CCNA Chfi Mobile Malware Questions

75 of 164 questions · Page 1/3 · Chfi Mobile Malware topic · Answers revealed

1
MCQhard

An analyst runs 'regshot' before and after executing a suspicious binary. The report shows that the binary added a value to HKLM\SYSTEM\CurrentControlSet\Services\MyService with 'ImagePath' pointing to C:\Windows\system32\malware.exe and 'Start' set to 2. What is the MOST likely purpose?

A.Hiding network connections
B.Encrypting files
C.Disabling a legitimate service
D.Persistence as a service
AnswerD

Setting Start=2 means the service starts automatically at boot, ensuring persistence.

Why this answer

The binary added a service entry under HKLM\SYSTEM\CurrentControlSet\Services\MyService with 'ImagePath' pointing to malware.exe and 'Start' set to 2 (SERVICE_AUTO_START). This ensures the malware launches automatically at system boot, which is a classic persistence mechanism. The 'Start' value of 2 specifically configures the service to start automatically, making it persist across reboots.

Exam trap

EC-Council often tests the distinction between creating a new service for persistence versus modifying an existing service's startup type or disabling it, and candidates may confuse the 'Start' value of 2 (auto-start) with a disabled state (value 4).

How to eliminate wrong answers

Option A is wrong because hiding network connections is typically achieved by rootkits, API hooking, or manipulating network stack components (e.g., NDIS drivers), not by simply adding a service entry. Option B is wrong because encrypting files is a ransomware behavior that would involve file system operations or cryptographic API calls, not merely creating a service with an ImagePath. Option C is wrong because disabling a legitimate service would involve modifying the 'Start' value of an existing service (e.g., setting it to 4 for disabled) or deleting it, not creating a new service with a malicious ImagePath.

2
MCQmedium

During an iOS forensic examination, an analyst extracts the iTunes backup of a suspect iPhone. The analyst wants to review deleted SMS messages. Which SQLite database file should be examined?

A.AddressBook.db
B.Keyboard.db
C.SMS.db
D.call_history.db
AnswerC

SMS.db is the database containing SMS and iMessage conversations, including deleted entries (until overwritten).

Why this answer

In iOS forensics, deleted SMS messages are stored in the SMS.db SQLite database located within the iTunes backup. This database contains the `message` table, which retains deleted messages until overwritten by new data, making it the primary target for recovering deleted iMessages and SMS texts.

Exam trap

EC-Council often tests the misconception that deleted SMS messages are stored in a separate 'deleted items' database or that call_history.db contains SMS data, leading candidates to overlook the primary SMS.db file.

How to eliminate wrong answers

Option A is wrong because AddressBook.db stores contact information (names, phone numbers, emails), not SMS message content. Option B is wrong because Keyboard.db stores keyboard usage data (e.g., learned words, autocorrect entries), not SMS messages. Option D is wrong because call_history.db contains call logs (incoming, outgoing, missed calls), not SMS text messages.

3
Multi-Selecthard

A malware analyst is performing dynamic analysis of a trojan. Which THREE of the following tools are commonly used to monitor system changes during execution?

Select 3 answers
A.Process Monitor
B.Ghidra
C.PEiD
D.Regshot
E.Process Explorer
AnswersA, D, E

Captures registry, file system, and process activity in real time.

Why this answer

Process Monitor (A) is correct because it is a real-time system monitoring tool that captures file system, registry, and process/thread activity, allowing analysts to observe changes made by a trojan during execution. It uses kernel-mode drivers to log operations such as CreateFile, RegSetValue, and CreateProcess, which are essential for dynamic analysis.

Exam trap

EC-Council often tests the distinction between static and dynamic analysis tools, so the trap here is that candidates confuse tools like Ghidra or PEiD (static) with runtime monitoring tools like Process Monitor or Regshot (dynamic).

4
MCQhard

During malware analysis, an analyst discovers that a sample uses a technique to modify its own code at runtime to evade signature detection. Which anti-forensic technique does this describe?

A.Log wiping
B.Packing/Obfuscation
C.Encryption
D.Timestomping
AnswerB

Packing and obfuscation techniques modify the code to evade detection; self-modifying code is a form of obfuscation.

Why this answer

The technique of modifying code at runtime to evade signature detection is known as packing or obfuscation. Packers compress or encrypt the original executable and wrap it with a small stub that decompresses or decrypts the code in memory during execution, thereby altering the static file signature. This runtime modification allows the malware to bypass signature-based antivirus and forensic tools that rely on static analysis of the binary on disk.

Exam trap

Cisco often tests the distinction between encryption as a general concept and packing/obfuscation as a specific anti-forensic technique that combines encryption with runtime code modification to evade static signature detection.

How to eliminate wrong answers

Option A is wrong because log wiping refers to the deliberate deletion or alteration of system, application, or security logs (e.g., clearing Windows Event Logs or /var/log/messages) to cover tracks, not to modifying code at runtime. Option C is wrong because encryption, while used in packing, is a broader cryptographic concept that protects data confidentiality; the specific anti-forensic technique described here is packing/obfuscation, which combines encryption/compression with a runtime stub to alter the executable's static signature. Option D is wrong because timestomping is the act of modifying file timestamps (e.g., using SetFileTime on Windows or touch -t on Linux) to mislead timeline analysis, not modifying code at runtime.

5
MCQmedium

A forensic analyst is examining an iOS backup taken from a suspect's iPhone using iTunes. Which of the following SQLite databases would contain the suspect's call history?

A.AddressBook.db
B.call_history.db
C.Calendar.sqlitedb
D.SMS.db
AnswerB

call_history.db stores call logs.

Why this answer

The call history on an iOS device is stored in a SQLite database named `call_history.db` (or `call_history.db` within the root domain of the user's backup). When an iTunes backup is created, this database is included in the backup manifest and can be extracted and queried to retrieve call logs, including timestamps, durations, and phone numbers. Option B is correct because it is the specific database that contains call history records.

Exam trap

EC-Council often tests the distinction between `SMS.db` (messages) and `call_history.db` (calls), leading candidates to mistakenly choose `SMS.db` because they associate phone communication with SMS rather than call logs.

How to eliminate wrong answers

Option A is wrong because `AddressBook.db` (now `Contacts.sqlitedb` in modern iOS) stores contact information (names, phone numbers, email addresses), not call history. Option C is wrong because `Calendar.sqlitedb` stores calendar events and reminders, not call logs. Option D is wrong because `SMS.db` stores SMS and iMessage conversations, not call history records.

6
MCQhard

A forensic analyst is examining a malware sample that uses packing to obfuscate its code. Which static analysis tool is BEST suited to identify the packer used and potentially unpack the executable?

A.PEiD
B.Cuckoo Sandbox
C.Ghidra
D.IDA Pro
AnswerA

PEiD uses signatures to detect packers, cryptors, and compilers. It can also assist in unpacking by identifying the entry point.

Why this answer

PEiD (Portable Executable Identifier) is specifically designed to detect packers, cryptors, and compilers used in PE files by scanning for known signatures in the executable's entry point. It is the best static analysis tool for identifying the packer and can often unpack the executable using its built-in generic unpacker or by invoking the packer's own unpacking stub. This makes it ideal for the initial triage of packed malware samples.

Exam trap

EC-Council often tests the distinction between static and dynamic analysis tools, and the trap here is that candidates may confuse a dynamic analysis sandbox (Cuckoo) or a general-purpose disassembler (Ghidra, IDA Pro) with a specialized static packer identifier like PEiD.

How to eliminate wrong answers

Option B is wrong because Cuckoo Sandbox is a dynamic analysis tool that executes the malware in a controlled environment to observe behavior, not a static analysis tool for identifying packers. Option C is wrong because Ghidra is a reverse engineering framework focused on disassembly and decompilation, but it lacks a dedicated packer signature database and automated unpacking capabilities like PEiD. Option D is wrong because IDA Pro is a powerful interactive disassembler and debugger, but it does not have a built-in packer identification database; while plugins can add this functionality, it is not the best-suited tool out of the box for this specific task.

7
MCQhard

A security analyst runs the command `regshot64.exe compare` after executing malware. Regshot reports that the following registry key was created: `HKCU\Software\Microsoft\Windows\CurrentVersion\Run\SecureUpdate`. Which conclusion is MOST likely?

A.The malware encrypted the user's documents
B.The malware installed a persistence mechanism
C.The malware deleted a system file
D.The malware modified a network configuration
AnswerB

Run key = persistence.

Why this answer

The registry key `HKCU\Software\Microsoft\Windows\CurrentVersion\Run\SecureUpdate` is a standard Windows Run key, which automatically executes the specified program at user logon. By creating this key, the malware ensures it runs every time the user logs in, establishing persistence. This is a classic persistence mechanism, not an action related to encryption, file deletion, or network changes.

Exam trap

Cisco often tests the distinction between persistence mechanisms (like Run keys) and other malware behaviors (like encryption or network changes), trapping candidates who assume any registry change indicates data destruction or system modification rather than survival.

How to eliminate wrong answers

Option A is wrong because encryption of user documents would typically involve file system changes (e.g., appending .encrypted extensions) or cryptographic API calls, not the creation of a Run registry key. Option C is wrong because deleting a system file would leave evidence in file system logs or cause immediate system instability, not create a Run key for persistence. Option D is wrong because modifying a network configuration (e.g., changing DNS settings, proxy, or firewall rules) involves different registry paths (e.g., `HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters`) or netsh commands, not the user-level Run key.

8
Multi-Selectmedium

A forensic examiner is analyzing an Android device that was factory reset. Which TWO artefacts or methods could the examiner use to potentially recover or identify data from before the reset?

Select 2 answers
A.Performing a logical extraction via ADB
B.Recovering deleted apps via ADB backup
C.Examining the device manually through the UI
D.Analyzing Google account artefacts synced to the cloud
E.Using a physical extraction tool like Cellebrite UFED
AnswersD, E

Google account may have synced contacts, calendar, and app data before reset, recoverable via account access.

