CCNA OS and File System Forensics Questions

10 questions · OS and File System Forensics · All types, answers revealed

1. MCQ (medium)

You are a forensic investigator responding to a security incident at a medium-sized company. The incident involved an attacker gaining unauthorized access to a Windows Server 2019 system. The server was taken offline by the IT team immediately after detection. Your task is to acquire forensic evidence from the server's hard drive. The server has a single 500 GB NTFS partition. You have a forensic workstation with a write blocker, a SATA-to-USB adapter, and a forensic imaging tool that supports both dd and EWF (E01) formats. The server is still physically in the server room, and the IT team has powered it off. You need to create a forensic image that preserves the integrity of the evidence and allows for efficient analysis. Which of the following is the most appropriate course of action?

A. Boot the server using a forensic live CD, connect an external USB drive to the server, and use 'dd' to create a raw image on the external drive.
B. Use the server's built-in backup utility to create a system state backup and copy it to a network share.
C. Remove the hard drive, connect it via a write blocker to the forensic workstation, and then use 'dd' over a network connection to send the image to a remote server.
D. Remove the hard drive, connect it via a write blocker to the forensic workstation, and create an EWF (E01) image stored locally on the forensic workstation's internal drive.
Answer: D

This method uses a write blocker to preserve integrity, and EWF format provides compression and metadata for efficient analysis.

Why this answer

Option D is correct because it follows best practices for forensic acquisition: removing the hard drive and connecting it via a write blocker ensures that no data is altered during imaging. Using EWF (E01) format provides compression, metadata, and integrity checks (e.g., CRC32, MD5, SHA-1), which are essential for efficient analysis and evidence preservation. Storing the image locally on the forensic workstation avoids network latency and potential data corruption.

Exam trap

EC-Council often tests the misconception that using a forensic live CD is sufficient for write protection, but without a hardware write blocker, the OS may still write to the drive (e.g., via journaling or mount operations), compromising evidence integrity.

How to eliminate wrong answers

Option A is wrong because booting the server with a forensic live CD and using dd to an external USB drive risks modifying the system's volatile data and does not guarantee write-blocking at the hardware level; the live CD's kernel may still write to the internal drive. Option B is wrong because a system state backup is not a forensic image; it captures only system files and registry, not the entire partition, and it modifies the original drive during the backup process. Option C is wrong because using dd over a network connection introduces potential data integrity issues due to network latency, packet loss, or interception, and it is less efficient than local storage; the image should be stored on a trusted forensic workstation drive.

2. Drag & Drop (medium)

Drag and drop the steps to perform a forensic analysis of a Windows registry using RegRipper into the correct order.


Why this order

Registry analysis requires acquiring hives, running RegRipper with profiles, and correlating results.

3. MCQ (hard)

A forensic analyst is examining a Windows 10 system and needs to determine the last boot time of the system. Which registry hive and key should the analyst query to find this information?

A. NTUSER.DAT hive, key 'Control Panel\Desktop\'
B. SYSTEM hive, key 'CurrentControlSet\Control\Windows\', value 'ShutdownTime'
C. SOFTWARE hive, key 'Microsoft\Windows NT\CurrentVersion\'
D. SAM hive, key 'SAM\Domains\Account\Users\'
Answer: B

The 'ShutdownTime' value in this key records the last system shutdown time, which can be used to infer the last boot time (as the system boots after shutdown).

Why this answer

The SYSTEM hive stores system-wide configuration data, and the key 'CurrentControlSet\Control\Windows\' contains the 'ShutdownTime' value, which records the last system shutdown time. Since the last boot time is effectively the time after the last shutdown, querying this value provides the necessary information. This is a standard forensic artifact for determining system uptime and boot events on Windows 10.

Exam trap

EC-Council often tests the misconception that the SOFTWARE hive or NTUSER.DAT hive stores boot-related timestamps, but only the SYSTEM hive's 'CurrentControlSet\Control\Windows\' key contains the official 'ShutdownTime' value for determining last boot time.

How to eliminate wrong answers

Option A is wrong because NTUSER.DAT is the per-user registry hive, and 'Control Panel\Desktop\' contains user-specific desktop settings (like wallpaper or screen saver), not system boot or shutdown times. Option C is wrong because the SOFTWARE hive's 'Microsoft\Windows NT\CurrentVersion\' key stores OS version and installation details (e.g., product name, build number), not boot or shutdown timestamps. Option D is wrong because the SAM hive's 'SAM\Domains\Account\Users\' key contains user account security identifiers and password hashes, with no relation to system boot or shutdown events.

4. Matching (medium)

Match each forensic acquisition method to its description.


Collecting data from a running system

Collecting data from powered-off media

Copying only active files and metadata

Bit-for-bit copy of entire storage device

Collecting only fragments of unallocated space

Why these pairings

These methods differ in scope and when they are performed.

