CCNA Mobile and Malware Forensics Questions

14 of 164 questions · Page 3/3 · Mobile and Malware Forensics

151
MCQ · medium

During dynamic analysis of a malware sample, an analyst uses Process Monitor to monitor file system activity. The malware creates a file named 'C:\Users\Admin\AppData\Roaming\svchost.exe'. What does this likely indicate?

A. The malware is a legitimate Windows update
B. The malware is extracting an archive
C. The malware is cleaning up temporary files
D. The malware is attempting to achieve persistence by placing a copy in a user directory
Answer: D

Creating a file with a system process name in AppData is a common persistence technique.

Why this answer

The creation of a file named 'svchost.exe' in the user's AppData\Roaming directory is a classic persistence technique. By placing a copy of itself with the name of a legitimate Windows system process (svchost.exe) in a user-writable location, the malware aims to execute automatically at startup (e.g., via a registry Run key or scheduled task) while evading suspicion. This is not a legitimate Windows update, as system files reside in C:\Windows\System32, not in a user profile directory.

Exam trap

Cisco often tests the misconception that any file named 'svchost.exe' is legitimate, but the key indicator is the path — a system process should never run from a user profile directory like AppData\Roaming.

How to eliminate wrong answers

Option A is wrong because legitimate Windows updates are delivered via Windows Update and stored in C:\Windows\SoftwareDistribution or System32, not created by malware in a user's AppData folder. Option B is wrong because extracting an archive would typically produce multiple files or a temporary extraction folder, not a single executable masquerading as a system process. Option C is wrong because cleaning up temporary files would involve deleting files (e.g., .tmp files) from Temp folders, not creating a new executable in AppData\Roaming.

152
MCQ · medium

In malware static analysis, a PE file is examined. The section names include '.text', '.rdata', '.data', and '.rsrc'. The entry point is in the .text section. Which tool would be MOST appropriate to identify any packer that might be obfuscating the code?

A. strings
B. Ghidra
C. PEiD
D. IDA Pro
Answer: C

PEiD is designed to identify packers, cryptors, and compilers using signatures.

Why this answer

PEiD is specifically designed to detect packers, cryptors, and compilers by scanning PE files for known signatures in the entry point and section headers. Since the question asks for identifying a packer that obfuscates code, PEiD's signature-based detection directly targets this need, unlike general-purpose disassemblers or string extractors.

Exam trap

EC-Council often tests the distinction between tools for packer detection versus general reverse engineering; the trap here is that candidates choose IDA Pro or Ghidra because they are powerful, but the question specifically asks for the *most appropriate* tool to *identify* a packer, not to analyze the unpacked code.

How to eliminate wrong answers

Option A is wrong because `strings` only extracts readable ASCII/Unicode sequences from a file and cannot identify packer signatures or obfuscation algorithms. Option B is wrong because Ghidra is a full reverse-engineering framework focused on disassembly and decompilation, not packer detection; it would require manual analysis to spot packer artifacts. Option D is wrong because IDA Pro is an interactive disassembler/debugger for deep code analysis, but it lacks automated packer signature scanning and is overkill for simply identifying a packer.

153
MCQ · medium

In malware forensics, which of the following is an indicator of compromise (IoC) that can be used to detect a specific malware strain across multiple systems?

A. The file's size in bytes reported by the filesystem
B. The file's MD5 hash computed from its binary contents
C. The file's copyright metadata embedded in the PE header
D. The file's creation timestamp as recorded by the operating system
Answer: B

Cryptographic hashes uniquely identify file content and are reliable IoCs.

Why this answer

The MD5 hash of a file's binary contents is a unique cryptographic fingerprint that remains consistent across all copies of the exact same malware strain, regardless of where it is stored or what metadata the filesystem assigns. This makes it a reliable indicator of compromise (IoC) for identifying a specific malware sample across multiple systems, as the hash will match even if file names, sizes, or timestamps differ.

Exam trap

EC-Council often tests the misconception that file metadata like timestamps or sizes are reliable IoCs, when in fact they are easily altered or inconsistent across systems, whereas a cryptographic hash of the binary content provides a deterministic and verifiable identifier.

How to eliminate wrong answers

Option A is wrong because the file's size in bytes can vary due to padding, compression, or different file system cluster sizes, and multiple distinct malware strains can have identical file sizes, making it non-unique and unreliable as a specific IoC. Option C is wrong because copyright metadata embedded in the PE header is optional, easily stripped or modified by malware authors, and is not a consistent or trustworthy identifier across different samples of the same strain. Option D is wrong because the file's creation timestamp is set by the operating system at the time of file extraction or download, which varies per system and can be manipulated via timestomping, so it cannot uniquely identify a specific malware strain across multiple environments.

