NAND memory, ensuring maximum data extraction while maintaining forensic integrity.

Exam trap

EC-Council often tests the misconception that logical acquisition is sufficient for locked devices because it can extract backups, but the trap is that logical acquisition still requires the device to be unlocked or have a trusted relationship established, whereas physical acquisition is the only method that can bypass the lock screen to capture the entire storage image.

How to eliminate wrong answers

Option A is wrong because manual acquisition requires the device to be unlocked and interactive, which is impossible with a locked iOS device and only captures visible data on the screen, not the full storage. Option C is wrong because logical acquisition only extracts files and databases accessible through the iOS operating system’s APIs (e.g., via iTunes backup or libimobiledevice), which requires the device to be unlocked and does not capture deleted data or system partitions. Option D is wrong because file system acquisition, while more detailed than logical, still requires the device to be unlocked (e.g., via jailbreak or trusted connection) and only retrieves the file system hierarchy, not the raw blocks of the storage, missing unallocated space and hidden partitions.

129
MCQmedium

Which mobile forensic acquisition method is MOST likely to retrieve deleted text messages from an iPhone that was not jailbroken and has no passcode?

A.Physical acquisition via forensic tool like Cellebrite UFED
B.Logical acquisition via iTunes backup
C.Manual acquisition by browsing the device
D.File system acquisition via AFC (Apple File Conduit)
AnswerA

Physical acquisition recovers full flash including deleted data.

Why this answer

Physical acquisition (A) creates a bit-for-bit copy of the entire flash storage, including unallocated space where deleted text messages (stored in SQLite WAL/SHM/journal files) often reside. Since the iPhone has no passcode, the forensic tool can bypass the lock screen and access the raw NAND, allowing recovery of deleted records that logical or file-system methods cannot reach because they only copy allocated files.

Exam trap

Cisco often tests the misconception that logical or file-system methods can recover deleted data because they access the file system, but in iOS, only physical acquisition reaches the unallocated space where deleted messages persist.

How to eliminate wrong answers

Option B is wrong because logical acquisition via iTunes backup only retrieves files that are currently allocated and backed up; deleted text messages are not included in the backup, as iTunes does not capture unallocated space or SQLite write-ahead logs. Option C is wrong because manual acquisition by browsing the device only shows visible, undeleted content through the user interface; deleted messages are not displayed and cannot be recovered by simply scrolling or tapping. Option D is wrong because file system acquisition via AFC (Apple File Conduit) only provides access to the media partition and certain app sandboxes over USB, but it does not grant raw block-level access to the NAND or unallocated space, so deleted SQLite records remain unrecoverable.

130
MCQhard

During dynamic analysis of a Windows malware sample, Process Monitor shows repeated writes to 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'. What does this behaviour indicate?

A.The malware is disabling Windows Defender
B.The malware is establishing persistence to run at system startup
C.The malware is modifying network configuration
D.The malware is performing log wiping
AnswerB

The 'Run' key is used to automatically start programs when a user logs in.

Why this answer

The registry key 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' is a standard Windows autorun location. Malware writing to this key ensures that its executable is launched automatically every time the system boots, which is a classic persistence mechanism. Process Monitor capturing repeated writes confirms the malware is actively establishing this startup persistence.

Exam trap

EC-Council often tests the distinction between persistence mechanisms (like Run keys) and other malware behaviors (like disabling security or log wiping), so the trap here is that candidates confuse the Run key's purpose with system configuration changes or defensive countermeasures.

How to eliminate wrong answers

Option A is wrong because disabling Windows Defender typically involves modifying security center settings or stopping services (e.g., via 'sc stop WinDefend' or writing to 'HKLM\SOFTWARE\Policies\Microsoft\Windows Defender'), not writing to the Run key. Option C is wrong because modifying network configuration involves changes to TCP/IP parameters, DNS settings, or firewall rules (e.g., via netsh or registry keys under 'HKLM\SYSTEM\CurrentControlSet\Services\Tcpip'), not the Run key. Option D is wrong because log wiping involves clearing event logs (e.g., via 'wevtutil cl' or 'Clear-EventLog') or deleting log files, not writing to the Run registry key.

