CCNA OS and Network Forensics Questions

66 of 216 questions · Page 3/3 · OS and Network Forensics · Answers revealed

151
MCQmedium

Which of the following Windows registry keys is commonly used by malware to achieve persistence by executing a program at user logon?

A.HKEY_LOCAL_MACHINE\SAM\SAM
B.HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
C.HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
D.HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
AnswerC

Run keys launch programs at logon.

Why this answer

The Run key under HKCU\Software\Microsoft\Windows\CurrentVersion\Run is a common persistence location; it runs the specified program when the user logs in.

152
MCQmedium

During a forensic investigation of a Linux system, you need to determine which commands a user executed in their shell session. Which file would you examine to find this information?

A./var/log/auth.log
B./etc/passwd
C./var/log/syslog
D./home/username/.bash_history
AnswerD

This file contains the command history for the user's bash shell.

Why this answer

The bash_history file in the user's home directory (e.g., /home/username/.bash_history) records commands entered by the user in bash. Note that history may not be complete if the user opened multiple sessions or the file was cleared.

153
MCQhard

A forensic examiner uses Plaso (log2timeline) to create a timeline from a disk image. Which of the following artifacts would NOT be included in the timeline by default using the 'all' parser?

A.Event Log entries (evtx)
B.Registry SAM hive entries
C.Windows Prefetch files
D.Chrome browser history
AnswerB

SAM hive is not included in default Plaso parsing; it must be manually selected.

Why this answer

Plaso includes many parsers (WinReg, Windows Event Log, etc.) but the SAM registry hive (user accounts) is not parsed by default for timeline entries; it requires a specific parser and is not included in the 'all' set.

154
MCQhard

A forensics examiner finds a suspicious entry in the Windows Registry under HKCU\Software\Microsoft\Windows\CurrentVersion\Run pointing to a PowerShell command. Which persistence mechanism does this represent, and what is the MOST likely impact?

A.Registry run key persistence; the command executes each time the user logs in.
B.Service persistence; the malware runs as a system service.
C.Scheduled task persistence; the command runs at a scheduled time.
D.Bootkit persistence; the malware loads before the OS.
AnswerA

Run keys run programs at user logon, providing persistence.

Why this answer

The Run key is a common persistence mechanism that executes programs at user logon. A PowerShell command here could execute malicious code each time the user logs in.

155
MCQeasy

In Linux forensics, which file contains information about user account passwords in hashed form?

A./etc/passwd
B./etc/shadow
C./etc/group
D./var/log/auth.log
AnswerB

/etc/shadow contains hashed passwords and password policy information.

Why this answer

The /etc/shadow file stores password hashes (in modern Linux systems). It is readable only by root.

156
MCQmedium

During a Windows forensic analysis, you find a suspicious LNK file in a user's Recent folder. Which of the following is NOT typically retrievable from an LNK file?

A.Username of the user who created the LNK file
B.Target file creation timestamp
C.Volume serial number of the target drive
D.Target file path
AnswerA

LNK files do not store the username; they store machine and volume, but not user identity.

Why this answer

LNK (shortcut) files store metadata including creation/modification timestamps, target path, volume serial, and network share information, but they do not include the username of the user who accessed it.

157
MCQhard

A forensic analyst finds an LNK file on a Windows system pointing to a script located in a temporary folder. The LNK file's timestamps show creation time after the script's known execution time. What does this discrepancy likely indicate?

A.The system clock was changed
B.The file system is corrupted
C.The LNK file was planted by an attacker to mislead timeline analysis
D.The script was executed normally
AnswerC

An attacker may create a backdated or post-dated LNK to confuse forensic timelines.

Why this answer

LNK files are created when a file is accessed through certain methods; if the LNK creation time is after execution, it may have been created manually or by malware to hide evidence.

158
Multi-Selecteasy

A forensic analyst reviews a Windows system for signs of malware persistence. Which TWO registry locations are commonly used to achieve persistence via auto-start programs?

Select 2 answers
A.HKLM\SAM\SAM\Domains\Account\Users
B.HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist
C.HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
D.HKLM\SYSTEM\CurrentControlSet\Services
E.HKCU\Software\Microsoft\Windows\CurrentVersion\Run
AnswersC, E

This registry key automatically launches programs for all users at logon.

Why this answer

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run and HKCU\Software\Microsoft\Windows\CurrentVersion\Run are standard auto-start locations for all users and current user respectively. RunOnce keys execute once and are also used. But the most common are Run keys.

159
MCQmedium

A security analyst observes multiple Event ID 4625 logon failures for a single user account within a short time frame, followed by Event ID 4624 logon success. Which attack technique is MOST likely indicated?