154
MCQ · easy

Which of the following is an indicator of compromise (IoC) that is LEAST likely to change when malware mutates through polymorphic techniques?

A. MD5 hash of the malware file
B. File name of the malware
C. Registry key created by the malware
D. Import hash (IMPHASH)
Answer: C

Behavioural IoCs like registry keys, file paths, and C2 domains often persist across polymorphic variants.

Why this answer

Registry keys created by malware are often tied to persistence mechanisms (e.g., Run keys) or configuration storage that remain consistent across polymorphic mutations. While the malware's code and file hash change with each mutation, the registry key path and value name typically stay the same to ensure the malware can re-launch or maintain its foothold. This makes the registry key a stable indicator of compromise (IoC) that is least likely to change.

Exam trap

EC-Council often tests the misconception that file-based attributes like hashes or names are reliable IoCs for polymorphic malware, when in fact behavioral artifacts (e.g., registry keys, mutexes, network patterns) are more stable across mutations.

How to eliminate wrong answers

Option A is wrong because the MD5 hash is computed from the file's binary content; polymorphic malware changes its code with each mutation, producing a different MD5 hash every time. Option B is wrong because the file name is easily changed by the attacker or during delivery (e.g., random naming), and polymorphic variants often use different file names to evade detection. Option D is wrong because the Import Hash (IMPHASH) is derived from the import address table (IAT) of a PE file; polymorphic techniques can alter the order or selection of imported functions, changing the IMPHASH even if the core functionality remains the same.

155
MCQ · hard

A forensic analyst is examining an Android device that has been factory reset. Which of the following artefacts is MOST likely to persist after a factory reset and provide valuable evidence?

A. Google account authentication tokens and sync settings
B. Deleted SMS messages from the mmssms.db WAL file
C. The contents of the SD card's Android/data directory
D. The user's pattern lock hash stored in gatekeeper.password.key
Answer: A

Google account tokens and sync settings often remain in the /data partition and can be recovered through physical extraction, providing critical evidence of user identity and cloud activity.

Why this answer

Google account authentication tokens and sync settings are stored in the device's internal flash memory within the 'accounts.db' database and the 'authtoken' table, which are not wiped by a standard factory reset because the reset only clears user data partitions but does not overwrite the underlying NAND flash blocks. These tokens can survive a reset if the device was previously synced with Google servers, allowing recovery of the Google account credentials and sync configurations, which are critical for linking the device to a user identity.

Exam trap

EC-Council often tests the misconception that a factory reset completely erases all data, but the trap here is that authentication tokens stored in the internal flash memory can survive because the reset only wipes the filesystem pointers, not the underlying data blocks, especially on devices with unmanaged NAND storage.

How to eliminate wrong answers

Option B is wrong because the mmssms.db WAL (Write-Ahead Log) file is stored in the user data partition, which is fully erased during a factory reset via the 'wipe data/factory reset' operation that deletes the /data partition, including all SQLite databases and their associated WAL files. Option C is wrong because the SD card's Android/data directory is on external storage, which is typically not affected by a factory reset (the reset only targets internal storage), but the contents of this directory are app-specific cache and data that are often cleared by the apps themselves after a reset or are not directly tied to user authentication evidence. Option D is wrong because the gatekeeper.password.key file, which stores the hashed pattern lock, is located in the /data/system/ directory and is deleted during a factory reset, as the entire /data partition is wiped, removing all lock screen credentials.

156
MCQ · hard

In an Android forensic investigation, an examiner extracts the /data/data/com.whatsapp/databases/msgstore.db file. The database contains a table 'messages' with columns 'key_remote_jid', 'data', and 'timestamp'. Which SQL query would retrieve all messages sent to a specific contact with a phone number ending in '1234'?

A. SELECT * FROM messages WHERE key_remote_jid = '%1234%'
B. SELECT * FROM messages WHERE key_remote_jid LIKE '%1234%'
C. SELECT * FROM messages WHERE data LIKE '%1234%'
D. SELECT * FROM messages WHERE timestamp LIKE '%1234%'
Answer: B

'key_remote_jid' contains the recipient's JID; LIKE '%1234%' matches any JID ending in 1234.

Why this answer

Option B is correct because the `key_remote_jid` column stores the remote party's identifier (e.g., a phone number with country code), and the `LIKE '%1234%'` pattern matches any value containing '1234' anywhere in the string. This retrieves all messages where the contact's phone number ends with '1234', as required by the question.