131
MCQmedium

An iOS forensic analyst is examining data from an iCloud backup and finds a file named 'call_history.db'. Which SQLite table within this database is MOST likely to contain the duration and timestamp of each phone call?

A.ZCONTACT
B.ZOBJECT
C.call
D.ZCALL
AnswerC

The 'call' table stores call records including date, duration, and phone number.

Why this answer

In iOS, call history data is stored in the 'call_history.db' SQLite database, and the primary table containing call duration and timestamps is named 'call'. The 'call' table includes columns such as 'duration' (in seconds) and 'date' (as a Cocoa Core Data timestamp). This is the standard schema used by Apple's Phone app since iOS 4.

Exam trap

EC-Council often tests the misconception that iOS uses Core Data entity names with a 'Z' prefix (like ZCALL) for all databases, but the call_history.db uses a simple legacy table named 'call' without the prefix.

How to eliminate wrong answers

Option A is wrong because ZCONTACT is a table in the iOS AddressBook or Contacts database (e.g., AddressBook.sqlitedb), not in call_history.db, and it stores contact names and IDs, not call metadata. Option B is wrong because ZOBJECT is a table found in the KnowledgeC database (e.g., knowledgeC.db) used for app usage and behavior logging, not for call history records. Option D is wrong because ZCALL does not exist as a standard table in iOS call_history.db; the correct table is simply 'call', and the 'Z' prefix is used in Core Data entity names but not in this legacy SQLite schema.

132
MCQeasy

In static malware analysis, what is the purpose of using a tool like PEiD?

A.To monitor registry changes during execution
B.To detect packers or compilers used in the PE file
C.To disassemble the binary into assembly code
D.To analyze network traffic generated by the malware
AnswerB

PEiD identifies packers like UPX, ASPack.

Why this answer

PEiD is a static analysis tool that identifies packers, cryptors, and compilers embedded in Portable Executable (PE) files by scanning for known signatures in the file's entry point and section headers. This helps an analyst understand whether the malware is packed (obfuscated) and what tool was used to create or compress it, which is critical before attempting dynamic analysis or unpacking.

Exam trap

EC-Council often tests the distinction between static and dynamic analysis tools, and the trap here is that candidates confuse PEiD with a disassembler or a runtime monitor, because they see 'analysis' and assume it covers all phases of malware examination.

How to eliminate wrong answers

Option A is wrong because monitoring registry changes during execution is a dynamic analysis technique, not static; tools like Regshot or Process Monitor are used for that purpose. Option C is wrong because disassembling a binary into assembly code is the function of a disassembler such as IDA Pro or Ghidra, not PEiD, which only identifies packers/compilers. Option D is wrong because analyzing network traffic generated by malware is a dynamic analysis task performed with tools like Wireshark or tcpdump, not a static analysis tool like PEiD.

133
MCQeasy

Which of the following is a key difference between static and dynamic malware analysis?

A.Static analysis executes the malware, dynamic does not
B.Static analysis requires an internet connection, dynamic does not
C.Static analysis examines code without execution, dynamic analysis executes the sample
D.Static analysis is always automated, dynamic is manual
AnswerC

Static involves disassembly and code review; dynamic involves running the malware.

Why this answer

Static malware analysis involves examining the malware's code (e.g., disassembly, strings, headers) without executing it, while dynamic analysis runs the sample in a controlled environment (e.g., sandbox, debugger) to observe its runtime behavior. Option C correctly captures this fundamental distinction: static analysis is code-centric and non-executional, whereas dynamic analysis is behavior-centric and executional.

Exam trap

The trap here is that candidates often confuse the terms 'static' and 'dynamic' by associating 'static' with 'not moving' (incorrectly thinking it means no analysis) or misremembering which one involves execution, leading them to pick Option A.