A.Kerberos golden ticket attack
B.SQL injection attack on the authentication database
C.Brute-force or password spraying attack
D.Pass-the-hash attack
AnswerC

Multiple failed logins (4625) followed by a success (4624) is classic brute-force or password spraying behavior.

Why this answer

Event ID 4625 indicates failed logon attempts, and a series of these followed by a success (4624) is characteristic of a brute-force or password spraying attack where the attacker eventually guesses the correct password.

160
MCQeasy

In Linux forensics, an investigator examines /var/log/auth.log and finds repeated entries of "Failed password for root from 10.0.0.5 port 22 ssh2". Which type of attack is most likely indicated?

A.DNS cache poisoning attack
B.SQL injection attack
C.ARP spoofing attack
D.Brute force attack on SSH
AnswerD

Multiple failed password attempts on SSH indicate a brute force or password guessing attack.

Why this answer

Repeated failed SSH login attempts for the root user from a single IP address is a classic sign of a brute force attack against SSH.

161
MCQmedium

An investigator finds a webshell on a compromised web server. Which artifact would be MOST useful to determine what commands were executed through the webshell?

A.Firewall logs
B.System event logs
C.Web server access logs
D.Prefetch files
AnswerC

Access logs record HTTP requests, including those sent to the webshell, which may contain commands in query strings or POST data.

Why this answer

Web server access logs record every HTTP request made to the server, including the URI, method, user-agent, and response status. When a webshell is accessed, commands are typically passed via GET or POST parameters in the request URL or body, so the access log will contain the exact command strings executed. This makes it the most direct artifact for reconstructing attacker actions.

Exam trap

EC-Council often tests the distinction between network-level logs (firewall) and application-level logs (web server), and the trap here is that candidates mistakenly choose firewall logs because they think 'commands' imply network traffic, ignoring that webshell commands are embedded in HTTP requests captured only by the web server.

How to eliminate wrong answers

Option A is wrong because firewall logs only show network-level metadata (source/destination IP, port, protocol) and do not capture the application-layer payload or command parameters sent to a webshell. Option B is wrong because system event logs record OS-level events (logins, service starts, crashes) but do not log individual HTTP requests or the command strings passed to a web application. Option D is wrong because Prefetch files track application startup and module loading on Windows, not the execution of commands within a running web server process; they would show that the web server ran, but not what commands were issued through the webshell.

162
MCQeasy

A security analyst is reviewing Windows Event Logs and notices multiple Event ID 4625 entries for a single user account within a short time frame. What does this most likely indicate?

A.Successful user logins
B.Account creation events
C.A brute-force password guessing attack
D.Service installation
AnswerC

Multiple failed logon attempts (Event ID 4625) in a short time for the same user is typical of a brute-force attack.

Why this answer

Event ID 4625 indicates a failed logon attempt. Multiple such events for the same user in a short period strongly suggest a brute-force password guessing attack.

163
MCQmedium

During a forensic investigation, you find a file named ntuser.dat.LOG1 in a user's profile directory. What is the primary purpose of this file?

A.It contains the user's Internet browsing history
B.It logs changes to the user's registry hive for recovery purposes
C.It is a backup copy of the user's registry hive
D.It stores the user's recently accessed files
AnswerB

NTUSER.DAT.LOG1 records pending changes to the NTUSER.DAT hive to maintain integrity.

Why this answer

NTUSER.DAT.LOG1 is a transaction log file used to ensure registry consistency in case of a crash. It records changes before they are committed.

164
Multi-Selecthard

Which THREE of the following are indicators of a web shell on a web server? (Select three.)

Select 3 answers
A.Unexpected file modifications in web directories, especially .php, .asp, or .jsp files
B.Presence of processes like cmd.exe or /bin/bash running under the web server user
C.An increase in 404 errors due to directory traversal attempts
D.Regular successful logins from multiple IP addresses
E.Atypical HTTP requests containing system commands (e.g., ?cmd=whoami)
AnswersA, B, E

Attackers may modify or upload web shell files.

Why this answer

Web shells often allow attackers to execute commands, resulting in atypical HTTP requests with system commands, processes like cmd.exe or /bin/bash, and file modifications. Normal web activity does not include these.

165
MCQmedium

A forensic analyst is investigating a macOS system and wants to review a timeline of past application launches and file accesses across multiple days. Which forensic artifact is BEST suited for this purpose?