Why this answer

Option D is correct because Google account artifacts synced to the cloud (e.g., contacts, calendar, app data via Google Drive backup) persist independently of the device's local storage. Even after a factory reset, these cloud-stored artifacts can be accessed by logging into the same Google account, providing a forensic trail of pre-reset data. This leverages Google's cloud synchronization services, which are not erased by a device reset.

Exam trap

EC-Council often tests the misconception that a factory reset permanently destroys all data, but candidates must recognize that cloud-synced artifacts and physical extraction methods can recover pre-reset data, while logical methods (ADB, UI) are rendered useless by the reset.

9
MCQhard

During a forensic investigation of a Windows system infected with ransomware, the analyst discovers that the malware deleted volume shadow copies using vssadmin.exe. Which anti-forensic technique does this represent, and what is its primary purpose?

A.Encryption; to encrypt the shadow copies to prevent analysis
B.Log wiping; to remove forensic evidence of file changes and prevent data recovery
C.Timestomping; to alter timestamps of the shadow copy files
D.Data hiding; to conceal the malware's files within shadow copies
AnswerB

Deleting shadow copies removes logs that could be used for recovery, a form of log wiping.

Why this answer

Option B is correct because deleting Volume Shadow Copies using vssadmin.exe is a classic example of log wiping (anti-forensic technique). The primary purpose is to remove forensic evidence of file changes and prevent data recovery, as shadow copies contain previous versions of files that could be used to restore encrypted data or track the ransomware's activity.

Exam trap

The trap here is that candidates may confuse 'deleting shadow copies' with 'data hiding' or 'encryption' because shadow copies are often used for recovery, but the technique is specifically log wiping (anti-forensic) aimed at destroying evidence and preventing restoration.

How to eliminate wrong answers

Option A is wrong because encryption is not performed by vssadmin.exe; vssadmin.exe is a command-line tool for managing shadow copies, and deleting them does not involve encryption. Option C is wrong because timestomping refers to altering file timestamps (e.g., using tools like SetMace or timestomp), not deleting shadow copies. Option D is wrong because data hiding involves concealing files (e.g., using alternate data streams or steganography), not deleting shadow copies to prevent recovery.

10
MCQeasy

During a mobile forensic investigation of an iPhone, an examiner needs to recover deleted SMS messages. Which acquisition method provides the highest likelihood of retrieving deleted data from the device's flash memory?

A.Manual acquisition by taking screenshots
B.File system acquisition via iOS file system extraction
C.Physical acquisition via JTAG or chip-off
D.Logical acquisition via iTunes backup
AnswerC

Physical acquisition copies the entire flash memory, enabling recovery of deleted data.

Why this answer

Physical acquisition via JTAG or chip-off provides the highest likelihood of recovering deleted SMS messages because it accesses the raw NAND flash memory at the hardware level, bypassing the iOS file system and logical abstractions. Deleted data on flash storage remains in unallocated blocks until overwritten, and physical imaging captures these remnants, including deleted SQLite records from the SMS database. In contrast, logical and file system methods only retrieve active files, missing the unallocated space where deleted messages reside.

Exam trap

EC-Council often tests the misconception that file system acquisition (Option B) can recover deleted data because it extracts the entire file system, but in iOS, the file system extraction does not include unallocated space due to the HFSX/APFS design and sandboxing, making physical acquisition the only method that accesses raw NAND for deleted SMS recovery.

How to eliminate wrong answers

Option A is wrong because manual acquisition via screenshots only captures visible, on-screen content and cannot access deleted data stored in unallocated flash memory. Option B is wrong because file system acquisition via iOS file system extraction retrieves only active files and metadata, not the raw NAND blocks containing deleted SMS records that have been marked as free but not yet overwritten. Option D is wrong because logical acquisition via iTunes backup only extracts files that are part of the backup manifest, which excludes deleted data that has been removed from the SQLite WAL or journal files and is not present in the backup snapshot.

11
Multi-Selecthard

During dynamic analysis of a malware sample in a sandbox, an analyst observes the following behaviours: (1) A file is created at C:\Windows\System32\drivers\etc\hosts, (2) A registry key is set at HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\UpdateSvc, (3) Outbound TCP connections to 198.51.100.10 on port 8080. Which THREE of the following IoCs are MOST relevant to share with the threat intelligence team?

Select 3 answers
A.MD5 hash of the original malware file
B.Network connection to 198.51.100.10:8080
C.Registry key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\UpdateSvc
D.Mutex name created by the malware
E.File path C:\Windows\System32\drivers\etc\hosts
AnswersB, C, E

This is a network-based IoC indicating C2.

Why this answer

Option B is correct because the outbound TCP connection to 198.51.100.10 on port 8080 is a direct network-based indicator of compromise (IoC) that threat intelligence teams can use to block or monitor malicious C2 traffic. This IP and port combination represents a specific command-and-control endpoint, making it highly actionable for network defense and threat hunting.

Exam trap

EC-Council often tests the distinction between observed behaviors (file creation, registry modification, network connections) and derived IoCs (hashes, mutexes), tricking candidates into selecting all listed options rather than only those directly tied to the observed actions.

12
Multi-Selecteasy

Which THREE of the following are common indicators of compromise (IoCs) that can be used to detect malware infections?

Select 3 answers
A.The user's favorite color
B.The brand of the victim's computer
C.Registry key created by malware for persistence
D.MD5 or SHA-256 hash of the malware file
E.IP address of the command and control server
AnswersC, D, E

Registry keys are host-based IoCs.

Why this answer

Option C is correct because malware often creates registry keys (e.g., under `HKLM\Software\Microsoft\Windows\CurrentVersion\Run`) to achieve persistence, ensuring it executes automatically on system startup. Detecting such unauthorized registry modifications is a common indicator of compromise (IoC) in forensic investigations.

Exam trap

EC-Council often tests the distinction between user-specific or hardware-specific attributes (like favorite color or computer brand) and actual system-level artifacts that indicate compromise, leading candidates to mistakenly include irrelevant options if they do not focus on technical IoCs.

13
MCQeasy

Which of the following mobile forensics tools is specifically designed to extract data from iOS devices by exploiting the device's bootrom vulnerability (e.g., checkm8) to perform a physical extraction?

A.Oxygen Forensic Detective
B.Cellebrite UFED
C.Magnet AXIOM
D.GrayKey
AnswerD

GrayKey is a tool that leverages the checkm8 bootrom exploit for physical extraction.

Why this answer

GrayKey is correct because it is a mobile forensic tool specifically designed to exploit the checkm8 bootrom vulnerability (a permanent, unpatchable exploit affecting A5 to A11 chips) to perform a physical extraction of iOS devices. This allows bypassing the device's passcode and extracting the full file system, including encrypted data, without needing to jailbreak the device.

Exam trap

EC-Council often tests the distinction between tools that perform logical or file system extractions versus those that exploit hardware-level bootrom vulnerabilities for physical extraction, and the trap here is that candidates may confuse Cellebrite UFED's broader capabilities with GrayKey's specialized, bootrom-specific design.

How to eliminate wrong answers

Option A is wrong because Oxygen Forensic Detective is a comprehensive forensic platform that supports logical, file system, and cloud extractions from iOS devices, but it does not natively exploit bootrom vulnerabilities like checkm8 for physical extraction. Option B is wrong because Cellebrite UFED uses advanced techniques like brute-force attacks and checkm8-based extractions via its Cellebrite Advanced Unlock (CAU) module, but it is not specifically designed solely for bootrom exploitation; it relies on a combination of methods and is not the tool most exclusively associated with checkm8. Option C is wrong because Magnet AXIOM is a digital forensic analysis platform that processes data from various sources, including mobile devices, but it does not perform physical extraction via bootrom exploits; it relies on acquisition tools like UFED or GrayKey for the actual extraction.

14
MCQmedium

In iOS forensics, which database file typically contains the call history, including incoming, outgoing, and missed calls?

A.Notes.db
B.call_history.db
C.AddressBook.db
D.SMS.db
AnswerB

Correct database for call records.

Why this answer

In iOS forensics, the call history (incoming, outgoing, and missed calls) is stored in the SQLite database file named `call_history.db`. This database is located within the root domain of the iOS file system (typically under `/private/var/mobile/Library/CallHistoryDB/`) and contains tables such as `call` and `call_history` that record each call's direction, duration, timestamp, and associated contact identifier. The CHFI exam specifically tests this file as the authoritative source for call log evidence.

Exam trap

EC-Council often tests the misconception that `AddressBook.db` or `SMS.db` might contain call logs because they store contact names and message threads, but the trap is that call history is stored in a separate, dedicated database (`call_history.db`) that is not linked to the address book or SMS databases.

How to eliminate wrong answers

Option A is wrong because `Notes.db` stores user notes and not call history; it is located in the `/private/var/mobile/Library/Notes/` directory and contains tables like `ZNOTE` and `ZNOTEBODY`. Option C is wrong because `AddressBook.db` (now `Contacts.db` in newer iOS versions) stores contact information (names, phone numbers, email addresses) but does not contain call log records; it is used for address book data, not call history. Option D is wrong because `SMS.db` stores SMS and iMessage conversations, including text messages and attachments, but not call history; it is found in `/private/var/mobile/Library/SMS/` and contains tables like `message` and `chat`.

15
MCQmedium

An Android device is found with factory reset performed. The forensic examiner wants to recover as much data as possible. Which of the following artefacts is MOST likely to survive a factory reset and provide useful evidence?

A.Deleted SQLite records from /data/data/
B.Data stored on the external SD card
C.Google account authentication tokens stored in AccountManager
D.Wi-Fi passwords from wpa_supplicant.conf
AnswerB

Factory reset usually does not format the external SD card, so data there may remain.