How to eliminate wrong answers

Option A is wrong because it reverses the definitions: static analysis does NOT execute the malware, while dynamic analysis does. Option B is wrong because neither analysis inherently requires an internet connection; dynamic analysis often uses simulated network services (e.g., INetSim) to avoid real internet traffic, and static analysis can be performed offline. Option D is wrong because both static and dynamic analysis can be automated (e.g., YARA rules for static, Cuckoo Sandbox for dynamic) or performed manually, so automation is not a distinguishing factor.

134
MCQeasy

Which of the following is an example of an anti-forensics technique used to hide malicious activity?

A.Timestomping
B.Running a sandbox
C.Creating a mutex
D.Generating a hash
AnswerA

Alters timestamps to evade detection.

Why this answer

Timestomping is an anti-forensics technique that deliberately modifies file timestamps (e.g., MAC times: Modified, Accessed, Created) using tools like `touch` on Linux or `SetFileTime` on Windows. By altering these timestamps, an attacker can hide the true timeline of malicious file creation, modification, or access, thereby evading forensic timeline analysis and making it appear that malicious activity occurred at a different time or was part of legitimate system operations.

Exam trap

Cisco often tests the misconception that any technique used by malware (like creating a mutex) is automatically an anti-forensics technique, when in fact anti-forensics specifically targets the forensic process itself (e.g., data hiding, evidence destruction, or timeline manipulation).

How to eliminate wrong answers

Option B is wrong because running a sandbox is a security analysis technique used to execute suspicious code in an isolated environment to observe its behavior, not an anti-forensics technique to hide malicious activity. Option C is wrong because creating a mutex (mutual exclusion object) is a common programming construct used by both legitimate software and malware for synchronization or to prevent multiple instances, but it is not inherently an anti-forensics technique; while some malware uses mutexes as infection markers, this does not hide activity from forensic tools. Option D is wrong because generating a hash (e.g., MD5, SHA-1) is a standard integrity verification method used in forensics to ensure evidence has not been altered, not a technique to conceal malicious activity.

135
MCQmedium

A forensic analyst receives a mobile device that has been factory reset. Which of the following types of data is MOST likely to be recoverable using advanced forensic techniques?

A.Deleted text messages and call logs, but not app data
B.All user data, as factory reset only deletes file pointers
C.Google account tokens and cached credentials
D.No data is recoverable after a factory reset on modern devices
AnswerC

Some tokens may persist in NVRAM or other storage; advanced techniques like chip-off may recover them.

Why this answer

Option C is correct because a factory reset typically does not overwrite the flash memory where Google account tokens and cached credentials are stored. Advanced forensic techniques, such as chip-off or JTAG, can recover these remnants from the NAND flash memory, as the reset only marks the storage blocks as available for reuse without physically erasing the data.

Exam trap

EC-Council often tests the misconception that a factory reset is equivalent to a secure wipe, but in reality, it only deletes file pointers and leaves residual data in unallocated flash memory, which advanced forensic techniques can recover.

How to eliminate wrong answers

Option A is wrong because deleted text messages and call logs are also stored in unallocated flash memory and can be recovered alongside app data using advanced techniques, not exclusively excluded. Option B is wrong because a factory reset does not preserve all user data; it clears user data partitions and file pointers, but some residual data may remain in unallocated space, not the entire dataset. Option D is wrong because modern devices still leave recoverable data in unallocated NAND flash blocks after a factory reset, especially tokens and credentials, due to the lack of secure erase commands like eMMC sanitize being executed.

136
Multi-Selectmedium

A malware sample creates the following registry key: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MalwareName. Which THREE of the following are appropriate next steps for the analyst?

Select 3 answers
A.Run a full system antivirus scan
B.Document the registry key as an IoC for future detection
C.Check for similar persistence keys in other Run locations and scheduled tasks
D.Delete the registry key to remove the persistence mechanism
E.Contact law enforcement immediately
AnswersB, C, D

Registry keys are valuable IoCs for detection and threat intelligence.

