CCNA Database and Application Forensics Questions

17 questions · Database and Application Forensics · All types, answers revealed

1
MCQhard

You are investigating a suspected data exfiltration incident at a financial institution. The database is MySQL 8.0 running on Linux. The security team suspects that a user with administrative privileges exported sensitive customer records via SELECT INTO OUTFILE and then deleted the output file. The MySQL general log is enabled and located at /var/log/mysql/mysql.log. However, the log file appears to be truncated and only contains entries from the last hour. The binary log is also enabled, and the binary log files are stored in /var/lib/mysql/binlog.000001 through binlog.000005. The database is actively being used. Which of the following is the BEST course of action to recover evidence of the SELECT INTO OUTFILE command that may have occurred 3 hours ago?

A.Parse the binary log files using mysqlbinlog to extract all statements from the relevant time period
B.Analyze the general log file using grep and tail to search for SELECT INTO OUTFILE
C.Examine the InnoDB redo log files to find the SELECT INTO OUTFILE command
D.Enable MySQL audit logging and wait for the activity to reoccur
AnswerA

Binary logs contain historical SQL statements including SELECT INTO OUTFILE.

Why this answer

The binary log records all data-changing statements (including DDL and DML) and is not truncated like the general log. Since the incident occurred 3 hours ago and the general log only covers the last hour, the binary log files (binlog.000001–000005) are the only persistent record. Using mysqlbinlog to parse these files can recover the SELECT INTO OUTFILE statement from the relevant time period, even if the output file was deleted.

Exam trap

EC-Council often tests the misconception that the general log is the primary source for all SQL statements, but here the trap is that candidates overlook the binary log's persistence and time-range filtering capability, assuming only the general log can capture SELECT INTO OUTFILE.

How to eliminate wrong answers

Option B is wrong because the general log is truncated to the last hour, so it cannot contain entries from 3 hours ago; grep and tail would find nothing. Option C is wrong because InnoDB redo logs record physical changes to data pages (e.g., row modifications) and do not log SQL statements like SELECT INTO OUTFILE, which is a logical operation that writes to the filesystem, not to InnoDB tables. Option D is wrong because enabling audit logging now would only capture future activity, not the historical command that occurred 3 hours ago; it provides no retrospective evidence.

2
MCQeasy

Refer to the exhibit. An investigator runs the queries on an Oracle database during a live forensic acquisition. What does the output indicate about the database transaction state?

A.The transaction has been rolled back
B.The transaction has been committed
C.No transactions are currently active
D.Exactly one transaction is currently active
AnswerD

The query returns one row with status ACTIVE.

Why this answer

The query `SELECT COUNT(*) FROM v$transaction;` returns a count of 1, which indicates that exactly one transaction is currently active in the Oracle database. The `v$transaction` view shows only uncommitted or unrolled-back transactions; a committed transaction is removed from this view. Therefore, the output confirms that one transaction is active and has not yet been committed or rolled back.

Exam trap

Cisco often tests the misconception that `v$transaction` shows all transactions including committed ones, leading candidates to incorrectly select 'No transactions are currently active' when the count is 0, or to misinterpret a count of 1 as a committed transaction.

How to eliminate wrong answers

Option A is wrong because a rolled-back transaction is no longer present in `v$transaction`, so the count would be 0, not 1. Option B is wrong because a committed transaction is also removed from `v$transaction` immediately upon commit, resulting in a count of 0. Option C is wrong because the count of 1 directly contradicts the statement that no transactions are active; the query explicitly shows one active transaction.

3
MCQmedium

Refer to the exhibit. An analyst recovers this binary log entry from a MySQL server. What does the timestamp '190101 10:00:00' represent?

A.The time the DELETE statement was executed on the MySQL server
B.The time the client sent the query to the server
C.The time the binary log file was written to disk
D.The time the transaction was committed
AnswerA

The timestamp records when the server executed the statement.