A.FSEvents log files
B.Unified logging (log show)
C..plist files in ~/Library/Preferences
D.~/Library/Application Support/com.apple.sharedfilelist
AnswerB

Correct. Unified logging provides a comprehensive timeline of system activity.

Why this answer

Unified logging in macOS contains a chronological log of system events including application launches, file accesses, and network connections. It can be queried with `log show`.

166
MCQmedium

A security analyst is investigating a potential intrusion and finds a webshell on a Linux web server. Which of the following logs would be MOST useful to determine how the webshell was uploaded?

A./var/log/syslog
B./var/log/apache2/access.log
C./var/log/auth.log
D./var/log/kern.log
AnswerB

Access logs record all HTTP requests, including file uploads.

Why this answer

Web server access logs (e.g., Apache access.log) record HTTP requests, including file uploads to the server, which can show the source IP and the method used to upload the webshell.

167
Multi-Selectmedium

A forensic analyst is investigating a Windows system and wants to identify recently executed programs. Which TWO artifacts should the analyst examine?

Select 2 answers
A.MRU lists
B.Prefetch files
C.UserAssist
D.ShellBags
E.Jump lists
AnswersB, C

Prefetch files record execution information for applications.

Why this answer

Prefetch files and UserAssist registry keys are both used to track program execution. Prefetch stores execution count and timestamps; UserAssist logs programs launched from the Start Menu or desktop.

168
MCQeasy

Which Wireshark filter should an analyst use to display only TCP packets that have the SYN flag set and the ACK flag not set?

A.tcp.flags.syn == 1 or tcp.flags.ack == 0
B.tcp.flags.syn == 1 and tcp.flags.ack == 0
C.tcp.flags.syn == 1
D.tcp.flags == 0x002
AnswerB

This correctly isolates initial SYN packets by requiring SYN=1 and ACK=0.

Why this answer

A TCP SYN packet has SYN=1 and ACK=0. The Wireshark display filter 'tcp.flags.syn == 1 and tcp.flags.ack == 0' precisely matches this condition.

169
MCQhard

During a forensic investigation of a Windows 10 system, an examiner finds the following registry key: NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count. The values contain Rot‑13 encoded data. What is the primary purpose of this artifact?

A.Store recently opened documents (MRU list)
B.Track programs executed by the user
C.Record USB device insertion history
D.Log network share connections
AnswerB

UserAssist records the execution count and last run time of applications started via the UI.

Why this answer

The UserAssist key tracks applications launched via the Windows shell (Start Menu, Run, etc.). The data is Rot‑13 encoded to obscure the count and last execution time.

170
MCQeasy

Which tool is commonly used for timeline analysis in digital forensics, combining multiple artifacts into a super timeline?

A.Plaso
B.Autopsy
C.Sleuth Kit
D.Wireshark
AnswerA

Plaso (formerly log2timeline) creates comprehensive timelines from forensic artifacts.

Why this answer

Plaso (log2timeline) is a tool that parses various log files and artifacts to create a super timeline for forensic analysis.

171
MCQmedium

An investigator finds a suspicious LNK file on a Windows desktop pointing to an executable in the Temp folder. What is the significance of LNK files in forensic analysis?

A.They provide evidence of file access and execution
B.They store network share credentials in plaintext
C.They contain the full content of the target file
D.They are used exclusively for system files
AnswerA

LNK files are created when a user opens a file or runs a program, recording access.

Why this answer

LNK files are shortcuts that contain metadata including target path, creation time, and sometimes volume information, indicating user activity.

172
Multi-Selecteasy

Which TWO of the following are primary locations for browser history artifacts in a Windows 10 system? (Select TWO.)

Select 2 answers
A.%USERPROFILE%\AppData\Local\Microsoft\Windows\Temporary Internet Files
B.%USERPROFILE%\AppData\Local\Google\Chrome\User Data\Default\History
C.%USERPROFILE%\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat
D.%USERPROFILE%\AppData\Roaming\Mozilla\Firefox\Profiles\*.default\places.sqlite
E.%USERPROFILE%\AppData\Local\Temp
AnswersB, C

Chrome stores history in a SQLite database named History.

Why this answer

Chrome history is in SQLite database files; Edge uses WebCacheV01.dat; Firefox uses places.sqlite.

173
MCQmedium

A network forensics analyst captures traffic from a suspected data exfiltration. In Wireshark, filtering for DNS queries containing a long subdomain with base64-encoded text suggests which technique?

A.DNS tunneling
B.DNS hijacking
C.DNS poisoning
D.DNS amplification
AnswerA

DNS tunneling uses DNS queries/responses to transfer data covertly.