Why this answer

The registry key indicates persistence. The analyst should document it as an IoC, delete the key to remove persistence, and examine other common persistence locations. Running a full system scan may be helpful but is less specific; contacting law enforcement is premature unless required.

137
MCQeasy

Which of the following tools is designed specifically for dynamic analysis of malware by executing it in a controlled, isolated environment?

A.PEiD
B.Ghidra
C.Cuckoo Sandbox
D.IDA Pro
AnswerC

Cuckoo Sandbox is a dynamic analysis tool that runs malware in an isolated environment and monitors behavior.

Why this answer

Cuckoo Sandbox is an open-source automated malware analysis system designed specifically for dynamic analysis. It executes suspicious files in a controlled, isolated environment (a virtual machine) and monitors their behavior, including system calls, file system changes, registry modifications, and network traffic, to produce a comprehensive report without risking the host system.

Exam trap

EC-Council often tests the distinction between static analysis tools (like PEiD, Ghidra, IDA Pro) and dynamic analysis sandboxes (like Cuckoo), so the trap is that candidates may confuse a debugger or disassembler (which can execute code step-by-step) with a fully automated, isolated sandbox environment.

How to eliminate wrong answers

Option A (PEiD) is wrong because it is a static analysis tool that detects packers, cryptors, and compilers in PE files by scanning signatures; it does not execute malware. Option B (Ghidra) is wrong because it is a reverse-engineering framework focused on static analysis and disassembly/decompilation of binaries, not on executing malware in an isolated environment. Option D (IDA Pro) is wrong because it is an interactive disassembler and debugger used for static and limited dynamic analysis (via its debugger), but it is not designed as a sandbox for automated, isolated execution of malware.

138
MCQmedium

During a mobile forensic investigation, an examiner finds that the seized iPhone is locked with a passcode but is running iOS 11. Which acquisition method should the examiner prioritize to obtain the most data without bypassing the passcode?

A.Physical acquisition using a JTAG tool
B.Logical acquisition via iTunes backup
C.File system acquisition using Cellebrite UFED
D.Manual acquisition by photographing the screen
AnswerB

iTunes backup can be initiated without passcode if device is trusted, and provides access to many artefacts including SMS, contacts, and call history.

Why this answer

On iOS 11, a locked device prevents physical and file system acquisitions due to hardware encryption and the Secure Enclave. Logical acquisition via iTunes backup is the recommended method because it can extract most user data (contacts, messages, photos) without requiring the passcode to be bypassed, as the backup process is authorized by the device's trust relationship with a previously paired computer.

Exam trap

Cisco often tests the misconception that physical acquisition is always superior, but on modern iOS devices, logical acquisition via iTunes backup is the only viable method for locked devices without bypassing the passcode.

How to eliminate wrong answers

Option A is wrong because JTAG physical acquisition requires physical access to the device's circuit board and is typically used for older devices or when the device is disabled; on iOS 11, the Secure Enclave and full-disk encryption make JTAG impractical for locked devices without passcode bypass. Option C is wrong because file system acquisition using Cellebrite UFED on iOS 11 requires either a jailbreak or a known passcode to decrypt the file system; without bypassing the passcode, UFED cannot access the encrypted file system. Option D is wrong because manual acquisition by photographing the screen only captures visible data and is not a forensic acquisition method; it fails to retrieve deleted data, metadata, or data not currently displayed.

139
MCQeasy

During a malware investigation, a forensic analyst observes that a suspicious process creates a mutex named 'Global\MyMutex' and writes to the registry key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run. What behavioral indicator does this represent?

A.Persistence mechanism to survive reboot
B.Encryption of sensitive data
C.Establishment of a C2 channel
D.Attempt to evade sandbox detection
AnswerA

The Run registry key is a standard persistence location; malware adds itself to launch automatically at system startup.