Why this answer

Factory reset wipes the /data partition, which includes /data/data/ (app data), AccountManager tokens, and system configuration files like wpa_supplicant.conf. However, external SD cards are typically not formatted during a factory reset because they are user-removable storage. Therefore, data stored on the external SD card (e.g., photos, videos, app backups) often survives intact and can provide valuable forensic evidence.

Exam trap

Cisco often tests the misconception that factory reset wipes all storage, including external SD cards, but the standard Android factory reset only targets internal partitions, leaving external storage untouched unless the user selects the additional 'Erase SD card' option.

How to eliminate wrong answers

Option A is wrong because /data/data/ is part of the internal storage that is securely wiped during a factory reset, making deleted SQLite records unrecoverable via standard forensic tools. Option C is wrong because Google account authentication tokens are stored in AccountManager within the /data/system/ partition, which is erased on factory reset. Option D is wrong because wpa_supplicant.conf resides in /data/misc/wifi/, which is also wiped during factory reset, so Wi-Fi passwords are lost.

16
MCQhard

During an Android forensic examination, an analyst uses ADB to perform a backup of a device. The resulting .ab file is encrypted. Which of the following is the most likely reason for the encryption?

A.The device has a lock screen PIN set, and the backup was created with default settings
B.The backup was created with the -nopassword flag
C.The backup file is corrupted
D.The device has full-disk encryption enabled
AnswerA

By default, adb backup encrypts the backup using the device's lock screen credentials.

Why this answer

When an Android backup is created via ADB with default settings, the resulting .ab file is encrypted using the device's lock screen PIN or password as the encryption key. This is a built-in security feature of the Android Backup Manager to protect backup data from unauthorized access. The encryption is applied regardless of whether full-disk encryption is enabled, as it is a separate layer of protection for the backup stream.

Exam trap

EC-Council often tests the distinction between full-disk encryption and backup-level encryption, leading candidates to incorrectly assume that FDE is the cause of the encrypted .ab file when the real mechanism is the lock screen PIN used by the Android Backup Manager.

How to eliminate wrong answers

Option B is wrong because the -nopassword flag explicitly disables encryption, so the backup would not be encrypted. Option C is wrong because corruption does not cause encryption; a corrupted file would typically fail to parse or show integrity errors, not appear as encrypted. Option D is wrong because full-disk encryption (FDE) protects data at rest on the device's internal storage, but the ADB backup stream is encrypted independently using the lock screen credential, not FDE.

17
MCQhard

A security analyst observes a process on a Windows system creating a mutex named "Global\{5B9E4E7E-8B2C-4F6D-A1A3-F2C8D9E0A1B2}" shortly after execution. The analyst also notes outbound connections to an IP address 203.0.113.50 on port 4444. Which malware behaviour indicator is MOST clearly demonstrated?

A.Anti-debugging technique through timing checks
B.Single-instance execution safeguard and command and control communication
C.File encryption using a hardcoded AES key
D.Persistence mechanism via registry run keys
AnswerB

Mutex ensures only one instance runs; outbound connection indicates C2.

Why this answer

The mutex name 'Global\{5B9E4E7E-8B2C-4F6D-A1A3-F2C8D9E0A1B2}' is a well-known technique used by malware to ensure only one instance of itself runs on the system, preventing conflicts or multiple infections. The outbound connection to 203.0.113.50 on TCP port 4444 is a classic indicator of command and control (C2) communication, as port 4444 is commonly associated with reverse shells and C2 traffic (e.g., Metasploit default). Together, these two behaviors directly demonstrate single-instance execution safeguard and C2 communication.

Exam trap

EC-Council often tests the distinction between behavioral indicators (like mutex and network connections) and specific malware capabilities (like encryption or persistence), leading candidates to confuse a single-instance safeguard with anti-debugging or persistence techniques.

How to eliminate wrong answers

Option A is wrong because anti-debugging through timing checks involves measuring code execution time to detect debugger presence, not mutex creation or outbound connections. Option C is wrong because file encryption with a hardcoded AES key would manifest as file I/O operations and cryptographic API calls, not a mutex or a network connection on port 4444. Option D is wrong because persistence via registry run keys involves writing to 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run' or similar, which is not indicated by the mutex or the outbound connection.

18
MCQeasy

Which mobile forensic tool is specifically designed to extract data from a wide range of mobile devices, including both iOS and Android, and is commonly used by law enforcement agencies?

A.Cellebrite UFED
B.Magnet AXIOM
C.Oxygen Forensic Detective
D.FTK Imager
AnswerA

Cellebrite UFED is specifically designed for mobile device forensics.

Why this answer

Cellebrite UFED (Universal Forensic Extraction Device) is the correct answer because it is a dedicated hardware and software solution specifically engineered to extract data from a vast array of mobile devices, including iOS and Android, through both physical and logical acquisition methods. It is widely adopted by law enforcement agencies globally due to its ability to bypass lock screen security, support over 30,000 device profiles, and extract deleted data via advanced techniques like JTAG and chip-off.

Exam trap

Cisco often tests the distinction between a dedicated mobile extraction tool (Cellebrite UFED) and a multi-platform forensic analysis suite (Magnet AXIOM), causing candidates to pick AXIOM because it is more well-known in general digital forensics, even though it is not the primary tool for physical mobile extraction.

How to eliminate wrong answers

Option B (Magnet AXIOM) is wrong because it is primarily a computer forensic analysis platform that processes artifacts from multiple sources (mobile, cloud, computer) but is not a dedicated mobile extraction tool; it relies on other tools like UFED for the actual physical extraction from mobile devices. Option C (Oxygen Forensic Detective) is wrong because, while it is a strong mobile forensic tool, it is not specifically designed as a hardware-based extraction device for law enforcement; it is a software suite that often requires a separate hardware write blocker and does not offer the same breadth of physical extraction methods (e.g., JTAG, ISP) as Cellebrite UFED. Option D (FTK Imager) is wrong because it is a disk imaging and preview tool for computers and hard drives, not designed for mobile device extraction; it lacks the protocols (e.g., USB, ADB, iTunes backup parsing) and hardware interfaces needed to acquire data from iOS or Android devices.

19
MCQeasy

Which tool is specifically designed to perform physical extraction of data from mobile devices, including bypassing lock screens on many iOS and Android devices?

A.SIFT Workstation
B.FTK Imager
C.Cellebrite UFED
D.Wireshark
AnswerC

Cellebrite UFED specializes in physical extraction and lock screen bypass.

Why this answer

Cellebrite UFED (Universal Forensic Extraction Device) is a specialized hardware and software tool designed for physical extraction of data from mobile devices, including bypassing lock screen security on iOS and Android devices. It uses advanced techniques such as bootloader exploits, JTAG, chip-off, and proprietary software-based methods to acquire full file system images, even when the device is locked or encrypted.

Exam trap

EC-Council often tests the distinction between logical extraction (e.g., via ADB or iTunes backup) and physical extraction, and candidates may confuse FTK Imager (a computer forensics tool) with mobile extraction tools, missing that Cellebrite UFED is the only option capable of bypassing lock screens via hardware-level exploits.

How to eliminate wrong answers

Option A is wrong because SIFT Workstation is a forensic analysis platform for disk and memory analysis, not a mobile device extraction tool, and it cannot bypass lock screens. Option B is wrong because FTK Imager is a disk imaging tool for computers and storage media, lacking the hardware interfaces and exploit capabilities needed for mobile device physical extraction. Option D is wrong because Wireshark is a network protocol analyzer used for capturing and inspecting network traffic, not for physical data extraction from mobile devices.

20
MCQmedium

A security analyst notices a process named 'svchost.exe' running from the directory 'C:\Users\Public\svchost.exe'. This is suspicious because legitimate svchost.exe runs from 'C:\Windows\System32'. What type of indicator is this?

A.Network indicator
B.Behavioural indicator
C.File hash indicator
D.Registry key indicator
AnswerB

The process running from an anomalous path is a behavioural pattern.

Why this answer

B is correct because the presence of svchost.exe in C:\Users\Public\ instead of C:\Windows\System32 indicates a deviation from the expected execution path, which is a classic behavioral indicator. Behavioral indicators focus on anomalous actions or file placements rather than static attributes like hashes or network traffic.

Exam trap

EC-Council often tests the distinction between static indicators (file hash, registry key) and dynamic indicators (behavioral, network), and the trap here is that candidates confuse a file path anomaly with a network or registry indicator because they associate svchost.exe with system-level activity.

How to eliminate wrong answers

Option A is wrong because a network indicator would involve IP addresses, domain names, or communication patterns (e.g., DNS queries to a C2 server), not the file path of a running process. Option C is wrong because a file hash indicator is a static signature (e.g., MD5/SHA-1 hash) used to identify known malware, not the location or behavior of a process. Option D is wrong because a registry key indicator involves modifications to Windows Registry keys (e.g., Run keys for persistence), not the file system path of an executable.

21
Multi-Selectmedium

A forensic analyst is examining an Android device using ADB extraction. Which TWO statements about ADB extraction are true?

Select 2 answers
A.ADB extraction requires USB debugging to be enabled on the device
B.ADB extraction allows full file system access without root
C.ADB extraction can acquire a physical image of the device
D.ADB extraction can recover deleted files from unallocated space
E.ADB extraction requires the device to be authorized to the computer
AnswersA, E

USB debugging must be enabled for ADB to communicate with the device.

Why this answer

ADB (Android Debug Bridge) extraction requires USB debugging to be enabled on the device because ADB operates over a USB connection using the Android Debug Bridge protocol, which is only active when USB debugging is turned on in Developer Options. Without this setting, the device will not respond to ADB commands, making extraction impossible. This is a fundamental prerequisite for any ADB-based forensic acquisition.