Why this answer

DNS tunneling encodes data in DNS queries to exfiltrate information, often using base64 in subdomains.

174
MCQmedium

A security analyst reviewing Windows Security Event Logs sees multiple Event ID 4625 entries for a single user account, followed by a successful Event ID 4624. The account is a domain administrator. What is the MOST likely explanation?

A.The user typed their password incorrectly several times before succeeding
B.The system experienced a denial of service attack
C.An attacker performed a brute-force password attack and succeeded
D.A misconfigured application caused repeated logon attempts
AnswerC

Multiple failed logon attempts followed by a successful logon, especially on a privileged account, strongly suggests a brute-force attack.

Why this answer

This pattern indicates a successful brute-force attack where the attacker guessed the password and then logged in successfully. Event ID 4625 indicates failed logon attempts, and Event ID 4624 indicates a successful logon.

175
MCQmedium

A network analyst captures traffic and sees an HTTP request containing: GET /wp-content/uploads/evil.php?cmd=id HTTP/1.1. Which of the following is MOST likely occurring?

A.Webshell access
B.SQL injection attack
C.Cross-site scripting (XSS) attack
D.Directory traversal attack
AnswerA

The request to a PHP file with a cmd parameter suggests a webshell that allows command execution.

Why this answer

The request attempts to execute a command (id) via a PHP file in the uploads directory, indicating a webshell. Webshells allow attackers to execute commands on the server.

176
MCQmedium

An investigator is analyzing a Windows 10 system suspected of malware persistence. Which registry key is commonly used by malware to achieve persistence by running a program at every user logon?

A.HKLM\SAM\SAM
B.HKLM\SYSTEM\CurrentControlSet\Services
C.HKCU\Software\Microsoft\Windows\CurrentVersion\Run
D.HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall
AnswerC

This Run key specifies programs that run automatically when the user logs on.

Why this answer

The Run key under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run is a common persistence mechanism that starts programs when the user logs on.

177
MCQmedium

An attacker has compromised a Linux server and edited the /etc/passwd file to change a user's UID to 0. What is the likely goal of this modification?

A.To lock the user account
B.To escalate privileges to root
C.To enable password-less login
D.To hide the user account from the system
AnswerB

UID 0 gives root-level access.

Why this answer

UID 0 is the root user. Changing a user's UID to 0 grants that user root privileges, providing privileged access.

178
MCQhard

A forensic examiner is analyzing a compromised Linux server and notices that /etc/cron.daily contains a script named 'sysupdate.sh' that runs a base64-encoded command. Which persistence mechanism is being used?

A.LD_PRELOAD library injection
B.Cron job for daily execution
C.Systemd service
D.SSH authorized_keys backdoor
AnswerB

The script is in /etc/cron.daily, indicating a daily cron job.

Why this answer

Cron jobs in /etc/cron.daily are scheduled tasks that run daily. Malicious scripts placed there provide persistence by re-executing at regular intervals.

179
MCQeasy

Which Windows Event ID is generated when a new service is installed on the system?

A.4648
B.4720
C.7045
D.4624
AnswerC

7045 indicates a new service installation.

Why this answer

Event ID 7045 is logged in the System event log when a service is installed on a Windows system.

180
Multi-Selectmedium

Which TWO Linux log files are MOST relevant for investigating authentication events and user login activity? (Choose TWO.)

Select 2 answers
A./var/log/boot.log
B./var/log/dmesg
C./var/log/kern.log
D./var/log/auth.log
E./var/log/syslog
AnswersD, E

Primary log for authentication events on Debian/Ubuntu systems.

Why this answer

/var/log/auth.log records authentication attempts (login, sudo, SSH). /var/log/syslog contains general system logs including some auth messages. /var/log/kern.log is for kernel messages, /var/log/boot.log for boot, and /var/log/dmesg for kernel ring buffer.

181
Multi-Selecteasy

During a Windows forensic investigation, an analyst finds prefetch files with the .pf extension. Which TWO pieces of information can the analyst obtain from analyzing prefetch files?

Select 2 answers
A.The number of times the application has been executed
B.The exact date and time of each execution
C.The username that executed the application
D.The command-line arguments used to launch the program
E.The IP addresses the application connected to
AnswersA, B

Prefetch stores a run counter.

Why this answer

Prefetch files contain metadata about application execution including the full path to the executable, run count, and last run time. They can also list DLLs loaded. The run count and last run time are useful for forensic timeline.

182
MCQeasy

In Linux forensics, which file contains user account information including the user ID, group ID, home directory, and default shell?

A./etc/passwd
B./var/log/auth.log
C./etc/shadow
D./proc/cpuinfo
AnswerA

/etc/passwd contains user account information.