Why this answer

In MySQL binary logs, the timestamp in the 'Query' event header (e.g., '190101 10:00:00') records the server's local time when the statement began executing. This is the time the DELETE statement was actually processed by the MySQL server, not when the client sent it or when the log was written. The binary log captures the exact moment the server starts executing the query, making option A correct.

Exam trap

Cisco often tests the distinction between 'execution time on server' vs 'client send time' or 'commit time', and the trap here is that candidates confuse the binary log event timestamp with the client-side query submission time or the transaction commit time, which are recorded differently in MySQL's binary log format.

How to eliminate wrong answers

Option B is wrong because the timestamp in the binary log event header reflects the server's execution start time, not the client's query send time; client-side timestamps are not recorded in the binary log. Option C is wrong because the binary log file write time is recorded in the file header or as a separate 'Rotate' event, not in the individual query event timestamps. Option D is wrong because the transaction commit time is recorded in a 'Xid' event or 'Query' event with a 'COMMIT' statement, not in the timestamp of a DELETE statement event; the timestamp here marks the start of the statement execution, not the commit.

4
MCQhard

A forensic analyst is examining a PostgreSQL database server that was compromised. The attacker gained superuser access and deleted several rows from a critical table. The database is configured with WAL (Write-Ahead Log) archiving. Which method would allow the analyst to identify the exact time the deletions occurred?

A.Review the pg_stat_activity view to see the history of queries executed.
B.Examine the archive_status directory to find the timestamp of the WAL file that contains the deletion.
C.Query the pg_audit table to retrieve a log of all DELETE statements.
D.Use the pg_waldump utility to parse the WAL files and identify DELETE operations with timestamps.
AnswerD

pg_waldump can decode WAL records, showing the exact operations and timestamps.

Why this answer

D is correct because `pg_waldump` is the PostgreSQL utility specifically designed to parse Write-Ahead Log (WAL) files and display their contents in a human-readable format, including the exact timestamps and operation types (e.g., DELETE). Since the database uses WAL archiving, the archived WAL segments will contain a record of every data modification, allowing the analyst to pinpoint when the deletions occurred.

Exam trap

Cisco often tests the misconception that PostgreSQL has a built-in audit table or that `pg_stat_activity` retains historical query logs, leading candidates to choose A or C without understanding that WAL is the definitive forensic source for past DML operations.

How to eliminate wrong answers

Option A is wrong because `pg_stat_activity` shows only currently running or recently active queries, not a historical log of past queries; it does not retain a history of completed DELETE statements. Option B is wrong because the `archive_status` directory only indicates whether a WAL file has been archived (e.g., `.ready` or `.done` markers), not the content or timestamp of specific operations within the file. Option C is wrong because PostgreSQL does not have a built-in `pg_audit` table; auditing requires the `pg_audit` extension to be explicitly installed and configured, and even then, it logs statements in a separate audit log file, not a table named `pg_audit`.

5
Matchingmedium

Match each file carving technique to its description.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Uses file signatures to find start and end

Uses internal file structure metadata

Reassembles fragmented files

Uses statistical models to identify file types

Handles files split into two fragments

Why these pairings

These techniques recover files without filesystem metadata.

6
MCQeasy

A forensic analyst is investigating a compromised web application that uses an Oracle database. The analyst suspects that SQL injection was used to extract sensitive data. Which Oracle log source would provide evidence of the injected SQL statements?

A.Control file
B.Redo log files
C.Listener log (listener.log)
D.Alert log (alert_SID.log)
AnswerC

With audit enabled, the listener log can capture SQL statements.

Why this answer

The listener.log is the correct source because Oracle's listener records all client connections and SQL*Net traffic, including the raw SQL statements sent to the database. When SQL injection is performed, the injected payload is transmitted as part of the SQL query over the network, and the listener log captures these exact statements, providing direct evidence of the attack.