Exam trap

Cisco often tests the misconception that ADB extraction provides full file system or physical access, but the trap is that ADB is a logical extraction method with significant privilege restrictions, and candidates confuse 'ADB backup' or 'ADB pull' with physical imaging capabilities.

22
MCQmedium

During a malware analysis, an analyst uses a tool to monitor registry changes, file system modifications, and process activity simultaneously. Which tool is BEST suited for this integrated monitoring?

A.Wireshark
B.Process Monitor
C.Regshot
D.Process Explorer
AnswerB

Process Monitor monitors registry, file system, and process activity.

Why this answer

Process Monitor (ProcMon) is the correct tool because it integrates real-time monitoring of registry changes, file system modifications, and process/thread activity into a single interface. It combines the legacy tools Regmon (registry) and Filemon (file system) with process monitoring, allowing an analyst to correlate events across all three subsystems simultaneously, which is essential for dynamic malware analysis.

Exam trap

EC-Council often tests the distinction between tools that perform real-time integrated monitoring (Process Monitor) versus tools that offer only snapshot comparisons (Regshot) or specialize in a single subsystem (Process Explorer), leading candidates to confuse Regshot's registry snapshot capability with live monitoring.

How to eliminate wrong answers

Option A is wrong because Wireshark is a network protocol analyzer that captures and inspects network traffic (e.g., packets over Ethernet, Wi-Fi), not registry, file system, or process activity. Option C is wrong because Regshot is a registry comparison tool that takes before-and-after snapshots of the registry and optionally the file system, but it does not monitor process activity or provide real-time, integrated monitoring. Option D is wrong because Process Explorer is a task manager and process analysis tool that shows detailed information about running processes, handles, and DLLs, but it does not monitor registry or file system changes in real time.

23
MCQmedium

A security analyst discovers a suspicious registry key: HKCU\Software\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate. The key points to a file in AppData. What is the most likely purpose of this registry key?

A.It logs the user's keystrokes
B.It ensures the malware runs every time the user logs in
C.It is a legitimate Windows update configuration
D.It stores the malware's configuration settings
AnswerB

The Run key is a standard persistence location for malware.

Why this answer

The registry key HKCU\Software\Microsoft\Windows\CurrentVersion\Run is a standard Windows autostart location. Malware commonly adds an entry here to achieve persistence, ensuring it executes every time the user logs in. The suspicious name 'WindowsUpdate' is a common masquerade tactic to hide malicious intent.

Exam trap

Cisco often tests the distinction between persistence mechanisms (like Run keys) and actual malware functionality; the trap here is assuming the key name 'WindowsUpdate' implies legitimate system behavior, when in fact it is a classic masquerade technique.

How to eliminate wrong answers

Option A is wrong because keystroke logging is a specific function of malware, not a property of the Run registry key itself; the key only specifies an executable to launch. Option C is wrong because legitimate Windows Update configuration is stored in system-level registry paths (e.g., HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate) and never in HKCU\...\Run. Option D is wrong because the Run key stores a command line to execute a program, not configuration settings; malware configuration is typically stored in separate files or other registry keys.

24
MCQmedium

A security analyst detects that a system's 'SeDebugPrivilege' is enabled for a suspicious process. Which technique is the malware MOST likely attempting to use?

A.Persistence through service
B.Anti-debugging
C.Network sniffing
D.Process injection
AnswerD

SeDebugPrivilege enables debugging and injecting code into other processes.

Why this answer

SeDebugPrivilege allows a process to debug other processes, including accessing and modifying their memory. Malware often enables this privilege to perform process injection, where malicious code is written into the memory of a legitimate process (e.g., via WriteProcessMemory and CreateRemoteThread) to evade detection and execute under the target process's context.

Exam trap

EC-Council often tests the misconception that SeDebugPrivilege is only for debugging or anti-debugging, but the exam trap is that it directly enables process injection and memory manipulation, not just debugging tools.

How to eliminate wrong answers

Option A is wrong because persistence through service typically involves creating or modifying Windows services (e.g., via sc.exe or registry keys like HKLM\SYSTEM\CurrentControlSet\Services), not enabling SeDebugPrivilege. Option B is wrong because anti-debugging techniques (e.g., IsDebuggerPresent, NtQueryInformationProcess) aim to prevent analysis, not leverage a debug privilege for code execution. Option C is wrong because network sniffing requires raw socket access or WinPcap/Npcap, not SeDebugPrivilege, which is a security privilege for process debugging.

25
MCQhard

During static analysis of a PE file, an analyst uses PEiD and detects the signature 'UPX 0.89.6 - 1.02 / 1.05 - 1.24'. What should the analyst do next?

A.The file is clean; no further analysis needed
B.Unpack the file using a UPX unpacker or manual unpacking
C.Delete the file as it is definitely malware
D.Run the file in a sandbox immediately
AnswerB

Unpacking is required to analyze the original code hidden by the packer.

Why this answer

The signature 'UPX 0.89.6 - 1.02 / 1.05 - 1.24' indicates the file is packed with UPX (Ultimate Packer for eXecutables). Packing is a common technique used by malware authors to obfuscate the original code and evade signature-based detection. The analyst must unpack the file using a UPX unpacker or manual unpacking to reveal the actual executable code for further static or dynamic analysis.

Exam trap

Cisco often tests the misconception that a packer signature automatically indicates malware, when in fact packing is a legitimate software distribution technique and the analyst must unpack the file to determine its true nature.

How to eliminate wrong answers

Option A is wrong because the presence of a packer signature like UPX does not mean the file is clean; packing is often used to hide malicious code. Option C is wrong because deleting the file without analysis destroys potential evidence and may be premature—packed files can be legitimate software, and the analyst must verify. Option D is wrong because running a packed file in a sandbox may not reveal the true behavior, as the unpacking routine must execute first; static unpacking is the proper next step to obtain the unpacked binary for analysis.

26
MCQmedium

An investigator recovers a suspicious file from a compromised system. Using PEiD, the file is detected as 'UPX 0.89.6 - 1.02 / 1.05 - 1.24'. What is the MOST appropriate next step in the analysis?

A.Delete the file as it is likely a false positive from a legitimate UPX-packed application.
B.Unpack the file using the UPX tool or manual unpacking to obtain the original executable.
C.Submit the packed file to VirusTotal to obtain a hash-based detection report.
D.Run the file in a sandbox without unpacking to observe dynamic behavior.
AnswerB

Unpacking is the standard next step to reveal the original code for static analysis.

Why this answer

The PEiD detection of 'UPX 0.89.6 - 1.02 / 1.05 - 1.24' confirms the file is packed with UPX (Ultimate Packer for eXecutables). Packing obfuscates the original code and often evades static analysis. The most appropriate next step is to unpack the file using the UPX tool (with the -d switch) or manual unpacking to recover the original executable for deeper static and dynamic analysis.

Exam trap

EC-Council often tests the misconception that a packer detection alone indicates a false positive or that dynamic analysis without unpacking is sufficient, when in fact unpacking is the foundational step to reveal the true executable for both static and dynamic analysis.

How to eliminate wrong answers

Option A is wrong because deleting the file based solely on a UPX packer detection is premature; UPX is commonly used by malware to compress and obfuscate code, and a legitimate application does not preclude malicious intent. Option C is wrong because submitting the packed file to VirusTotal may yield a hash that differs from the unpacked malware, potentially missing detection signatures that rely on the unpacked code. Option D is wrong because running the packed file in a sandbox without unpacking may cause the unpacking stub to execute and then the malware to run, but the packed state prevents proper static analysis and may not trigger all dynamic behaviors if the unpacking fails or is environment-aware.

27
MCQmedium

A security analyst is reviewing the output from a forensic tool examining an iOS Keychain. The analyst finds an entry with the attribute 'kSecAttrAccessible' set to 'kSecAttrAccessibleWhenUnlockedThisDeviceOnly'. What does this indicate?

A.The item is backed up to iCloud and can be restored to another device
B.The item is accessible even when the device is locked
C.The item is only accessible when the device is unlocked and is not backed up to iCloud
D.The item is stored in the Secure Enclave and cannot be extracted
AnswerC

This is the correct interpretation of the attribute.

Why this answer

The attribute 'kSecAttrAccessibleWhenUnlockedThisDeviceOnly' in iOS Keychain indicates that the item can only be accessed when the device is unlocked and is not included in any backup (iCloud or iTunes). This is because the 'ThisDeviceOnly' suffix ties the encryption key to the device's UID, preventing migration to another device or restoration from backup. Option C correctly captures both conditions: accessibility only when unlocked and exclusion from backups.

Exam trap

EC-Council often tests the misconception that 'ThisDeviceOnly' only affects backup behavior, when in fact it also prevents restoration to another device, and candidates may confuse 'WhenUnlocked' with 'AfterFirstUnlock' or 'Always', which have different lock-state requirements.

How to eliminate wrong answers

Option A is wrong because 'ThisDeviceOnly' explicitly prevents the item from being backed up to iCloud or restored to another device; only items without that suffix can be migrated. Option B is wrong because 'WhenUnlocked' means the item is only accessible when the device is unlocked, not when locked; the 'kSecAttrAccessibleWhenUnlocked' class requires the device to be unlocked for decryption. Option D is wrong because the Keychain item is encrypted with a key derived from the device's UID and the user's passcode, but it is not stored in the Secure Enclave; the Secure Enclave handles cryptographic operations but does not store Keychain items directly.

28
Multi-Selectmedium

An analyst is performing dynamic analysis of a malware sample in Cuckoo Sandbox. Which TWO of the following are typical indicators of command and control (C2) communication?

Select 2 answers
A.The malware creates a registry run key for persistence
B.The malware performs DNS queries to a domain that resolves to a known malicious IP
C.The malware modifies system files in C:\Windows\System32
D.The malware creates a mutex named 'Global\MyMutex'
E.The malware makes HTTP POST requests to a domain registered 2 days ago
AnswersB, E

DNS queries to malicious IPs are typical C2 beaconing activity.