Exam trap

The trap here is that candidates often confuse `=` with `LIKE` for pattern matching, or mistakenly filter on the `data` column (message content) instead of the contact identifier column `key_remote_jid`.

How to eliminate wrong answers

Option A is wrong because `=` performs an exact match, not a substring search; `'%1234%'` would be treated as a literal string, not a wildcard pattern, so it would return no rows unless a JID is literally '%1234%'. Option C is wrong because the `data` column contains message content (text, media metadata), not the contact identifier; filtering on `data` would find messages containing '1234' in the message body, not messages sent to a specific contact. Option D is wrong because `timestamp` stores Unix epoch time in milliseconds, not a phone number; using `LIKE '%1234%'` on a numeric column would cause a type mismatch or return no meaningful results.

157
MCQ · medium

During a forensic investigation of an Android device, the examiner uses ADB to extract data. Which command would create a full backup of the device's data partition, including app data and shared storage?

A. adb backup -f backup.ab -apk -shared -all
B. adb shell dd if=/dev/block/mmcblk0 of=/data/backup.img
C. adb pull /data/data/
D. adb restore backup.ab
Answer: A

This command creates a full backup including APKs, shared storage, and all app data to 'backup.ab'.

Why this answer

Option A is correct because the `adb backup -f backup.ab -apk -shared -all` command creates a full Android backup that includes both app data (via `-apk`) and shared storage (via `-shared`), outputting a single `.ab` file. This is the standard ADB method for non-rooted devices to capture a comprehensive backup of the data partition, including user-installed apps and their data, as well as internal shared storage like `/sdcard`.

Exam trap

Cisco often tests the distinction between backup creation (`adb backup`) and restoration (`adb restore`), or between logical backups (ADB backup) and physical imaging (`dd`), leading candidates to confuse the purpose of each command.

How to eliminate wrong answers

Option B is wrong because `adb shell dd if=/dev/block/mmcblk0 of=/data/backup.img` attempts to create a raw block-level image of the entire device (mmcblk0), which requires root access and is not a standard ADB backup command; it also writes to a path that may not be writable without root. Option C is wrong because `adb pull /data/data/` only copies the app-specific data directory, missing shared storage and system data, and typically requires root access on modern Android devices due to permissions. Option D is wrong because `adb restore backup.ab` is used to restore a backup, not to create one, and thus does not extract data from the device.

158
MCQ · medium

During an iOS forensic analysis, an examiner recovers the Keychain data from a backup. Which type of information is commonly stored in the iOS Keychain and can be extracted during analysis?

A. Text message content and attachments
B. Call log timestamps and durations
C. Contact photos and thumbnails
D. Wi-Fi passwords and website login credentials
Answer: D

Keychain stores credentials like Wi-Fi passwords and website logins.

Why this answer

The iOS Keychain is a secure, encrypted database designed to store sensitive user credentials and secrets. Wi-Fi passwords and website login credentials are explicitly stored in the Keychain to protect them from unauthorized access, making them recoverable during forensic analysis of a backup.

Exam trap

Cisco often tests the misconception that the Keychain stores all app data or media, when in fact it is strictly limited to credentials, tokens, and secrets, while other data types reside in separate databases.

How to eliminate wrong answers

Option A is wrong because text message content and attachments are stored in the SMS/MMS SQLite database (sms.db) and the attachments directory, not in the Keychain. Option B is wrong because call log timestamps and durations are stored in the CallHistory.storedata SQLite database, not in the Keychain. Option C is wrong because contact photos and thumbnails are stored in the AddressBook framework's SQLite database (AddressBook.sqlitedb) and the filesystem, not in the Keychain.

159
MCQ · medium

An Android device is seized as evidence. The screen is locked with a PIN. Which tool or method is MOST appropriate for acquiring a physical image of the device without bypassing the lock screen, assuming the device is rooted?

A. Boot into recovery mode and use ADB to dd the userdata partition
B. Use Cellebrite UFED with a lock screen bypass exploit
C. Remove the microSD card and image it separately
D. Perform an ADB backup to obtain app data only
Answer: A

With root and recovery mode, dd can create a physical image even if the screen is locked.

Why this answer

Option A is correct because booting into recovery mode on a rooted Android device allows you to use ADB to execute the `dd` command, which can create a bit-for-bit physical image of the userdata partition without needing to bypass the lock screen. Since the device is rooted, you have the necessary privileges to read the raw block device, and recovery mode ensures the filesystem is not mounted, preventing data corruption during acquisition.