Exam trap

EC-Council often tests the misconception that redo logs or alert logs capture SQL statements, when in fact only the listener log records the actual SQL text sent over the network, while redo logs store only the resulting data changes and alert logs store administrative events.

How to eliminate wrong answers

Option A is wrong because the control file stores metadata about the physical structure of the database (datafile locations, checkpoint information) and does not log SQL statements. Option B is wrong because redo log files record changes made to data blocks for recovery purposes, not the original SQL text that caused those changes. Option D is wrong because the alert log (alert_SID.log) records significant database events (startups, shutdowns, errors) and administrative actions, but does not capture the actual SQL statements executed by users or applications.

7
MCQhard

You are a forensic investigator responding to an incident at a financial institution. The organization uses Microsoft SQL Server 2016 for its transaction processing system. The database is configured with full recovery model and transaction log backups are taken every 15 minutes. The incident response team has identified that an attacker gained access to the database server via compromised credentials and executed a series of malicious SQL statements, including data exfiltration and deletion of critical records. The time of the attack is estimated to be between 2:00 PM and 2:05 PM. The last full backup was taken at 12:00 AM (midnight) the same day. Transaction log backups are available for the entire day. The last transaction log backup before the attack was taken at 1:45 PM. The next transaction log backup after the attack was taken at 2:15 PM. The database is still online and being used by the business. Management wants to recover the database to a point just before the attack (2:00 PM) to minimize data loss, while preserving evidence for investigation. Which of the following actions should you take FIRST?

A.Perform a tail-log backup of the database using the NORECOVERY option to capture all transactions since the last log backup.
B.Immediately restore the full backup from midnight and all transaction log backups up to 1:45 PM to a separate server for forensic analysis.
C.Shut down the SQL Server service to prevent further changes and then restore the database from backup.
D.Restore the database to a point in time using the full backup and all transaction log backups up to 1:45 PM, then apply the 2:15 PM backup to recover lost data.
AnswerA

This captures the current state, enabling point-in-time recovery and preserving evidence.

Why this answer

Performing a tail-log backup with NORECOVERY captures all transactions committed after the last log backup (1:45 PM) up to the current point in time, including the attack period. This preserves the database in a restoring state, preventing further changes while allowing point-in-time recovery to just before 2:00 PM. It is the mandatory first step to minimize data loss and maintain forensic integrity before any restore operations.

Exam trap

Cisco often tests the misconception that you should immediately restore from the last known good backup or shut down the server, when the correct first action is always to secure the current transaction log via a tail-log backup to capture all recent changes and enable precise point-in-time recovery.

How to eliminate wrong answers

Option B is wrong because restoring backups to a separate server for forensic analysis is a valid subsequent step, but it should not be performed first; the immediate priority is to capture the tail of the transaction log from the live database to avoid losing transactions that occurred after the last log backup. Option C is wrong because shutting down the SQL Server service would abruptly terminate the database and could corrupt the transaction log, potentially losing the tail-log data needed for point-in-time recovery; a controlled tail-log backup is required instead. Option D is wrong because applying the 2:15 PM backup would include the attacker's malicious transactions and deletions, which would reintroduce the compromised data and fail to achieve recovery to just before the attack.

8
MCQhard

An organization uses Microsoft SQL Server 2019 with full recovery model. A database administrator accidentally executed a DROP TABLE statement. The transaction log was backed up immediately after the incident. Which forensic technique would allow the analyst to restore the dropped table?

A.Restore the transaction log backup taken after the DROP TABLE and apply it to the database.
B.Use the RESTORE LOG statement with the NO_TRUNCATE option to recover the table.
C.Perform a tail-log backup, then restore the full backup and all subsequent transaction log backups, stopping before the DROP TABLE.
D.Restore the most recent full backup and ignore subsequent transaction log backups.
AnswerC

Point-in-time restore allows recovery to just before the drop.