Why this answer

In dynamic analysis with Cuckoo Sandbox, DNS queries to a domain that resolves to a known malicious IP are a classic indicator of C2 communication because the malware must resolve its command server's address before establishing a channel. Similarly, HTTP POST requests to a very recently registered domain (e.g., 2 days old) are suspicious, as attackers often use fresh domains to evade reputation-based blocklists, and POST is commonly used to exfiltrate data or receive commands.

Exam trap

EC-Council often tests the distinction between local host artifacts (persistence, mutexes, file modifications) and network-based C2 indicators, tricking candidates into selecting any suspicious behavior rather than focusing specifically on outbound communication patterns.

29
Multi-Selecthard

A malware analyst is analyzing a suspicious executable. Which THREE of the following are valid indicators of compromise (IoCs) that can be extracted from static analysis of the PE file? (Select THREE)

Select 3 answers
A.IP addresses from embedded strings
B.Registry keys modified during execution
C.MD5 hash of the file
D.File paths created during execution
E.List of imported DLLs and functions
AnswersA, C, E

Strings can be extracted from the binary without execution.

Why this answer

Option A is correct because static analysis of a PE file involves examining the file without executing it. Embedded strings, such as IP addresses, can be extracted using tools like `strings` or `binwalk` and serve as IoCs indicating command-and-control servers or other network destinations. These strings are stored in the PE file's data sections and are directly observable in the binary.

Exam trap

EC-Council often tests the distinction between static and dynamic analysis, trapping candidates who confuse runtime artifacts (like registry or file system changes) with data extractable from the PE file itself without execution.

30
Multi-Selectmedium

Which TWO of the following are SQLite databases commonly analysed during iOS forensic examinations?

Select 2 answers
A.AddressBook.db
B.call_history.db
C.com.apple.mobilemail.plist
D.SMS.db
E.keychain.plist
AnswersB, D

Stores call logs.

Why this answer

B is correct because `call_history.db` is a SQLite database on iOS devices that stores call logs, including incoming, outgoing, and missed calls with timestamps and durations. Forensic examiners analyze this database to reconstruct communication patterns and timelines during investigations.

Exam trap

EC-Council often tests the distinction between SQLite databases and plist files, trapping candidates who assume all iOS forensic artifacts are SQLite databases when many are property lists or other formats.

31
MCQmedium

During an iOS forensic examination, an analyst extracts the SMS.db file from an iTunes backup. Which table within this database contains the actual message content and associated metadata such as timestamps and sender/recipient information?

A.chat
B.message
C.attachment
D.handle
AnswerB

The 'message' table contains the actual message content, timestamps, and sender/recipient references.

Why this answer

The `message` table in SMS.db stores the actual message content (the `text` field) along with critical metadata such as `date` (Unix timestamp), `is_from_me` (sender/recipient indicator), and `handle_id` (foreign key to the `handle` table). This is the primary table for message body and timestamp data in iOS SMS/MMS forensics.

Exam trap

EC-Council often tests the distinction between the `message` table (content + timestamps) and the `handle` table (contact identifiers), leading candidates to confuse the `handle` table as containing message data when it only stores address book references.

How to eliminate wrong answers

Option A is wrong because the `chat` table stores conversation groupings (chat rooms) and references to messages via the `chat_message_join` table, not the message content itself. Option C is wrong because the `attachment` table stores metadata about file attachments (e.g., filename, MIME type, transfer state) but not the text content of messages. Option D is wrong because the `handle` table stores contact identifiers (phone numbers, email addresses) and their service types (iMessage, SMS), not the message body or timestamps.

32
MCQmedium

During a malware investigation, an analyst uses Process Monitor to observe a suspicious executable. The tool reveals that the process attempts to write to 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' and creates a file named 'svchost.exe' in 'C:\Users\Public\'. What is the MOST likely goal of this behavior?

A.Exfiltrating data to a remote C2 server
B.Establishing persistence by adding an auto-start entry
C.Disabling security software by modifying service entries
D.Privilege escalation by masquerading as a legitimate system process
AnswerB

The Run registry key is a standard auto-start location, ensuring the malware executes on user logon.

Why this answer

Writing to the 'Run' registry key (HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run) is a classic persistence mechanism: any executable listed there is automatically launched at user logon. Creating a file named 'svchost.exe' in a public directory is a masquerading attempt to blend in with the legitimate svchost.exe (which resides in System32), but the registry write is the definitive indicator of persistence via an auto-start entry.

Exam trap

EC-Council often tests the distinction between persistence (Run key) and privilege escalation (e.g., service path hijacking or token theft) — candidates confuse masquerading as a system process with actually gaining higher privileges, but the Run key write only ensures the malware runs at logon, not with elevated rights.

How to eliminate wrong answers

Option A is wrong because writing to the Run registry key and creating a local file are actions that establish foothold, not data exfiltration; exfiltration would involve network activity (e.g., HTTP POST, DNS tunneling) or file uploads, which Process Monitor did not show. Option C is wrong because disabling security software typically involves modifying service entries (e.g., HKLM\SYSTEM\CurrentControlSet\Services) or deleting security product binaries, not writing to the Run key or creating a fake svchost.exe. Option D is wrong because privilege escalation requires exploiting a vulnerability (e.g., token manipulation, UAC bypass) or abusing misconfigured permissions; simply naming a file 'svchost.exe' in a non-system directory is masquerading, not privilege escalation, and the Run key write does not elevate privileges.

33
MCQmedium

During a malware analysis session, an analyst uses Process Monitor (Procmon) to observe a suspicious executable. Which of the following behavioral indicators would MOST strongly suggest the malware is attempting to establish persistence?

A.Making outbound TCP connections to an IP address
B.Creating a named mutex
C.Writing to HKCU\Software\Microsoft\Windows\CurrentVersion\Run
D.Creating files in the %TEMP% directory
AnswerC

This registry key is used to run programs at user logon, a classic persistence technique.

Why this answer

Writing to HKCU\Software\Microsoft\Windows\CurrentVersion\Run is a classic persistence mechanism because Windows automatically launches programs listed in this registry key at user logon. Process Monitor capturing a write to this key directly indicates the malware is configuring itself to run on startup, which is the strongest evidence of persistence among the options.

Exam trap

EC-Council often tests the distinction between runtime indicators (network connections, mutexes, temp files) and persistence mechanisms (registry Run keys, scheduled tasks, startup folders), so candidates mistakenly pick outbound connections or mutexes as persistence when they are not.

How to eliminate wrong answers

Option A is wrong because making outbound TCP connections indicates network communication (e.g., C2 beaconing), not persistence. Option B is wrong because creating a named mutex is a synchronization primitive used to prevent multiple instances of a process, not a persistence mechanism. Option D is wrong because creating files in %TEMP% is typical for temporary data extraction or staging, but does not ensure the malware runs again after reboot.

34
Multi-Selectmedium

During an iOS forensics investigation, an examiner extracts an iTunes backup and finds the SQLite database files. Which TWO of the following databases are LEAST likely to contain forensically relevant artefacts for a communication analysis?

Select 2 answers
A.SMS.db
B.data_ark.db
C.AddressBook.db
D.tmp.db
E.call_history.db
AnswersB, D

Not a standard iOS backup database; likely not present or relevant.

Why this answer

B is correct because data_ark.db is not a standard iOS SQLite database; it does not exist in typical iOS backups or file systems. The name suggests a fabricated or non-standard artefact, making it least likely to contain forensically relevant communication data. In contrast, databases like SMS.db and call_history.db are well-documented repositories for SMS messages and call logs, respectively.

Exam trap

EC-Council often tests candidates' familiarity with standard iOS database filenames, and the trap here is that 'data_ark.db' sounds plausible (like an 'ark' for data) but is not a real iOS database, leading examinees to overlook it as a distractor.

35
Multi-Selectmedium

A malware analyst is performing dynamic analysis of a suspicious executable in a Cuckoo Sandbox environment. Which THREE of the following behavioural indicators would be considered suspicious and warrant further investigation?

Select 3 answers
A.Creating a mutex with a hardcoded name
B.Reading registry keys under HKLM\HARDWARE
C.Modifying the hosts file to redirect a domain
D.Writing a temporary file to %TEMP%
E.Connecting to an IP address associated with a known command-and-control server
AnswersA, C, E

Malware often creates a mutex with a unique name to ensure single instance; hardcoded mutex names are common in malware families.

Why this answer

Creating a mutex with a hardcoded name is a common anti-analysis technique used by malware to ensure only one instance runs, preventing multiple infections or sandbox detection. In Cuckoo Sandbox, a hardcoded mutex name (e.g., 'Global\MyMalwareMutex') can indicate a known malware family or a custom implementation, warranting further investigation as it often correlates with persistence or evasion logic.

Exam trap

Cisco often tests the distinction between common benign operations (like reading hardware registry keys or writing to %TEMP%) and truly malicious indicators, so candidates mistakenly flag normal system activities as suspicious without considering context.

36
MCQmedium

Which tool can be used to extract evidence from Android devices through the Android Debug Bridge (ADB) and is often used for logical acquisition?

A.Cellebrite UFED
B.PEiD
C.Cuckoo Sandbox
D.GrayKey
AnswerA

Supports ADB logical acquisition for Android.

Why this answer

Cellebrite UFED (Universal Forensic Extraction Device) is a widely used forensic tool that leverages Android Debug Bridge (ADB) to perform logical acquisition of Android devices. ADB allows the tool to communicate with the device's operating system via USB debugging, enabling extraction of call logs, contacts, SMS, and application data without physical chip-off. This makes it the correct choice for logical acquisition over ADB.

Exam trap

Cisco often tests the distinction between logical acquisition (via ADB) and physical acquisition (via JTAG or chip-off), and candidates may confuse GrayKey (iOS-focused) with Android tools because both are used for mobile forensics.

