CCNA Chfi App Email Cloud Questions

5 of 155 questions · Page 3/3 · Chfi App Email Cloud topic · Answers revealed

151
MCQ · hard

A forensic analyst is examining Docker container logs and finds a container that ran the command 'rm -rf /' and then stopped. The container was based on a custom image. Which of the following is the most effective way to recover deleted files from the container's filesystem?

A. Restore the container from a backup snapshot
B. Use data carving tools on the container's writable layer
C. Run 'docker commit' to create an image from the container and then extract files
D. Recover files from the image layers using 'docker history' and 'docker export'
Answer: D

Image layers are immutable; files deleted in the container are still present in the underlying layers. 'docker export' can extract the container's filesystem, but the image layers still contain the original data.

Why this answer

Docker images consist of layers. Even if a container deletes files, the underlying image layers are read-only and contain the original files. Inspecting the image layers can recover them.

152
Multi-Select · medium

Which TWO pieces of information can be obtained from an email's Received headers to help trace the email's origin? (Select TWO)

Select 2 answers
A. The DKIM signature hash
B. The sender's email client version
C. The IP address of the originating mail server
D. The subject line of the email
E. The timestamp when the email was processed by each server
Answers: C, E

The first Received header often contains the originating IP.

Why this answer

Received headers show each mail server the email passed through, including its IP address and timestamp.

153
MCQ · easy

Which of the following email authentication protocols uses a digital signature to verify the sender's domain and that the email has not been tampered with?

A. DMARC
B. DKIM
C. SPF
D. STARTTLS
Answer: B

DKIM adds a digital signature to the email headers, allowing verification of the domain and message integrity.

Why this answer

DKIM (DomainKeys Identified Mail) uses a digital signature to authenticate the email's domain and integrity.

154
MCQ · medium

Which Azure log source should an investigator query to identify who deleted a virtual machine and when?

A. Azure Activity Log
B. Azure Active Directory sign-in logs
C. Azure Diagnostic Settings for the VM
D. Network Security Group flow logs
Answer: A

Activity Log records resource management operations (create, update, delete).

Why this answer

Azure Activity Log (now called Monitor Activity Log) records control-plane operations like VM deletion. Azure AD logs are for authentication. NSG flow logs are for network traffic.

Diagnostic settings for VMs capture OS-level logs.

155
Multi-Select · hard

Which THREE of the following are challenges specific to cloud forensics compared to traditional digital forensics? (Select 3)

Select 3 answers
A. Chain of custody documentation
B. Data jurisdiction and legal compliance across regions
C. Multi-tenancy and co-mingling of data
D. Volatile evidence and lack of persistent storage
E. Physical access to the hard drive
Answers: B, C, D

Data may be stored in multiple countries with different laws.

Why this answer

Cloud forensics involves multi-tenancy (shared resources), data jurisdiction (legal compliance across regions), and volatile evidence (data may be ephemeral). These are distinct from traditional forensics.