Why this answer

Option C is correct because, under the full recovery model, point-in-time recovery is required to undo the DROP TABLE. By performing a tail-log backup (to capture any transactions after the last log backup), then restoring the full backup and all subsequent transaction log backups with STOPAT or STOPBEFOREMARK to the moment just before the DROP TABLE, the analyst can recover the table without losing other transactions. This is the only method that preserves the dropped table's data while maintaining database consistency.

Exam trap

The trap here is that candidates often think a simple transaction log restore (Option A) or a full backup restore (Option D) will suffice, failing to recognize that point-in-time recovery with a tail-log backup and STOPAT is required to skip the destructive DDL statement.

How to eliminate wrong answers

Option A is wrong because restoring only the transaction log backup taken after the DROP TABLE would apply the DROP TABLE operation again, permanently removing the table. Option B is wrong because the NO_TRUNCATE option is used to back up a tail of the log when the database is damaged or offline, not to recover a dropped table; it does not provide point-in-time recovery to skip the DROP. Option D is wrong because restoring only the most recent full backup would lose all changes made after that backup, including the data that existed before the DROP, and would not recover the dropped table.

9
Drag & Dropmedium

Drag and drop the steps to perform a forensic examination of a mobile device (Android) using Cellebrite UFED into the correct order.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order

Why this order

Mobile forensics requires enabling debugging, selecting extraction method, and parsing data.

10
Multi-Selectmedium

Which THREE of the following are essential steps in the forensic analysis of a compromised web application that uses a MySQL backend?

Select 3 answers
A.Restore the database from the latest backup to ensure data integrity
B.Immediately change all database user passwords to prevent further access
C.Check for suspicious stored procedures, triggers, or user-defined functions
D.Analyze web server access logs to identify SQL injection attempts
E.Preserve the MySQL binary logs for timeline analysis
AnswersC, D, E

Attackers may create malicious objects for persistence.

Why this answer

Option C is correct because stored procedures, triggers, and user-defined functions (UDFs) in MySQL can be maliciously created or modified by an attacker to execute arbitrary code, escalate privileges, or maintain persistence. Forensic analysis must inspect these objects for unauthorized changes, as they are often overlooked but can contain backdoor logic that survives database restarts and backups.

Exam trap

Cisco often tests the principle of evidence preservation versus remediation — candidates mistakenly choose immediate corrective actions (like password changes or restores) instead of forensic preservation steps, confusing incident response with forensic analysis.

11
MCQmedium

During a database forensic investigation, an analyst recovers a MySQL binary log file (binlog.000012) from a compromised server. Which command should the analyst use to extract the actual SQL statements from this binary log in a human-readable format?

A.mysqldump --binlog binlog.000012
B.mysqlimport --binlog binlog.000012
C.mysqlcheck --binlog binlog.000012
D.mysqlbinlog binlog.000012
AnswerD

mysqlbinlog converts binary log to SQL text.

Why this answer

The `mysqlbinlog` utility is specifically designed to parse MySQL binary log files and output the contained SQL statements in a human-readable format. Binary logs record all data-changing operations (e.g., INSERT, UPDATE, DELETE) in a proprietary binary format, so only `mysqlbinlog` can decode them back into readable SQL for forensic analysis.

Exam trap

EC-Council often tests the distinction between MySQL administrative utilities (mysqldump, mysqlcheck, mysqlimport) and the forensic-specific tool mysqlbinlog, exploiting the common misconception that any MySQL command with 'binlog' in its name can read binary logs.

How to eliminate wrong answers

Option A is wrong because `mysqldump` is a backup tool that exports database schemas and data as SQL text, not a binary log reader; it has no `--binlog` option. Option B is wrong because `mysqlimport` is used to load data from text files into tables using LOAD DATA INFILE, and it does not interact with binary logs. Option C is wrong because `mysqlcheck` is a maintenance utility for checking, repairing, and optimizing tables; it cannot decode binary log files.