How to eliminate wrong answers

Option B (PEiD) is wrong because it is a packer identifier for Windows executables, used in malware analysis to detect packed or obfuscated PE files, and has no capability to interface with Android devices via ADB. Option C (Cuckoo Sandbox) is wrong because it is an automated malware analysis environment that runs suspicious files in a virtualized sandbox, not a mobile forensic acquisition tool for extracting evidence from Android devices. Option D (GrayKey) is wrong because, while it is a mobile forensic tool for iOS devices (specifically for bypassing passcodes and extracting data from iPhones), it does not use ADB and is not designed for Android logical acquisition.

37
MCQmedium

A forensic analyst is examining a SQLite database from an iOS device backup. The database contains a table named 'message' with columns 'ROWID', 'text', 'handle_id', and 'date'. This database is MOST likely part of which iOS system database?

A.SMS.db
B.call_history.db
C.Calendar.db
D.AddressBook.db
AnswerA

SMS.db stores text messages and iMessages in the 'message' table.

Why this answer

The 'message' table with columns 'ROWID', 'text', 'handle_id', and 'date' is the core schema of the SMS.db database on iOS devices. This database stores iMessage and SMS/MMS messages, where 'handle_id' links to the 'handle' table for contact identifiers and 'date' stores the timestamp in Apple's absolute time (seconds since 2001-01-01). The presence of these specific columns confirms it is the SMS/Message database.

Exam trap

Cisco often tests the misconception that 'message' tables are found in AddressBook.db or Calendar.db, but the specific column set (ROWID, text, handle_id, date) is unique to SMS.db in iOS forensics.

How to eliminate wrong answers

Option B is wrong because call_history.db stores call logs with columns like 'Z_PK', 'ZADDRESS', 'ZDATE', and 'ZDURATION', not a 'message' table with 'text' and 'handle_id'. Option C is wrong because Calendar.db uses tables like 'CalendarItem' and 'Recurrence' with columns for event dates and titles, not a 'message' table. Option D is wrong because AddressBook.db (now Contacts.sqlite) uses tables like 'ABPerson' and 'ABMultiValue' for contact data, not a 'message' table for text conversations.

38
Multi-Selecthard

A forensic examiner is analyzing a malware sample that creates the following registry keys for persistence: 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Malware', 'HKLM\System\CurrentControlSet\Services\MalService', and 'HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell'. Which TWO of the following statements are TRUE regarding these persistence mechanisms?

Select 2 answers
A.The Run key executes the malware when the user logs in.
B.The Services key ensures the malware runs with system privileges before user logon.
C.The Services key requires administrative privileges to create.
D.The Winlogon Shell key replaces the default Windows shell (explorer.exe) completely.
E.All three keys ensure persistence across reboots and user sessions.
AnswersA, B

The Run key is designed to run programs at user logon.

Why this answer

Option A is correct because the 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' key is a well-known autostart location that executes the specified program each time the user logs into their account. This is a common persistence mechanism used by malware to re-launch after a reboot, as Windows Explorer reads this key during the user logon process.

Exam trap

EC-Council often tests the misconception that the Winlogon Shell key completely replaces explorer.exe, when in fact it only adds an additional program to the logon process, and the default shell remains unless explicitly overridden.

39
Multi-Selecthard

Which THREE artefacts are typically recoverable from an iOS iTunes backup?

Select 3 answers
A.RAM dump of running processes
B.SMS.db containing text messages
C.AddressBook.db containing contacts
D.Call_history.db containing call logs
E.iCloud Keychain items
AnswersB, C, D

SMS.db is included in iTunes backups.

Why this answer

Option B is correct because an iTunes backup of an iOS device includes the SQLite database file SMS.db, which stores all text messages (iMessages and SMS). This file is located in the backup's AppDomain group for com.apple.mobileSMS and can be extracted and parsed to recover message content, timestamps, and sender/receiver information.

Exam trap

Cisco often tests the distinction between what is stored in a local iTunes backup versus cloud-based or volatile artifacts, leading candidates to incorrectly include iCloud Keychain items or RAM data as recoverable from a backup.

40
MCQeasy

In mobile forensics, which acquisition method preserves the highest level of data integrity and captures the most data from an iOS device?

A.File system acquisition
B.Physical acquisition
C.Logical acquisition
D.Manual acquisition
AnswerB

Physical acquisition creates a bit-for-bit copy of the entire flash memory, preserving all data including deleted files.

Why this answer

Physical acquisition is correct because it creates a bit-for-bit copy of the entire flash storage, including unallocated space, deleted files, and system partitions. This method bypasses the iOS file system abstraction, preserving the highest data integrity and capturing all recoverable data, unlike higher-level acquisitions that only retrieve accessible files.

Exam trap

EC-Council often tests the misconception that 'file system acquisition' is the most thorough because it includes system files, but the trap is that physical acquisition alone captures unallocated space and deleted data, which file system acquisition cannot access due to iOS sandboxing and file system abstraction.

How to eliminate wrong answers

Option A is wrong because file system acquisition only copies allocated files and metadata visible through the iOS file system (e.g., via AFC or iTunes backup), missing deleted data and unallocated space, thus providing lower integrity and less data. Option C is wrong because logical acquisition extracts only user-accessible data (e.g., contacts, messages) via APIs like iTunes backup or libimobiledevice, ignoring system files and deleted artifacts, resulting in the least data capture. Option D is wrong because manual acquisition involves physically interacting with the device screen to capture data (e.g., screenshots or notes), which is highly operator-dependent, alters the device state, and cannot recover hidden or deleted data, offering the lowest integrity and data completeness.

41
MCQhard

In an iOS forensic examination, an analyst extracts an encrypted iTunes backup. The backup contains a file named 'manifest.plist' which lists the backup version and encryption state. Which tool is specifically designed to brute-force the backup password using GPU acceleration?

A.Hashcat
B.Oxygen Forensic Detective
C.Cellebrite UFED
D.GrayKey
AnswerA

Hashcat can crack iTunes backup passwords using GPU acceleration with mode 14700 for iTunes backups.

Why this answer

Hashcat is the correct tool because it is a password recovery utility that leverages GPU acceleration to perform high-speed brute-force attacks on encrypted iTunes backup passwords. It can directly process the password hash extracted from the 'manifest.plist' file, which contains the backup version and encryption state, allowing efficient cracking of the backup password.

Exam trap

Cisco often tests the distinction between tools used for physical device extraction (like Cellebrite UFED or GrayKey) versus those used for password cracking (like Hashcat), and the trap here is that candidates may confuse GrayKey's passcode bypass capability with backup password cracking, even though GrayKey does not use GPU acceleration for brute-forcing encrypted backups.

How to eliminate wrong answers

Option B (Oxygen Forensic Detective) is wrong because it is a forensic analysis suite for extracting and analyzing mobile device data, not a dedicated password cracking tool with GPU acceleration. Option C (Cellebrite UFED) is wrong because it is a physical extraction and forensic imaging tool for mobile devices, not designed for brute-forcing encrypted backup passwords using GPU acceleration. Option D (GrayKey) is wrong because it is a specialized device for bypassing iOS passcodes via hardware exploits or software vulnerabilities, not for cracking encrypted iTunes backup passwords with GPU-accelerated brute-force attacks.

42
MCQmedium

An incident responder receives an alert that a workstation is beaconing to a known malicious IP address. The responder captures network traffic and analyzes it with Wireshark. Which of the following would be an immediate indicator of compromise (IoC) visible in the traffic capture?

A.Large file transfers during off-hours
B.ARP requests from unknown MAC addresses
C.Encrypted payloads using TLS 1.3
D.Repeated connections to a known malicious IP address on a non-standard port
AnswerD

A known malicious IP is a clear IoC; repeated connections suggest beaconing.

Why this answer

Option D is correct because repeated connections to a known malicious IP address on a non-standard port directly match the definition of a beaconing indicator of compromise (IoC). In network traffic analysis, beaconing is characterized by periodic, outbound connections to a command-and-control (C2) server, often using a non-standard port to evade detection. This pattern is a primary IoC in malware forensics and is immediately visible in Wireshark as a series of TCP SYN packets to the same IP and port at regular intervals.

Exam trap

Cisco often tests the distinction between a direct IoC (like beaconing to a known malicious IP) and secondary indicators (like large file transfers or ARP anomalies) that require additional context to confirm compromise.

How to eliminate wrong answers

Option A is wrong because large file transfers during off-hours may indicate data exfiltration but are not an immediate indicator of beaconing; they are a secondary behavioral anomaly that requires correlation with other evidence. Option B is wrong because ARP requests from unknown MAC addresses indicate local network scanning or spoofing, not beaconing to a remote malicious IP; ARP operates at Layer 2 and does not reveal C2 communication patterns. Option C is wrong because encrypted payloads using TLS 1.3 are not inherently malicious; TLS 1.3 is a standard security protocol used by legitimate services, and its presence alone does not indicate compromise—beaconing is defined by connection patterns, not encryption.

43
MCQhard

An incident responder analyzes a compromised system and finds evidence of timestomping: the Modified timestamp of a malicious DLL is earlier than the Creation timestamp. Additionally, the DLL is encrypted with an XOR key. Which anti-forensic techniques are being employed?

A.Timestomping and obfuscation
B.Packer and anti-debugging
C.Rootkit installation and process hiding
D.Log wiping and data hiding
AnswerA

Timestamp manipulation is timestomping; XOR encryption is obfuscation/packing.

Why this answer

Timestomping is confirmed because the Modified timestamp (which tracks file content changes) is earlier than the Creation timestamp, which is logically impossible under normal file system operations—this indicates an attacker deliberately set the Modified timestamp backward to evade timeline analysis. The XOR encryption of the DLL is a form of obfuscation, a technique used to hide the true content of the file from static analysis tools and signature-based detection. Together, these two actions represent the anti-forensic techniques of timestomping and obfuscation.