Why this answer

Writing to the registry key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run is a classic persistence mechanism. This key is processed by the Windows Session Manager (smss.exe) and the Winlogon process at every user logon, causing the specified executable to launch automatically. Combined with the creation of a named mutex (Global\MyMutex) to prevent multiple instances, this behavior indicates the malware is ensuring it survives a system reboot and maintains a single running copy.

Exam trap

EC-Council often tests the distinction between persistence mechanisms and other malware behaviors, so candidates mistakenly associate any registry write with C2 or evasion, when the specific Run key is explicitly designed for automatic startup after reboot.

How to eliminate wrong answers

Option B is wrong because writing to the Run registry key does not involve any cryptographic operations; encryption of sensitive data would typically involve API calls like CryptEncrypt or BCryptEncrypt, not registry modifications. Option C is wrong because establishing a C2 channel requires network communication (e.g., HTTP/S, DNS, or raw socket connections), not the creation of a local mutex or a registry run key. Option D is wrong because evading sandbox detection often involves techniques like checking for debuggers, virtual machine artifacts, or delaying execution, not simply creating a mutex and writing to a well-known persistence location.

140
MCQmedium

During an iOS forensic examination, an analyst extracts an iTunes backup and finds a file named 'SMS.db'. Which of the following tools is BEST suited to parse and analyze this SQLite database for SMS and iMessage content?

A.GrayKey
B.Oxygen Forensic Detective
C.Cellebrite UFED
D.SQLite Browser
AnswerD

SQLite Browser is a free tool that can directly open and query SQLite databases such as SMS.db.

Why this answer

SQLite Browser is the best tool for parsing and analyzing the 'SMS.db' file because it is a free, open-source SQLite database viewer that allows direct querying and inspection of the database schema, tables, and records. Since 'SMS.db' is a standard SQLite database containing SMS and iMessage data in iOS backups, SQLite Browser provides the most straightforward and cost-effective method for manual forensic analysis without relying on proprietary extraction tools.

Exam trap

EC-Council often tests the misconception that commercial forensic suites like Cellebrite or GrayKey are always the best tools for every forensic task, when in fact a simple, free database browser is more appropriate for analyzing a standard SQLite file after extraction.

How to eliminate wrong answers

Option A is wrong because GrayKey is a specialized hardware tool for bypassing iOS passcodes and extracting full file system images, not for parsing individual SQLite databases like 'SMS.db' after extraction. Option B is wrong because Oxygen Forensic Detective is a comprehensive forensic suite that can parse SMS.db, but it is overkill for simply analyzing a single extracted database file and is not the 'best suited' tool for this specific task due to its cost and complexity. Option C is wrong because Cellebrite UFED is primarily a physical extraction and decoding tool for mobile devices, not a dedicated SQLite database browser; while it can parse SMS data from extractions, it is not the optimal choice for directly opening and querying an already extracted 'SMS.db' file.

141
MCQmedium

A security analyst is using Wireshark during a malware analysis session. The analyst observes a series of DNS queries to a domain 'malware-c2.example.com' every 60 seconds. This behavior is indicative of which malware characteristic?

A.Data exfiltration
B.DNS tunneling
C.Command and control (C2) communication
D.Propagation via network scanning
AnswerC

Regular beaconing to a domain suggests C2 communication for instructions or status updates.

Why this answer

The periodic DNS queries to 'malware-c2.example.com' every 60 seconds are a classic heartbeat or beaconing mechanism used by malware to maintain persistent communication with its command and control (C2) server. This regular check-in allows the attacker to send commands or receive stolen data without requiring the malware to initiate a direct connection, which could be blocked by firewalls. The fixed interval and specific domain indicate a programmed C2 channel rather than a one-time data transfer or tunneling technique.

Exam trap

EC-Council often tests the distinction between DNS tunneling and C2 beaconing, where candidates mistakenly choose DNS tunneling because they see DNS queries, but the key differentiator is the regular, low-frequency pattern (beaconing) versus high-volume or encoded data in queries (tunneling).