12
MCQeasy

A forensic investigator is analyzing a Microsoft SQL Server instance that was compromised. The investigator wants to identify all login attempts that failed due to incorrect passwords. Which system function or view should be queried?

A.sys.dm_exec_sessions
B.sys.dm_tran_locks
C.xp_readerrorlog with filter for 'Login failed'
D.sys.dm_exec_requests
AnswerC

Reads SQL Server error log for failed logins.

Why this answer

The xp_readerrorlog extended stored procedure reads the SQL Server error log, which records all login attempts, including failures. By filtering for 'Login failed', the investigator can retrieve the exact entries where authentication failed due to incorrect passwords. This is the standard method for auditing failed logins in SQL Server.

Exam trap

EC-Council often tests the misconception that dynamic management views (DMVs) like sys.dm_exec_sessions store historical authentication data, when in fact they only reflect current state, not past events.

How to eliminate wrong answers

Option A is wrong because sys.dm_exec_sessions shows current active sessions, not historical login failures; it only reflects successful connections. Option B is wrong because sys.dm_tran_locks provides information about current lock states and transactions, not authentication events. Option D is wrong because sys.dm_exec_requests displays currently executing requests, not past login attempts or failures.

13
MCQmedium

During a database forensic investigation, an analyst discovers that multiple rows in a MySQL table have been deleted. The binary logs are enabled. Which approach should the analyst use to recover the deleted data?

A.Restore the transaction log files from backup and mount them to recover the deleted rows.
B.Use the 'SHOW UNDO' command to retrieve the deleted rows from undo tablespace.
C.Query the information_schema database to retrieve deleted rows from the data dictionary.
D.Parse the binary logs using mysqlbinlog to extract the DELETE statements and reconstruct the lost data.
AnswerD

Binary logs record all data changes; mysqlbinlog can output the SQL statements, including deletes.

Why this answer

MySQL binary logs record all changes to the database, including DELETE statements. The mysqlbinlog utility can parse these logs to reconstruct the exact DELETE operations, allowing the analyst to reverse-engineer the deleted rows by extracting the row data from the log events. This is the standard forensic method for recovering deleted data when binary logging is enabled.

Exam trap

EC-Council often tests the misconception that MySQL has a direct 'UNDO' command or that the information_schema stores row-level data, leading candidates to choose those plausible-sounding but incorrect options.

How to eliminate wrong answers

Option A is wrong because MySQL does not have a separate 'transaction log file' that can be mounted like a file system; the transaction log (redo log) is not designed for point-in-time recovery of individual rows, and restoring from backup would require a full restore, not a targeted row recovery. Option B is wrong because MySQL does not support a 'SHOW UNDO' command; undo tablespace is used internally for rollback operations and is not directly queryable for deleted row recovery. Option C is wrong because the information_schema database contains metadata about database objects (tables, columns, etc.), not the actual row data or deleted rows; it cannot be used to retrieve deleted records.

14
Multi-Selectmedium

During a database forensic investigation, an analyst finds that the SQL Server transaction log contains gaps. Which TWO actions should the analyst take to preserve evidence integrity and recover missing transactions?

Select 2 answers
A.Perform a transaction log backup using BACKUP LOG
B.Run DBCC CHECKDB to verify database consistency
C.Restart the SQL Server service to flush pending transactions
D.Truncate the transaction log to free space
E.Use DBCC PAGE or fn_dblog to read the transaction log
AnswersA, E

Preserves the current log state for analysis.

Why this answer

Option A is correct because performing a transaction log backup using BACKUP LOG captures the active portion of the transaction log, preserving evidence of all committed and uncommitted transactions. This ensures that the log is not truncated and that the forensic integrity of the transaction history is maintained for later analysis. Without this backup, subsequent operations could overwrite or lose critical transaction records.

Exam trap

EC-Council often tests the misconception that restarting the service or running consistency checks will help recover transactions, when in fact these actions can destroy or overwrite the very evidence needed for forensic analysis.