Why this answer

/etc/passwd stores user account details. /etc/shadow stores password hashes.

183
MCQeasy

A forensic analyst is performing timeline analysis on a compromised system. Which tool is specifically designed to parse multiple log sources and create a super timeline?

A.Sleuth Kit
B.log2timeline
C.Volatility
D.Wireshark
AnswerB

log2timeline (part of Plaso) is designed to create super timelines from multiple sources.

Why this answer

log2timeline (and Plaso) is a toolset for creating super timelines from various forensic artifacts.

184
Multi-Selecteasy

A network forensic investigator is analyzing traffic from a compromised web server. Which TWO artifacts are MOST likely to indicate the presence of a web shell? (Select TWO.)

Select 2 answers
A.Multiple DNS queries to external domains
B.Excessive SYN-ACK packets
C.Presence of a suspicious .aspx or .php file in web directories
D.Unusual HTTP POST requests to non-standard scripts
E.High volume of ICMP traffic
AnswersC, D

Web shells are often uploaded as .php, .aspx, etc.

Why this answer

Web shells are often uploaded as scripts and generate unusual HTTP requests; logs will show these patterns.

185
MCQhard

During a Linux forensic investigation, you find that the file /etc/cron.d/evil contains the entry: '* * * * * root /bin/bash /root/backdoor.sh'. What persistence mechanism is being used?

A.Systemd service
B.Init script
C.Cron job
D.At job
AnswerC

Cron jobs in /etc/cron.d execute on schedule.

Why this answer

Cron jobs in /etc/cron.d are system-wide scheduled tasks. This entry runs a script every minute as root, providing persistence.

186
Multi-Selectmedium

Which TWO Windows Event IDs are associated with successful and failed logon events? (Select two.)

Select 2 answers
A.4720
B.7045
C.4625
D.4648
E.4624
AnswersC, E

4625 is event ID for failed logon.

Why this answer

Event ID 4624 indicates a successful logon, and 4625 indicates a failed logon. These are standard security audit events.

187
Multi-Selecteasy

Which TWO of the following are persistence mechanisms commonly found in Windows forensics? (Select two.)

Select 2 answers
A.Jump lists
B.ShellBags
C.Scheduled Tasks
D.Prefetch files
E.Registry Run keys (e.g., HKLM\Software\Microsoft\Windows\CurrentVersion\Run)
AnswersC, E

Scheduled tasks can run at specific times or events.

Why this answer

Registry Run keys and Scheduled Tasks are common persistence techniques that allow malware to automatically execute on system startup or at scheduled times.

188
MCQmedium

An analyst is examining a Linux server and issues the command: cat /var/log/auth.log | grep 'Failed password' | awk '{print $1,$2,$3,$9,$11}' | sort | uniq -c. What is the analyst most likely trying to determine?

A.The list of all sudo commands executed
B.The number of distinct users who successfully logged in
C.The IP addresses with the most failed SSH login attempts
D.The total number of successful logins
AnswerC

Correct. It counts failed attempts grouping by date, user, and IP, showing top attackers.

Why this answer

The command extracts timestamps, usernames, and IP addresses from failed SSH login attempts, then counts unique occurrences. This identifies the most frequent source of brute‑force attempts.

189
MCQhard

During a forensic examination of a Windows 10 system, you find a file named "chrome_000001.jumplist" in the user's AppData directory. What does the presence of this file indicate?

A.The file is a Chrome extension
B.The user has installed Chrome via a jump list installer
C.The file contains Chrome bookmarks
D.The file stores recent items accessed through Chrome, such as downloaded files
AnswerD

Jump lists track recently opened files for the associated application, including downloads opened from Chrome.

Why this answer

Jump lists are created by Windows to show recently opened files for applications pinned to the taskbar or start menu. The file name indicates it is a jump list for Google Chrome, revealing recently accessed files or URLs within Chrome.

190
MCQeasy

Which Windows registry hive should be examined to determine the last time a specific external USB drive was connected to a system?

A.HKLM\SAM
B.HKLM\SYSTEM
C.HKLM\SOFTWARE
D.HKLM\SECURITY
AnswerB

Correct. USBSTOR key under SYSTEM enumerates connected USB devices.

Why this answer

The SYSTEM hive (specifically HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR) contains identifiers and timestamps for every USB device that has been attached.

191
MCQmedium

A Linux system administrator notices unusual outbound connections from a server. Which log file should be examined FIRST to identify authentication attempts related to the compromised account?