Exam trap

EC-Council often tests the distinction between physical and logical acquisition methods, and the trap here is that candidates may choose ADB backup (Option D) thinking it is a valid physical acquisition, when in fact it only captures a logical subset of data and cannot recover deleted or system-level artifacts.

How to eliminate wrong answers

Option B is wrong because Cellebrite UFED with a lock screen bypass exploit is designed to bypass the lock screen, which contradicts the question's requirement of not bypassing the lock screen; additionally, such exploits may not be available or reliable for all devices. Option C is wrong because removing the microSD card and imaging it separately only captures external storage, not the internal userdata partition where the majority of forensic evidence (e.g., app data, messages) resides, and it does not acquire a physical image of the device's internal storage. Option D is wrong because an ADB backup only extracts app data via Android's backup mechanism, which is a logical acquisition that does not capture deleted data, system files, or the full physical image of the userdata partition.

160
MCQ · easy

Which tool is specifically designed for performing physical extraction of iOS devices and is widely used by law enforcement for bypassing passcode restrictions on modern iPhones?

A. Cellebrite UFED
B. GrayKey
C. Magnet AXIOM
D. Oxygen Forensic Detective
Answer: B

GrayKey is purpose-built for iOS physical extraction and passcode bypass, widely used by law enforcement.

Why this answer

GrayKey is specifically designed for physical extraction of iOS devices, leveraging advanced techniques to bypass passcode restrictions on modern iPhones, including those with Secure Enclave and full-disk encryption. It is widely adopted by law enforcement for its ability to perform brute-force attacks on the device's passcode without triggering the auto-wipe feature, making it the correct answer.

Exam trap

Cisco often tests the distinction between general-purpose forensic suites (like Cellebrite UFED or Magnet AXIOM) and specialized hardware tools (like GrayKey) that are purpose-built for iOS passcode bypass, leading candidates to choose a familiar name like Cellebrite instead of the correct specialized tool.

How to eliminate wrong answers

Option A is wrong because Cellebrite UFED is a versatile forensic tool that supports both physical and logical extraction across many mobile platforms, but it is not specifically designed for iOS physical extraction and does not specialize in bypassing passcode restrictions on modern iPhones as GrayKey does. Option C is wrong because Magnet AXIOM is a comprehensive digital forensic platform for analyzing data from computers, mobile devices, and cloud sources, but it relies on third-party tools for physical extraction and does not directly perform hardware-level passcode bypass on iOS devices. Option D is wrong because Oxygen Forensic Detective is a mobile forensic tool that supports logical and file system extractions, but it lacks the specialized hardware and software capabilities for brute-forcing iOS passcodes on modern iPhones with Secure Enclave protection.

161
MCQ · hard

An iOS forensic analyst extracts the Keychain from an iTunes backup. Within the Keychain, they find an entry with class 'Generic Password', service 'com.apple.sbd', and account 'iCloud'. What type of data does this entry MOST likely contain?

A. Wi-Fi password
B. Device passcode
C. iCloud credentials
D. SMS encryption key
Answer: C

The service 'com.apple.sbd' and account 'iCloud' strongly suggest iCloud authentication data.

Why this answer

The entry with class 'Generic Password', service 'com.apple.sbd', and account 'iCloud' corresponds to the iCloud credentials stored in the iOS Keychain. The service identifier 'com.apple.sbd' is the bundle ID for Apple's 'sbd' daemon, which handles iCloud syncing and authentication. This Keychain entry stores the user's iCloud account password, not a Wi-Fi password, device passcode, or SMS encryption key.

Exam trap

The trap here is that candidates confuse the 'Generic Password' class with any password type, but the specific service 'com.apple.sbd' uniquely identifies iCloud credentials, not generic Wi-Fi or device passcode entries.

How to eliminate wrong answers

Option A is wrong because Wi-Fi passwords are stored under class 'AirPort' or 'Generic Password' with service 'com.apple.wifi' or 'AirPort', not 'com.apple.sbd'. Option B is wrong because the device passcode is never stored in the Keychain; it is stored in a separate hardware-backed Secure Enclave and is not extractable from an iTunes backup. Option D is wrong because SMS encryption keys are managed by the iMessage subsystem and stored under service 'com.apple.icloud.sms' or 'com.apple.madrid', not 'com.apple.sbd'.

162
MCQ · medium

An investigator examines an iPhone backup file. Inside the backup manifest, they find a file path 'AppDomainGroup-group.com.example.app'. This indicates the data belongs to which type of app container?

A. System container for iOS system apps
B. The app's sandbox container
C. A shared container for multiple apps from the same developer
D. Temporary container for app data
Answer: C

AppDomainGroup indicates a shared container for app groups.