15
Multi-Selecteasy

Which TWO of the following are valid methods for collecting volatile data from a live database server during an incident response?

Select 2 answers
A.Extract the file system journal
B.Take a backup of the database using mysqldump
C.Create a forensic image of the hard disk
D.Execute netstat -an to list active network connections
E.Capture a memory dump using a tool like LiME or FTK Imager
AnswersD, E

Netstat shows current connections, which are volatile.

Why this answer

Option D is correct because `netstat -an` lists all active network connections and listening ports without performing DNS resolution, which is critical for identifying unauthorized connections or ongoing data exfiltration from the live database server. This command retrieves data from the kernel's network stack, which is volatile and would be lost if the system were powered down.

Exam trap

Cisco often tests the misconception that database backups (like mysqldump) or disk imaging are valid for volatile data collection, when in fact volatile data must be captured from memory and network state before any persistent storage is touched.

16
MCQmedium

During a forensic investigation of a MongoDB database, the analyst needs to identify which user executed a particular write operation. Which MongoDB log or feature should the analyst examine?

A.Journal (journal directory)
B.System log (mongod.log)
C.Audit log (auditLog)
D.Oplog (local.oplog.rs)
AnswerC

Audit log records user actions when enabled.

Why this answer

The audit log (auditLog) is the correct source because it is specifically designed to record user authentication and database operations, including which user executed a write operation. MongoDB's audit system captures detailed events such as insert, update, and delete commands along with the authenticated user identity, making it the definitive forensic artifact for user attribution.

Exam trap

EC-Council often tests the misconception that the oplog or system log records user identity, when in fact only the audit log provides authenticated user attribution for database operations.

How to eliminate wrong answers

Option A is wrong because the journal (journal directory) records write-ahead redo logs for crash recovery and durability, not user identity or operation attribution. Option B is wrong because the system log (mongod.log) contains operational messages and errors but does not reliably capture per-operation user context or detailed write command attribution. Option D is wrong because the oplog (local.oplog.rs) is a capped collection used for replication tracking and contains operation details but does not include the authenticated user who executed the write.

17
MCQhard

Refer to the exhibit. A database administrator finds the above error log entries when attempting to start the MySQL service. The server was working fine yesterday. What is the most likely cause of this issue?

A.The MySQL user does not have write permissions to the data directory.
B.The binary log is full and cannot be rotated.
C.The server ran out of memory due to high innodb_buffer_pool_size.
D.The InnoDB system tablespace file (ibdata1) is corrupted.
AnswerD

Corrupt ibdata1 prevents InnoDB initialization.

Why this answer

The error log entries indicate that InnoDB is unable to open or read the system tablespace file (ibdata1), which is the core file storing the InnoDB data dictionary, undo logs, and doublewrite buffer. A corrupted ibdata1 prevents MySQL from starting because the storage engine cannot initialize its internal structures, even if the server was operational the previous day. This matches the symptom of a sudden failure without prior configuration changes.

Exam trap

EC-Council often tests the distinction between permission errors, disk-full errors, memory errors, and corruption errors, so the trap here is that candidates may confuse a 'cannot start' error with a permission issue or memory exhaustion, rather than recognizing the specific InnoDB corruption signature in the log.

How to eliminate wrong answers

Option A is wrong because if the MySQL user lacked write permissions to the data directory, the error would typically be 'Permission denied' or 'Can't create/write to file', not a corruption-related InnoDB error about ibdata1. Option B is wrong because a full binary log that cannot be rotated would cause a 'Binary log disk full' or 'Could not write to binlog' error, not an InnoDB system tablespace corruption error. Option C is wrong because running out of memory due to high innodb_buffer_pool_size would manifest as an out-of-memory (OOM) kill or allocation failure, not a specific corruption error for ibdata1.

Ready to test yourself?

Try a timed practice session using only Database and Application Forensics questions.