A./var/log/messages
B./var/log/auth.log
C./var/log/secure
D./var/log/syslog
AnswerB

Auth.log is the default log for authentication events on many Linux distributions.

Why this answer

/var/log/auth.log records authentication-related events such as login attempts, SSH connections, and sudo commands. It is the primary log for investigating unauthorized access.

192
MCQhard

During a Linux forensic investigation, you find that the /var/log/auth.log file contains log entries showing multiple 'Failed password for root' messages from a single IP address, followed by a 'Accepted password for root' entry. What is the MOST likely conclusion?

A.An attacker successfully brute-forced the root password
B.The root user accidentally mistyped the password multiple times
C.The system was compromised via a privilege escalation exploit
D.The root account has been locked out due to multiple failures
AnswerA

Failed followed by accepted from same IP indicates successful brute force.

Why this answer

The pattern suggests a successful brute-force attack: multiple failed attempts and then a successful authentication from the same IP.

193
MCQmedium

A security team detects exfiltration via HTTP POST requests to a suspicious domain. Which network forensic technique would BEST identify the data being sent in these requests?

A.Firewall log review
B.IDS alert correlation
C.Wireshark packet capture with HTTP follow stream
D.NetFlow analysis
AnswerC

Wireshark captures full packets and can reassemble HTTP streams to view POST data.

Why this answer

Wireshark can capture and display the full packet contents, including HTTP POST body data, allowing analysis of exfiltrated data.

194
MCQhard

An analyst reviews Windows Registry for USB device usage history. Which registry hive and key contain the 'USBSTOR' key that logs unique serial numbers of connected USB drives?

A.HKLM\SAM\SAM\Domains\Account\Users
B.HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2
C.HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR
D.HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
AnswerC

This is the correct location for USB storage device history.

Why this answer

USBSTOR is located under SYSTEM\CurrentControlSet\Enum\USBSTOR, which records USB storage device identifiers.

195
MCQmedium

During a Linux forensic investigation, you find that the file /var/log/auth.log has been deleted. Which of the following artefacts would BEST help determine recent SSH login attempts?

A.Contents of /etc/shadow
B.Bash history from /root/.bash_history
C.Cron job entries in /etc/crontab
D.Output of the 'last' command
AnswerD

'last' shows login records from /var/log/wtmp, useful for recent SSH attempts.

Why this answer

The 'last' command reads /var/log/wtmp, which records all logins and logouts, including SSH sessions.

196
MCQmedium

A forensic examiner finds a suspicious entry in the Linux file /etc/passwd: 'backdoor:x:0:0:root:/root:/bin/bash'. What is the MOST significant security issue with this entry?

A.The entry has no password hash
B.The home directory is set to /root
C.The UID is 0, granting root privileges
D.The shell is /bin/bash
AnswerC

UID 0 means root-level access; a backdoor account with UID 0 is a critical backdoor.

Why this answer

A UID of 0 gives root privileges; the username 'backdoor' with UID 0 indicates a backdoor account with superuser access.

197
Multi-Selecthard

Which THREE of the following are common indicators of a web shell presence on a compromised IIS web server? (Select THREE.)

Select 3 answers
A.Increased 404 errors in HTTP logs
B.Process w3wp.exe making outbound connections to an unknown IP
C.Scheduled tasks that execute cmd.exe or powershell.exe
D.Anomalous files with .asp or .aspx extensions in the wwwroot directory
E.Normal GET requests to static .html pages
AnswersB, C, D

w3wp.exe is the IIS worker process; outbound connections may indicate C2.

Why this answer

Web shells often create anomalous files in web directories, processes running as w3wp.exe executing suspicious commands, and outbound connections to C2 servers. Normal activity includes log entries for legitimate requests.

198
Multi-Selectmedium

Which TWO Windows Event IDs are associated with successful logon or explicit credential usage? (Choose TWO.)

Select 2 answers
A.4648
B.4720
C.4624
D.4625
E.7045
AnswersA, C

4648: A logon was attempted using explicit credentials.

Why this answer

4624 is a successful logon event. 4648 indicates a logon using explicit credentials (e.g., RunAs). 4625 is failed logon, 4720 is account creation, 7045 is service install.

199
Multi-Selectmedium

In a Mac forensic investigation, which TWO artifacts are valuable for determining the timeline of file access? (Select two.)

Select 2 answers
A.ShellBags
B.Prefetch files
C.Unified logging
D.NTUSER.DAT
E.FSEvents
AnswersC, E

Unified logging provides detailed system logs including file access.

Why this answer

FSEvents logs file system changes, and unified logging captures system events including file access.