Exam trap

EC-Council often tests the distinction between obfuscation (e.g., XOR encryption) and packing (e.g., UPX compression), where candidates mistakenly equate any encryption with a packer, but a packer specifically alters the PE structure and includes a decompression stub, while XOR obfuscation is a simpler, non-structural transformation.

How to eliminate wrong answers

Option B is wrong because a packer compresses or encrypts an executable to reduce size or evade signature detection, but it does not alter timestamps, and anti-debugging techniques (e.g., IsDebuggerPresent API calls) are runtime defenses, not file-level obfuscation or timestamp manipulation. Option C is wrong because rootkit installation involves modifying the OS kernel or system calls to hide processes or files, and process hiding is a runtime concealment method—neither directly relates to timestamp manipulation or XOR encryption of a single DLL. Option D is wrong because log wiping targets system or application logs (e.g., clearing Event Logs or /var/log files), and data hiding typically refers to steganography or alternate data streams, not XOR encryption of a DLL.

44
Multi-Selectmedium

Which THREE of the following are common techniques used by malware to achieve persistence on a Windows system? (Select THREE)

Select 3 answers
A.Creating a scheduled task
B.Process hollowing
C.Adding a value to HKCU\Software\Microsoft\Windows\CurrentVersion\Run
D.WMI event subscription
E.Installing as a Windows service
AnswersA, C, E

Scheduled tasks can run malware at specific times or events.

Why this answer

Creating a scheduled task is a common persistence technique because it allows malware to execute at predefined times or system events, such as user logon or system startup. The Windows Task Scheduler can run arbitrary executables with SYSTEM privileges, making it a reliable method for maintaining access even after a reboot.

Exam trap

EC-Council often tests the distinction between persistence mechanisms and execution/injection techniques, so the trap here is confusing process hollowing (a runtime evasion method) with persistence methods that survive reboots.

45
MCQmedium

During a mobile forensic investigation, an analyst uses Cellebrite UFED to extract data from a locked iOS device. The extraction successfully retrieves the device's passcode, call logs, SMS messages, and application data. Which extraction method did the analyst MOST likely use?

A.File system extraction
B.Physical extraction
C.Advanced logical extraction
D.Logical extraction
AnswerC

Advanced logical extraction (e.g., via UFED) can extract passcodes and app data from locked iOS devices.

Why this answer

C is correct because Advanced Logical Extraction (ALE) on Cellebrite UFED leverages a combination of file system parsing, agent-based extraction, and exploit techniques to retrieve the device passcode, call logs, SMS messages, and application data from a locked iOS device without requiring a full physical dump. This method bypasses the logical extraction limitations by using a custom agent or AFC (Apple File Conduit) to access protected data, making it the most likely method for the described successful extraction.

Exam trap

Cisco often tests the misconception that 'physical extraction' is the most powerful method for locked iOS devices, but the trap here is that physical extraction is rarely achievable on modern iOS due to hardware encryption, whereas Advanced Logical Extraction is the practical method used by tools like Cellebrite UFED to retrieve passcodes and application data from locked devices.

How to eliminate wrong answers

Option A is wrong because file system extraction typically requires the device to be jailbroken or have an unlocked state to mount the file system and retrieve raw files; it does not inherently retrieve the passcode from a locked device. Option B is wrong because physical extraction on iOS devices is extremely limited due to hardware encryption and secure enclave protections, and it rarely succeeds on locked devices without advanced bootrom exploits (e.g., checkm8), which are not standard in Cellebrite UFED for passcode retrieval. Option D is wrong because logical extraction only retrieves data that the device's operating system exposes via standard APIs (e.g., iTunes backup), which does not include the passcode or deep application data from a locked device.

46
Multi-Selectmedium

During a mobile forensic investigation, an examiner wants to recover deleted WhatsApp messages from an Android device. Which of the following artefacts should the examiner examine? (Select TWO.)

Select 2 answers
A./data/media/0/Android/data/com.whatsapp/
B./data/data/com.android.providers.telephony/databases/mmssms.db
C./data/data/com.whatsapp/databases/msgstore.db
D./data/data/com.whatsapp/files/Avatars/
E./data/data/com.google.android.gms/databases/
AnswersA, C

This directory contains WhatsApp media and backup files that may include message history.

Why this answer

Option A is correct because WhatsApp stores media files (images, videos, voice notes) in the external app-specific directory `/data/media/0/Android/data/com.whatsapp/`. Even after a message is deleted from the chat, the media file may remain in this directory if it was not explicitly removed, allowing recovery. Option C is correct because the primary SQLite database `msgstore.db` in `/data/data/com.whatsapp/databases/` contains the chat messages, including deleted entries that are often only marked as deleted but not physically removed until a vacuum operation.

Exam trap

Cisco often tests the distinction between the app-specific data directory (`/data/data/`) and the external media directory (`/data/media/0/`), tricking candidates into thinking only the internal database holds deleted messages, while media files in the external directory are also recoverable artefacts.

47
Multi-Selectmedium

A forensic examiner is analyzing an Android device and needs to extract application data from the /data/data/ directory. Which TWO conditions must be met to access this directory? (Select TWO.)

Select 2 answers
A.USB debugging must be enabled
B.The device must be rooted
C.The device must be in recovery mode
D.The bootloader must be unlocked
E.The screen must be unlocked
AnswersA, B

ADB requires USB debugging to be enabled.

Why this answer

The /data/data/ directory on Android contains application private data, which is protected by Linux user permissions (UID/GID) and SELinux policies. USB debugging must be enabled (Option A) to allow the forensic workstation to communicate with the device via ADB (Android Debug Bridge) for command execution. The device must be rooted (Option B) because the /data/data/ directory is owned by the system and individual app UIDs, and only a root user (UID 0) can bypass these permissions to read all application data.

Exam trap

EC-Council often tests the misconception that unlocking the bootloader or using recovery mode alone provides full filesystem access, but the key distinction is that root privileges are required to override Linux UID permissions, and USB debugging is required for ADB communication.

48
MCQmedium

An analyst is performing malware analysis and executes a suspicious binary in a sandbox. The sandbox reports that the binary creates a mutex named 'Global\DRIVER_UPDATE_MTX' before attempting to connect to 'http://malicious.com/update'. Which tool would BEST capture the network traffic during dynamic analysis?

A.Regshot
B.Wireshark
C.Process Explorer
D.Process Monitor
AnswerB

Wireshark captures and analyzes network packets, ideal for monitoring C2 traffic.

Why this answer

Wireshark is the correct tool because it captures and analyzes network packets at the protocol level, allowing the analyst to inspect the HTTP request to 'http://malicious.com/update', including headers, payload, and any subsequent data exfiltration. Dynamic analysis of malware requires monitoring network traffic to identify command-and-control (C2) communications, and Wireshark provides full packet capture (PCAP) for this purpose.

Exam trap

EC-Council often tests the distinction between host-based monitoring tools (like Process Monitor and Process Explorer) and network-based capture tools (like Wireshark), leading candidates to choose a host-based tool when the question explicitly asks for network traffic capture.

How to eliminate wrong answers

Option A is wrong because Regshot is a registry and file system snapshot comparison tool, not a network traffic capture tool; it cannot capture HTTP or TCP/IP packets. Option C is wrong because Process Explorer is a process management and analysis utility that shows handles, DLLs, and threads, but it does not capture network traffic at the packet level. Option D is wrong because Process Monitor monitors file system, registry, and process/thread activity in real time, but it does not capture raw network packets or HTTP traffic.

49
MCQeasy

Which of the following is an example of an indicator of compromise (IoC) that can be used to detect malware on a network?

A.A mutex name
B.A known malicious IP address
C.A registry key modification
D.A file's MD5 hash
AnswerB

Malicious IP addresses are network-based IoCs indicating C2 or malware distribution.

Why this answer

A known malicious IP address is a classic indicator of compromise (IoC) because it directly identifies a command-and-control (C2) server or a source of malicious traffic. Network monitoring tools can match outbound or inbound connections against threat intelligence feeds of known bad IPs, triggering an alert. This is a network-based IoC that requires no host-level analysis, making it ideal for initial detection.

Exam trap

EC-Council often tests the distinction between network-based and host-based IoCs, and the trap here is that candidates mistakenly classify host-level artifacts (mutex, registry, hash) as network IoCs because they are common in malware analysis, but the question explicitly asks for an indicator 'on a network'.

How to eliminate wrong answers

Option A is wrong because a mutex name is a host-based artifact used to detect malware on an infected system (e.g., ensuring only one instance runs), not a network-based IoC. Option C is wrong because a registry key modification is a host-based forensic artifact indicating persistence or configuration changes on a Windows system, not a network-level indicator. Option D is wrong because a file's MD5 hash is a host-based file integrity check or malware signature, used to identify known malicious files on disk, not to detect malware on the network.

50
Multi-Selecthard

During a mobile forensic examination of an iOS device, the analyst encounters encrypted backups. Which THREE of the following are valid methods to access the data?

Select 3 answers
A.Performing a logical acquisition via ADB
B.Using Cellebrite UFED to force a physical extraction without backup
C.Obtaining the backup password from the device owner through legal process
D.Brute-forcing the backup password using a tool like Elcomsoft Phone Breaker
E.Using GrayKey to bypass the device passcode and then extract the backup key
AnswersC, D, E

If legally permissible, the user can provide the password.

Why this answer

Option C is correct because obtaining the backup password from the device owner through a legal process is a standard and valid method to access encrypted iOS backups. The backup password is required to decrypt the backup data, and if the owner provides it voluntarily or through a court order, the forensic analyst can legally access the encrypted backup contents.