How to eliminate wrong answers

Option A is wrong because data exfiltration typically involves sending stolen data (e.g., files, credentials) to an external server, often using HTTP POST, FTP, or DNS tunneling, but the periodic DNS queries alone do not indicate data transfer; they are just keep-alive signals. Option B is wrong because DNS tunneling encodes data within DNS query and response fields (e.g., subdomains or TXT records) to bypass network filters, but the described behavior—simple queries every 60 seconds—lacks the high volume or encoded payloads characteristic of tunneling. Option D is wrong because propagation via network scanning involves probing for vulnerable hosts using protocols like SMB, RDP, or SSH, not sending DNS queries to a fixed domain at regular intervals.

142
MCQeasy

Which of the following tools is BEST suited for performing static analysis of a malware binary to identify strings, headers, and imported functions without executing the file?

A.Cuckoo Sandbox
B.Any.run
C.Process Monitor
D.IDA Pro
AnswerD

IDA Pro is a static analysis tool for disassembling and analyzing binaries.

Why this answer

IDA Pro is the correct choice because it is a disassembler and debugger specifically designed for static analysis of binary executables. It allows an analyst to examine strings, PE/ELF headers, and imported functions without executing the file, making it ideal for malware reverse engineering. In contrast, the other options require execution or focus on runtime behavior.

Exam trap

EC-Council often tests the distinction between static and dynamic analysis, and the trap here is that candidates confuse sandbox tools (Cuckoo, Any.run) or process monitors (Procmon) with static analysis because they are commonly used in malware forensics, but they all require execution.

How to eliminate wrong answers

Option A is wrong because Cuckoo Sandbox is an automated dynamic analysis system that executes the malware in a sandboxed environment, not a static analysis tool. Option B is wrong because Any.run is a cloud-based interactive malware analysis platform that also executes samples to observe behavior, not a static analyzer. Option C is wrong because Process Monitor (Procmon) is a real-time system monitoring tool that captures file system, registry, and process activity during execution, requiring the malware to run.

143
Multi-Selecthard

During a malware investigation, an analyst examines a suspicious file that appears to have been timestomped. Which THREE of the following techniques or tools can be used to detect timestamp manipulation on Windows?

Select 3 answers
A.Examining the file’s $STANDARD_INFORMATION vs $FILE_NAME timestamps using tools like MFT2CSV
B.Capturing network traffic with Wireshark
C.Using Regshot to compare registry snapshots
D.Running the Timestomp tool to analyze the file’s timestamp attributes
E.Analyzing the USN journal for file modification records
AnswersA, D, E

Timestomping often changes $SI but not $FN; comparing them can reveal manipulation.

Why this answer

Option A is correct because timestomping modifies the $STANDARD_INFORMATION attribute, but the $FILE_NAME attribute retains the original timestamps from when the file was created or renamed. Tools like MFT2CSV parse the MFT to compare these two sets of timestamps; a discrepancy indicates manipulation.

Exam trap

Cisco often tests the distinction between filesystem metadata attributes (SI vs FN) and common forensic tools, leading candidates to mistakenly think network or registry analysis can detect timestamp manipulation.

144
Multi-Selectmedium

An incident responder is analyzing a compromised Windows workstation. Which TWO artifacts would provide the STRONGEST evidence of a malware persistence mechanism?

Select 2 answers
A.Event log entry for user login
B.Registry Run key referencing a suspicious path
C.Scheduled Task entry pointing to a malicious executable
D.Network share access logs
E.Browser history showing download of a suspicious file
AnswersB, C

Autorun persistence.

Why this answer

The Registry Run key (e.g., `HKCU\Software\Microsoft\Windows\CurrentVersion\Run`) is a classic and widely used persistence mechanism. A suspicious path under this key directly indicates that the malware is configured to execute automatically at user logon, providing strong evidence of persistence. This is a core artifact in Windows forensics for identifying auto-starting malware.