200
MCQmedium

A Windows system is suspected of having malware that maintains persistence by starting every time a user logs in. Which registry key should be examined FIRST for this persistence mechanism?

A.ShellBags
B.NTUSER.DAT
C.Run keys
D.HKLM\SAM
AnswerC

Run keys under HKCU and HKLM specify programs that run at user logon, a common persistence mechanism.

Why this answer

Run keys (e.g., HKCU\Software\Microsoft\Windows\CurrentVersion\Run) specify programs to run at user logon.

201
MCQhard

During a Mac forensic examination, an investigator needs to find evidence of recently executed applications and accessed files. Which artifact should the investigator prioritize for reconstructing user activity?

A.bash_history
B.FSEvents
C.Unified logging
D..plist files in ~/Library/Preferences
AnswerB

FSEvents logs file system changes and is a key artifact for user activity on macOS.

Why this answer

FSEvents records file system changes including file access and execution on macOS, providing a timeline of user activity.

202
MCQeasy

A security analyst is reviewing Windows Security Event Logs and notices multiple Event ID 4625 entries for a single user account within a short time frame. What does this MOST likely indicate?

A.Brute-force password guessing attack
B.Service installation
C.Account lockout policy change
D.Successful account logon
AnswerA

Multiple failed logons in a short period are a classic indicator of a brute-force attack.

Why this answer

Event ID 4625 indicates a failed logon attempt. Multiple failures in a short time suggest a brute-force attack against the user account.

203
Multi-Selectmedium

During a Linux forensic investigation, an analyst examines the file /var/log/auth.log and finds repeated entries with 'Failed password for root from 192.168.1.200 port 22 ssh2'. Which TWO conclusions can the analyst draw from this evidence?

Select 2 answers
A.The source IP 192.168.1.200 belongs to a local subnet
B.The system is experiencing a brute-force attack on SSH
C.The SSH service is enabled and listening on port 22
D.The attacker attempted to exploit a vulnerability in the SSH version
E.An unauthorized user successfully logged in as root
AnswersB, C

Multiple failed login attempts from a single IP indicate a brute-force attack.

Why this answer

The log shows failed SSH login attempts for root from a specific IP, indicating a brute-force attack on SSH. The source IP is remote (not localhost). The attempts are unsuccessful (failed).

204
MCQeasy

Which Linux log file is the PRIMARY source for authentication-related events such as user logins, sudo usage, and failed authentication attempts?

A./var/log/kern.log
B./var/log/syslog
C./var/log/boot.log
D./var/log/auth.log
AnswerD

auth.log records authentication events.

Why this answer

/var/log/auth.log (or /var/log/secure on RHEL) stores authentication logs. /var/log/syslog contains general system messages. /var/log/kern.log is for kernel messages.

205
MCQmedium

A forensic examiner needs to extract timeline data from a compromised Linux system for analysis with log2timeline/Plaso. Which of the following command sequences should be used?

A.bulk_extractor -o timeline.csv /dev/sda1
B.plaso.py -i /var/log -o timeline.csv
C.log2timeline.py --partition /dev/sda1 timeline.plaso && psort.py -o l2tcsv timeline.plaso
D.sleuthkit_timeline -m /mnt/evidence -d timeline.csv
AnswerC

This sequence creates a storage file from a partition and then exports to CSV.

Why this answer

log2timeline (now Plaso) typically uses log2timeline.py to create a storage file, then psort.py to output the timeline in a readable format.

206
Multi-Selecthard

An analyst is reviewing a Linux system for signs of a rootkit. Which THREE of the following are common indicators of a rootkit infection? (Select THREE.)

Select 3 answers
A.Incorrect file permissions on /etc/passwd
B.Anomalies in the /proc filesystem
C.Large number of failed SSH login attempts
D.Suspicious loadable kernel modules
E.Modified system binaries like ls and ps
AnswersB, D, E

Rootkits may manipulate /proc to hide processes and files.

Why this answer

Loadable kernel modules (LKM) are a common rootkit technique. Modified system binaries and hidden processes are also typical indicators.

207
Multi-Selecthard

A security team is analyzing a compromised Linux server. Indicators suggest the attacker used a web shell. Which THREE of the following are common persistence mechanisms that may be found on the system? (Select THREE.)

Select 3 answers
A.Adding an SSH public key to /root/.ssh/authorized_keys
B.Cron jobs added to /etc/crontab
C.Modification of the NTUSER.DAT registry hive
D.Prefetch file creation
E.A systemd service in /etc/systemd/system/
AnswersA, B, E

Allows persistent SSH access.