5. MCQ (medium)

During a forensic investigation of a compromised Linux server, an investigator needs to recover deleted files from an ext4 filesystem. Which method should the investigator use to maximize recovery of file content, considering the filesystem may have been partially overwritten?

A. Use 'foremost' to carve files based on file headers and footers.
B. Use 'grep -a' to search the raw disk for file signatures.
C. Use 'scalpel' to perform a deep scan of the filesystem.
D. Use 'extundelete' to recover files from the ext4 filesystem.
Answer: A

Foremost is a file carving tool that recovers files by scanning for known headers/footers, making it effective for partially overwritten filesystems.

Why this answer

Foremost is the correct choice because it performs file carving based on headers and footers, which can recover file content even when the filesystem metadata (such as inodes) is damaged or partially overwritten. Unlike undelete tools that rely on intact filesystem structures, foremost scans the raw disk blocks for known file signatures, making it effective for recovering files from an ext4 filesystem that has experienced partial overwriting.

Exam trap

EC-Council often tests the distinction between file carving tools (like foremost) and filesystem-specific recovery tools (like extundelete), trapping candidates who assume that a filesystem utility is always the best choice for recovery, even when the filesystem metadata is compromised.

How to eliminate wrong answers

Option B is wrong because 'grep -a' treats the raw disk as text and searches for patterns, but it does not reconstruct files based on headers and footers, so it cannot reliably recover complete file content. Option C is wrong because 'scalpel' is a file carving tool similar to foremost, but it is not the best choice here as it is less actively maintained and may not support as many file types out of the box; foremost is the more standard and recommended tool for this scenario. Option D is wrong because 'extundelete' relies on the ext4 filesystem's journal and inode metadata to recover deleted files, and if the filesystem has been partially overwritten, this metadata may be corrupted or missing, leading to incomplete or failed recovery.

6. Multi-Select (medium)

During a forensic investigation of a Windows 10 system, you need to analyze the file system to recover deleted files. Which TWO file system artifacts would be most useful for this purpose?

Select 2 answers
A. $LogFile
B. $Boot file
C. $MFT (Master File Table)
D. $Volume
E. $Bitmap
Answers: A, C

The $LogFile records metadata changes, including deletions, and can help reconstruct file history.

Why this answer

$LogFile (A) records metadata changes to the NTFS volume, including transactions that can be replayed to recover file names and directory entries for recently deleted files. $MFT (C) contains the master file table entries for every file and directory; even after deletion, the MFT entry often remains until overwritten, allowing recovery of file attributes and data runs.

Exam trap

EC-Council often tests the misconception that $Bitmap is the primary artifact for file recovery, but it only shows which clusters are free, not the file names or metadata needed to reconstruct deleted files.

7. Multi-Select (medium)

Which TWO of the following are valid locations in a Windows system where forensic evidence of USB device connection can be found?

Select 2 answers
A. SYSTEM\CurrentControlSet\Enum\USBSTOR registry key
B. Amcache.hve file
C. SetupAPI.dev.log file
D. Event Logs with source 'Device Setup'
E. C:\Windows\Prefetch folder
Answers: A, C

This key enumerates all USB storage devices that have been connected to the system.

Why this answer

The SYSTEM\CurrentControlSet\Enum\USBSTOR registry key is a primary location where Windows records every USB storage device that has been connected to the system. Each device is listed under this key with a unique instance ID, including the vendor ID, product ID, and serial number, providing persistent evidence of USB connections even after the device is removed.

Exam trap

Cisco often tests the distinction between persistent device enumeration records (USBSTOR) and installation logs (SetupAPI.dev.log) versus volatile or indirect artifacts like prefetch files or misnamed event sources, leading candidates to incorrectly select Amcache.hve or Prefetch as valid USB connection evidence.

8. MCQ (easy)

You are a forensic investigator responding to an incident on a Windows 10 workstation used by a finance manager. The user reports that a critical spreadsheet containing quarterly budget data was accidentally deleted from the Desktop yesterday at approximately 3:00 PM. The system has been used normally since then, and the user has not emptied the Recycle Bin. You have created a forensic image of the drive using FTK Imager. The Recycle Bin contains a file named 'Quarterly_Budget.xlsx', but it appears to be a shortcut (size 1 KB). The user insists the original file was several megabytes. You need to recover the original file. Which action should you take next?

A. Search the $Recycle.Bin folder on the forensic image to locate the original file data, which may be stored under a different name.
B. Restore a previous version of the Desktop folder from Volume Shadow Copy.
C. Use file carving techniques to recover the file from unallocated space on the Desktop.
D. Check the Recycle Bin on the live system; the file should be there and can be restored.
Answer: A

The Recycle Bin stores original file data in the $Recycle.Bin folder, often with a renamed file. The shortcut is just a reference.