Exam trap

Cisco often tests the distinction between infection vector artifacts (like browser history) and persistence mechanism artifacts (like Run keys or scheduled tasks), trapping candidates who confuse how malware arrives with how it survives a reboot.

145
MCQhard

An analyst extracts an iTunes backup from a Windows computer. The backup contains a file manifest.plist with cryptographic hashes. What is the primary purpose of these hashes in the backup process?

A.To compress the backup data
B.To verify the integrity of the backup files
C.To index the backup for faster searching
D.To encrypt the backup files
AnswerB

Hashes ensure files haven't been altered.

Why this answer

The cryptographic hashes in an iTunes backup's manifest.plist file are used to verify the integrity of the backup files. Each hash corresponds to a file in the backup, allowing the system to detect any corruption or tampering by comparing the stored hash against a newly computed hash of the file data.

Exam trap

EC-Council often tests the distinction between integrity verification (hashing) and confidentiality (encryption), so candidates may confuse the purpose of hashes with encryption or compression.

How to eliminate wrong answers

Option A is wrong because hashes do not compress data; compression is achieved through algorithms like zlib or LZMA, not cryptographic hashing. Option C is wrong because hashes are not used for indexing or searching; indexing is typically handled by separate metadata or database files (e.g., Manifest.db). Option D is wrong because hashes do not encrypt data; encryption in iTunes backups is performed using AES-256 with a key derived from the user's password, while hashes only provide integrity verification.

146
Multi-Selecteasy

Which TWO of the following are valid acquisition types in mobile forensics, ranked from most to least data recovered?

Select 2 answers
A.Manual
B.Physical
C.Cloud
D.Logical
E.File system
AnswersB, D

Bit-for-bit image of storage, recovers deleted data.

Why this answer

Physical acquisition (option B) captures the entire flash memory bit-for-bit, including deleted files and unallocated space, providing the most complete data recovery. Logical acquisition (option D) extracts only active files and system data via the operating system's API, yielding less data than physical but more than manual or cloud methods. Together, they represent the two valid acquisition types ranked from most to least data recovered in mobile forensics.

Exam trap

EC-Council often tests the distinction between primary acquisition types (physical and logical) and secondary methods (manual, cloud, file system), expecting candidates to recognize that file system acquisition is a subset of logical, not a separate category, and that cloud acquisition is not device-centric.

147
Multi-Selecthard

A malware analyst is performing dynamic analysis of a suspected trojan in a sandbox environment. Which of the following behaviours are strong indicators that the malware is establishing persistence on the infected system? (Select THREE.)

Select 3 answers
A.Creating a scheduled task that runs at system startup
B.Creating a Windows service named 'UpdateService'
C.Connecting to an IP address on port 443
D.Writing a value to HKCU\Software\Microsoft\Windows\CurrentVersion\Run
E.Creating a mutex named 'Global\MyMutex'
AnswersA, B, D

Scheduled tasks can trigger at boot or logon, ensuring persistence.

Why this answer

Creating a scheduled task that runs at system startup is a classic persistence mechanism. The Task Scheduler API (taskschd.dll) allows malware to register a task that executes at boot or user logon, ensuring the trojan re-executes after a reboot. This is a direct indicator of persistence because it modifies the system's startup behavior.

Exam trap

EC-Council often tests the distinction between persistence mechanisms and other malware behaviors (like network communication or inter-process synchronization), so the trap here is confusing network activity (C) or mutex creation (E) with persistence, when only startup-modifying actions (A, B, D) qualify.

148
Multi-Selecthard

During dynamic analysis of a malware sample, an analyst observes the following: creation of a mutex named `Global\{9A2D7E1C-3F4B-4A5E-9B8C-1D2E3F4A5B6C}`, a registry key under `HKCU\Software\Microsoft\Windows\CurrentVersion\Run` named `WindowsUpdate`, and outbound TCP traffic to `203.0.113.5:443`. Which THREE of the following indicators of compromise (IoCs) should be documented?