Why this answer

Cron jobs, SSH authorized keys, and systemd services are common persistence mechanisms on Linux.

208
MCQeasy

A security analyst needs to examine network traffic for signs of a data exfiltration attempt. Which tool is specifically designed for deep packet inspection and can reconstruct TCP streams?

A.Tcpdump
B.Wireshark
C.Netstat
D.Nmap
AnswerB

Wireshark performs deep packet inspection and TCP stream reassembly.

Why this answer

Wireshark is the primary tool for packet capture and analysis, including TCP stream reconstruction.

209
MCQeasy

Which tool is commonly used in timeline analysis for digital forensics to parse various artifacts and create a super timeline?

A.Volatility
B.Wireshark
C.Sleuth Kit
D.log2timeline / Plaso
AnswerD

log2timeline (now Plaso) is designed to create super timelines from multiple sources.

Why this answer

log2timeline (and its successor Plaso) is a tool designed to parse multiple forensic artifacts and output a timeline. Plaso is the current version.

210
MCQmedium

A security analyst detects a sudden spike in failed logon events with Event ID 4625 on a Windows domain controller. The source IP addresses are random and from various external subnets. Which type of attack is MOST likely occurring?

A.Pass‑the‑hash attack
B.Kerberos ticket forgery (Golden Ticket)
C.Insider threat with compromised credentials
D.Brute‑force attack
AnswerD

Correct. Many failed logons from varied IPs indicate a brute‑force attempt.

Why this answer

Event ID 4625 indicates failed logon attempts. A sudden spike from random external IPs is characteristic of a brute‑force attack, where an attacker tries many passwords across multiple accounts.

211
MCQmedium

A security analyst reviews Windows Security event logs and finds Event ID 4625 with Logon Type 10. What does this indicate?

A.Failed remote interactive logon (e.g., RDP)
B.Failed service logon attempt
C.Successful network logon
D.Successful local logon
AnswerA

Logon Type 10 is RemoteInteractive, and 4625 is failed authentication.

Why this answer

Event ID 4625 with Logon Type 10 indicates a failed remote interactive logon attempt, typically via Remote Desktop (RDP).

212
MCQhard

During a Mac forensic investigation, you examine the unified log for process execution around the time of an incident. Which command-line tool is used to query the macOS unified log?

A.log
B.journalctl
C.dmesg
D.syslog
AnswerA

The 'log' command is used to access the unified log on macOS.

Why this answer

The 'log' command is the native tool to query the unified logging system on macOS.

213
MCQhard

An analyst reviews proxy logs and sees repeated requests to a known malicious domain from multiple internal hosts, each using a different User-Agent string. The requests are all GET requests for /images/icon.png. What technique is most likely being used to evade detection?

A.User-Agent randomization
B.HTTPS tunneling
C.IP spoofing
D.Domain generation algorithm (DGA)
AnswerA

Randomizing User-Agent helps evade detection by making traffic appear as coming from diverse browsers.

Why this answer

Using different User-Agent strings per request is a common evasion technique to avoid signature-based detection that relies on a single User-Agent.

214
MCQmedium

In Mac forensics, which artifact stores system-wide and per-user application preferences, often used to determine configured settings and recently accessed files?

A.Unified logging
B..plist files
C.Sqlite databases
D.FSEvents
AnswerB

.plist files store preferences and user data for applications.

Why this answer

.plist files (property lists) are used on macOS to store application preferences and configuration data. They can be analyzed to extract user activity and settings.

215
MCQmedium

During a forensic investigation of a Windows system, an analyst examines the NTUSER.DAT registry hive. Which artifact would MOST likely be found to identify recently accessed documents and folders via the Windows Explorer GUI?

A.ShellBags
B.Run keys
C.MRU lists
D.UserAssist
AnswerA

ShellBags record folder names and paths accessed via Windows Explorer.

Why this answer

ShellBags store folder view settings and paths of accessed folders, making them useful for tracking user folder navigation.

216
MCQmedium

A forensic analyst is examining a Mac system for evidence of recent file access. Which artifact provides a timeline of file system events with high precision and is commonly analyzed using tools like mac_apt?

A.bash_history
B.Unified Logging
C..plist files
D.FSEvents
AnswerD

FSEvents records file system changes with timestamps, essential for timeline analysis on macOS.

Why this answer

FSEvents (File System Events) on macOS records changes to the file system, including timestamps, and is stored in /.fseventsd. It is a primary artifact for timeline analysis on Mac.

← PreviousPage 3 of 3 · 216 questions total

Ready to test yourself?

Try a timed practice session using only OS and Network Forensics questions.