Why this answer

When a file is moved to the Recycle Bin on Windows 10, the original file data is not stored in the Recycle Bin itself; instead, a hidden file (with a random name) is created in the `$Recycle.Bin` folder on the volume, and a shortcut (the visible entry) is placed in the Recycle Bin. The shortcut points to the hidden file, which retains the original data. Since the visible entry is only 1 KB, the actual file content must be located in the `$Recycle.Bin` folder under a different name, making option A the correct next step.

Exam trap

The trap here is that candidates assume the Recycle Bin contains the actual file data, but Cisco tests the understanding that the Recycle Bin only stores a shortcut, and the real data is hidden in the `$Recycle.Bin` folder under a different name.

How to eliminate wrong answers

Option B is wrong because restoring a previous version from Volume Shadow Copy would only work if the file was deleted via a system restore point or if the Desktop folder had versioning enabled, which is not guaranteed and is not the primary mechanism for Recycle Bin recovery. Option C is wrong because file carving from unallocated space is a last-resort technique for when the file is not recoverable via the Recycle Bin or file system metadata; here, the file is still logically present in the Recycle Bin structure, so carving is unnecessary and less reliable. Option D is wrong because the user has already created a forensic image, and checking the live system could alter evidence; moreover, the Recycle Bin on the live system would show the same shortcut, not the original data.

9. MCQ (easy)

During a forensic investigation, an analyst needs to preserve the integrity of evidence on a hard drive. Which of the following is the best practice for acquiring an image of the drive?

A. Use the 'dd' command to create a raw image without a write blocker.
B. Connect the drive to a forensic workstation and use the operating system's copy command.
C. Use a hardware write blocker and create a bit-stream image.
D. Format the drive before imaging to ensure no hidden data is missed.
Answer: C

A write blocker ensures no data is altered on the original drive during acquisition.

Why this answer

Option C is correct because using a hardware write blocker ensures that no write commands from the forensic workstation reach the suspect drive, preserving its integrity at the physical level. Creating a bit-stream image (sector-by-sector copy) captures all data, including slack space and unallocated clusters, which is essential for thorough forensic analysis. This combination is the gold standard in digital forensics, as mandated by best practices like those from NIST and the ACPO principles.

Exam trap

Cisco often tests the misconception that a software-based approach (like dd) is sufficient for imaging, but the trap is that without a hardware write blocker, the forensic workstation's OS may inadvertently write to the suspect drive (e.g., via automount or journaling), compromising evidence integrity.

How to eliminate wrong answers

Option A is wrong because using the 'dd' command without a write blocker risks modifying the evidence drive (e.g., by the OS mounting it or writing temporary files), which breaks chain of custody and can render evidence inadmissible. Option B is wrong because the operating system's copy command (e.g., cp or copy) only copies visible files and does not capture deleted data, slack space, or file system metadata; it also does not prevent write operations to the source drive. Option D is wrong because formatting the drive destroys all existing data, including evidence, and is the antithesis of preservation; it would permanently eliminate any chance of recovering hidden or deleted information.

10. MCQ (hard)

A forensic analyst is reviewing the syslog from a compromised Linux server. Based on the exhibit, what does the 'orphan inode deleted' message indicate?

A. A hidden file was permanently removed from the filesystem.
B. A file was deleted while still open, and the filesystem has cleaned up the orphan inode.
C. A rootkit has attempted to hide files by marking them as orphan inodes.
D. A critical system file has been deleted, and the filesystem is warning the administrator.
Answer: B

Orphan inodes occur when a file is deleted while open; the filesystem cleans them on mount.

Why this answer

The 'orphan inode deleted' message in syslog indicates that a file was deleted while it was still open by a process. The kernel's inode cleanup mechanism (part of the VFS layer) detected the orphaned inode—an inode with no directory entry but still referenced by an open file descriptor—and removed it after the last file descriptor was closed. This is standard behavior in Linux filesystems (e.g., ext4) and is not indicative of hidden files, rootkits, or critical system file alerts.

Exam trap

EC-Council often tests the misconception that 'orphan inode deleted' is a security alert or sign of malicious activity, when in fact it is a normal filesystem housekeeping message that occurs whenever a file is deleted while still open by a process.

How to eliminate wrong answers

Option A is wrong because 'orphan inode deleted' does not imply a hidden file; hidden files (dot files) are simply files with names starting with a period and are not related to orphan inodes. Option C is wrong because rootkits may hide files by manipulating directory entries or using kernel modules, but they do not mark files as orphan inodes—orphan inodes are a natural consequence of deleting an open file, not a hiding technique. Option D is wrong because the message is a routine informational log from the filesystem cleanup process, not a warning about critical system file deletion; it does not indicate administrator action is required.