Select 3 answers
A.Outbound TCP to `203.0.113.5:443`
B.SHA256 hash of the malware sample
C.Mutex name `Global\{9A2D7E1C-3F4B-4A5E-9B8C-1D2E3F4A5B6C}`
D.File path `C:\Windows\System32\notepad.exe`
E.Registry key `HKCU\...\Run\WindowsUpdate`
AnswersA, C, E

C2 communication.

Why this answer

Option A is correct because outbound TCP traffic to a specific IP address and port (203.0.113.5:443) is a classic network-based indicator of compromise (IoC). During dynamic analysis, this demonstrates the malware's command-and-control (C2) communication, often using HTTPS over port 443 to blend with legitimate traffic. Documenting this IoC allows defenders to block the endpoint and detect similar infections via network monitoring.

Exam trap

Cisco often tests the distinction between static IoCs (like file hashes) and dynamic IoCs (like network traffic, mutex names, and registry modifications) to see if candidates understand that dynamic analysis focuses on behavioral artifacts, not file-level attributes.

149
MCQmedium

An investigator is analyzing an Android device and finds a database file in /data/data/com.whatsapp/databases/msgstore.db. Which type of information is MOST likely stored in this database?

A.WhatsApp chat messages
B.System call logs
C.GPS location history
D.Contact list from the device
AnswerA

msgstore.db is the WhatsApp message database.

Why this answer

The msgstore.db file in the WhatsApp package directory is the primary SQLite database that stores all WhatsApp chat messages, including text messages, media metadata, and message timestamps. This database is located at /data/data/com.whatsapp/databases/msgstore.db on Android devices and is a key artifact for forensic recovery of WhatsApp conversations.

Exam trap

EC-Council often tests the distinction between app-specific databases and system-level databases, and the trap here is that candidates confuse msgstore.db with a general-purpose database that might store contacts or location data, when in fact it is strictly for chat message storage within the WhatsApp application.

How to eliminate wrong answers

Option B is wrong because system call logs are stored in the Linux kernel's ring buffer or in /proc/ and /sys/ filesystem entries, not in an app-specific SQLite database like msgstore.db. Option C is wrong because GPS location history is typically stored in Google Play Services databases (e.g., /data/data/com.google.android.gms/databases/) or in the device's fused location provider, not in WhatsApp's msgstore.db (though WhatsApp may store location-sharing messages as part of chat content, the database itself is not a GPS history store). Option D is wrong because the contact list from the device is stored in the Contacts Provider database (e.g., /data/data/com.android.providers.contacts/databases/contacts2.db) or in WhatsApp's wa.db or axolotl.db, not in msgstore.db, which focuses on message threads.

150
Multi-Selecteasy

An Android forensic examiner performs a physical acquisition on a device. Which TWO of the following are typical artefacts that can be recovered from the /data/data/ directory on a non-rooted device if the acquisition method allows full file system access?

Select 2 answers
A.Bootloader configuration
B.Recovery mode logs
C.Kernel logs
D.App-specific SQLite databases
E.Shared preferences XML files
AnswersD, E

App databases (e.g., for WhatsApp, Facebook) are stored here.

Why this answer

On a non-rooted Android device, the /data/data/ directory contains application-specific data, including SQLite databases and Shared Preferences XML files. These are typical artefacts because apps store structured data (e.g., user credentials, chat logs) in SQLite databases and configuration settings in Shared Preferences XML files. A physical acquisition with full file system access can recover these files even without root, as the acquisition method bypasses normal permission restrictions.

Exam trap

EC-Council often tests the misconception that /data/data/ is inaccessible on non-rooted devices, but a physical acquisition with full file system access (e.g., via JTAG or chip-off) can read the raw NAND flash, allowing recovery of app data regardless of root status.

← PreviousPage 2 of 3 · 164 questions totalNext →

Ready to test yourself?

Try a timed practice session using only Mobile and Malware Forensics questions.