Why this answer

The file path 'AppDomainGroup-group.com.example.app' indicates a shared container used by App Groups, a feature that allows multiple apps from the same developer to share data. This is not a sandbox container for a single app, nor is it a system or temporary container. The 'group' prefix and the bundle identifier pattern confirm it belongs to a shared app group container.

Exam trap

EC-Council often tests the distinction between 'AppDomain-' (single app sandbox) and 'AppDomainGroup-' (shared container), and candidates mistakenly pick the sandbox container option because they overlook the 'group' keyword in the path.

How to eliminate wrong answers

Option A is wrong because system containers for iOS system apps use paths like '/System/Library' or '/var/containers/Bundle/System', not 'AppDomainGroup-'. Option B is wrong because an app's sandbox container uses the 'AppDomain-' prefix (e.g., 'AppDomain-com.example.app'), not 'AppDomainGroup-'. Option D is wrong because temporary containers use paths like 'tmp/' or 'Caches/' within the app's sandbox, not a dedicated 'AppDomainGroup-' domain.

163
MCQ · medium

An incident responder finds a file named 'photo.jpg' on a compromised system. The file size is 2 MB and it is located in a temp directory. The file's SHA256 hash is 5d41402abc4b2a76b9719d911017c592. What is the BEST next step to determine if this file is malicious?

A. Delete the file to prevent potential harm
B. Perform static analysis using IDA Pro to disassemble the file
C. Compare the hash against known malware hashes in a threat intelligence database
D. Run the file in a sandbox environment to observe behavior
Answer: C

Hash lookup can immediately confirm if the file is known malicious.

Why this answer

Option C is correct because comparing the SHA256 hash of the file against a threat intelligence database (e.g., VirusTotal, AlienVault OTX) is the fastest, least intrusive method to determine if the file is known malware. Since the file is 2 MB and located in a temp directory, it could be a legitimate image or a disguised executable; hash comparison leverages existing threat intelligence without altering the evidence or risking system compromise.

Exam trap

Cisco often tests the principle of 'least intrusive first' in forensic workflows, and the trap here is that candidates impulsively choose to run the file in a sandbox (Option D) without first performing a simple, non-invasive hash lookup, which is the standard initial triage step.

How to eliminate wrong answers

Option A is wrong because deleting the file destroys potential evidence and violates forensic preservation principles (e.g., maintaining chain of custody). Option B is wrong because IDA Pro is a disassembler for executable files (PE, ELF, Mach-O), not for image files like photo.jpg; static analysis of a non-executable file would be ineffective and premature without first confirming it is malicious. Option D is wrong because running the file in a sandbox could execute malware, potentially causing network propagation or data exfiltration, and is resource-intensive; it should only be done after hash analysis fails to identify the file.

164
MCQ · medium

A forensic analyst needs to acquire evidence from an iPhone 12 running iOS 15. The device is passcode-locked and cannot be unlocked. Which acquisition method should be used to obtain the MOST data possible?

A. Physical acquisition via GrayKey or Cellebrite
B. Logical acquisition via iTunes backup
C. Manual acquisition by photographing the screen
D. File system acquisition via jailbreak
Answer: A

These tools can perform physical extraction even on locked devices, using advanced exploits.

Why this answer

GrayKey and Cellebrite perform physical acquisition by exploiting bootrom or iBoot vulnerabilities (e.g., checkm8 on older devices) or using advanced brute-force techniques to extract the full file system image, including encrypted keychain data and deleted files. This method bypasses the passcode lock and retrieves the maximum amount of data from an iPhone 12 running iOS 15, as logical and manual methods are severely limited by the locked state.

Exam trap

Cisco often tests the misconception that a logical backup (Option B) is sufficient for locked devices, but the trap is that iTunes backups require the device to be unlocked and trusted, making them impossible on a passcode-locked iPhone 12 running iOS 15.

How to eliminate wrong answers

Option B is wrong because a logical acquisition via iTunes backup requires the device to be unlocked and trusted with the host computer; a passcode-locked iPhone 12 cannot be backed up without the passcode, and even if possible, it only retrieves user data, not system files or deleted artifacts. Option C is wrong because manual acquisition by photographing the screen only captures visible content and cannot access internal storage, encrypted data, or deleted information, making it the least comprehensive method. Option D is wrong because file system acquisition via jailbreak requires the device to be jailbroken, which is not possible on iOS 15 for a locked device without first bypassing the passcode; jailbreaking also voids security and is not a standard forensic method for locked iPhones.