Exam trap

EC-Council often tests the misconception that physical extraction is always possible on iOS devices, but hardware encryption and the Secure Enclave make physical extraction infeasible on modern iPhones without the passcode or backup password.

51
MCQhard

A malware analyst is examining a PE file that has a section named '.tls' and imports from 'kernel32.dll' and 'ntdll.dll'. The entry point points to a small stub that decrypts the main code at runtime. Which of the following best describes this technique?

A.Code injection via Reflective DLL
B.TLS callback-based decryption
C.Packing with UPX
D.Anti-debugging via NtGlobalFlag
AnswerB

TLS callbacks can execute before the main entry point, often used to decrypt code.

Why this answer

The presence of a '.tls' section in a PE file, combined with imports from kernel32.dll and ntdll.dll, indicates the use of Thread Local Storage (TLS) callbacks. These callbacks execute before the entry point, allowing the malware to decrypt the main code at runtime before the main executable logic runs. This is a classic TLS callback-based decryption technique, not a form of code injection or packing.

Exam trap

EC-Council often tests the distinction between TLS callbacks and other obfuscation techniques, and the trap here is that candidates confuse the '.tls' section with packing or injection, failing to recognize that TLS callbacks execute before the entry point and are a legitimate PE feature exploited for decryption.

How to eliminate wrong answers

Option A is wrong because Reflective DLL injection involves loading a DLL from memory without using the standard LoadLibrary API, and it does not rely on a '.tls' section or TLS callbacks for decryption. Option C is wrong because UPX packing typically adds sections like 'UPX0' and 'UPX1', not a '.tls' section, and the entry point usually points to a unpacking stub, not a decryption stub that uses TLS callbacks. Option D is wrong because anti-debugging via NtGlobalFlag involves checking the Process Environment Block (PEB) for the BeingDebugged flag or NtGlobalFlag value, which is unrelated to the '.tls' section or runtime decryption of code.

52
MCQhard

During malware dynamic analysis in a sandbox, a sample creates a file named 'C:\Users\Admin\AppData\Local\Temp\svchost.dll' and then executes 'rundll32.exe C:\Users\Admin\AppData\Local\Temp\svchost.dll,Start'. This behavior is indicative of which technique?

A.DLL injection
B.Process hollowing
C.Reflective DLL loading
D.DLL side-loading
AnswerD

The malware placed a malicious DLL in a location where rundll32.exe will load it, exploiting the search order.

Why this answer

D is correct because the sample places a malicious DLL named 'svchost.dll' in a user-writable directory (Temp) and then invokes it via rundll32.exe, which is a legitimate Microsoft binary. This exploits the Windows DLL search order: when rundll32.exe loads the DLL without specifying a full path, Windows first searches the application's directory, then system directories, but here the attacker explicitly provides the full path to the Temp folder, bypassing the search order and forcing the load of the attacker's DLL. This is classic DLL side-loading, where a trusted executable loads a malicious DLL from a non-standard location.

Exam trap

The trap here is that candidates confuse DLL side-loading with DLL injection because both involve a DLL being loaded by a legitimate process, but side-loading relies on the search order and file placement, while injection requires active code injection into a running process.

How to eliminate wrong answers

Option A is wrong because DLL injection involves forcing a target process to load a DLL into its address space using API calls like CreateRemoteThread and LoadLibrary, not by executing a DLL directly via rundll32.exe. Option B is wrong because process hollowing replaces the legitimate code of a process (e.g., svchost.exe) with malicious code in memory, whereas here the sample executes rundll32.exe to load a DLL, not hollowing out an existing process. Option C is wrong because reflective DLL loading loads a DLL entirely from memory without touching the disk, but here the DLL is written to disk first (C:\Users\Admin\AppData\Local\Temp\svchost.dll) and then executed, so it is not reflective.

53
Multi-Selecthard

A malware analyst is performing static analysis on a packed executable. Which THREE techniques are effective for unpacking or analyzing packed malware? (Select THREE.)

Select 3 answers
A.Renaming the file to .txt
B.Performing strings analysis on the packed binary
C.Running PEiD to identify the packer
D.Executing the sample in Cuckoo Sandbox
E.Using OllyDbg to step through the unpacking routine
AnswersB, C, E

Strings may reveal embedded data or unpacked code regions.

Why this answer

Option B is correct because performing strings analysis on a packed binary can reveal embedded strings, such as import hints, configuration data, or the original entry point (OEP), which may survive packing. While packing obfuscates many strings, some packers leave remnants that static analysis tools like `strings` can extract, providing initial clues about the malware's functionality without execution.

Exam trap

EC-Council often tests the distinction between static and dynamic analysis techniques, and the trap here is that candidates may incorrectly select dynamic methods like Cuckoo Sandbox (Option D) when the question explicitly limits the scope to static analysis.

54
MCQmedium

During an iOS forensic examination, an analyst extracts an iTunes backup and finds the file '3d0d7e5fb2ce288813306e4d4636395e047a3d28'. Which type of data does this file typically contain?

A.Call history
B.SMS and iMessage conversations
C.Keychain data
D.Notes app data
AnswerD

The hash corresponds to the Notes app's SQLite database (NotesStore.sqlite).

Why this answer

The file '3d0d7e5fb2ce288813306e4d4636395e047a3d28' is the SQLite database (NotesStore.sqlite) that stores Apple's Notes app data in an iOS backup. Its SHA-1 hash name corresponds to the domain 'AppDomain-com.apple.mobilenotes' and contains the notes, attachments, and metadata. This is a well-known artifact in iOS forensics for recovering user-created notes.

Exam trap

Cisco often tests the misconception that all hash-named files in iOS backups are SMS or iMessage databases, but the specific hash '3d0d7e5fb2ce288813306e4d4636395e047a3d28' is uniquely tied to the Notes app, not SMS.

How to eliminate wrong answers

Option A is wrong because call history is stored in the file 'call_history.db' (or 'CallHistory.storedata') under the domain 'com.apple.callhistory', not in a hash-named file associated with the Notes app. Option B is wrong because SMS and iMessage conversations are stored in the 'sms.db' file (or '3d0d7e5fb2ce288813306e4d4636395e047a3d28' is not the correct hash for SMS; the actual SMS database hash is different, e.g., '3d0d7e5fb2ce288813306e4d4636395e047a3d28' is specifically for Notes). Option C is wrong because Keychain data is stored in the 'keychain-backup.plist' or 'keychain-2.db' files, not in a SQLite database with this hash; Keychain uses encrypted plist or SQLite files with different identifiers.

55
MCQeasy

Which mobile forensic tool is commonly used for physical extraction of iOS devices via checkm8 exploit?

A.GrayKey
B.Cellebrite UFED
C.Magnet AXIOM
D.Oxygen Forensic Detective
AnswerA

GrayKey is specifically designed to use the checkm8 exploit for physical extraction.

Why this answer

GrayKey is correct because it is a dedicated forensic tool that leverages the checkm8 bootrom exploit (CVE-2019-15971) to perform physical extraction on iOS devices. The checkm8 exploit is unpatchable in hardware, allowing GrayKey to bypass the device's security enclave and extract a full file system image, including encrypted data, from iPhones up to the iPhone X.

Exam trap

EC-Council often tests the misconception that Cellebrite UFED is the primary tool for all mobile extractions, but the trap here is that checkm8 is a specific hardware-level exploit unique to GrayKey, not a general feature of commercial forensic suites.

How to eliminate wrong answers

Option B (Cellebrite UFED) is wrong because while Cellebrite UFED can perform physical extractions on many devices, it does not natively use the checkm8 exploit; instead, it relies on other methods like advanced logical extraction or proprietary bootloader exploits for iOS, and checkm8-based extraction is typically associated with GrayKey. Option C (Magnet AXIOM) is wrong because it is a forensic analysis platform that processes data from various sources but does not perform physical extraction via checkm8; it imports data from other tools like GrayKey or Cellebrite. Option D (Oxygen Forensic Detective) is wrong because it is a forensic analysis tool that supports logical and file system extractions but does not implement the checkm8 exploit for physical extraction; it relies on other acquisition methods or third-party tools.

56
Multi-Selecthard

A security analyst observes a process making repeated network connections to an IP address 192.168.1.100 on TCP port 4444, and the process writes a DLL file to C:\Users\Public\. Which THREE actions should the analyst take immediately as part of dynamic analysis?

Select 3 answers
A.Isolate the host from the network to prevent further C2 communication
B.Capture a memory dump using FTK Imager or similar
C.Delete the DLL file to stop the malware
D.Monitor process creation and file system activity with Process Monitor
E.Reimage the hard drive to remove the malware
AnswersA, B, D

Isolation stops the malware from communicating and spreading.

Why this answer

Option A is correct because isolating the host from the network immediately stops the ongoing C2 communication to 192.168.1.100 on TCP port 4444, which is a common port for reverse shells (e.g., Metasploit). This containment prevents further data exfiltration, lateral movement, or command execution by the attacker, and is a critical first step in dynamic analysis to preserve the integrity of the investigation.

Exam trap

EC-Council often tests the distinction between immediate dynamic analysis actions (containment, monitoring, memory capture) versus destructive or premature remediation steps (deleting files, reimaging), and the trap here is that candidates mistakenly choose to delete the DLL or reimage the drive, thinking it will stop the malware, when in fact it destroys evidence and bypasses the forensic process.

57
MCQmedium

An examiner is analyzing an Android device using Cellebrite UFED. The device is locked with a PIN, and the examiner has no PIN. Which acquisition type should the examiner attempt FIRST to maximize data recovery without destroying evidence?

A.Logical extraction via ADB backup
B.Manual extraction by photographing the screen
C.File system extraction via ADB root shell
D.Physical extraction using a bootloader exploit
AnswerA

ADB backup can often be performed on a locked device without root, providing a logical copy of user data.

Why this answer

Option A is correct because when an Android device is locked with a PIN and no PIN is known, a logical extraction via ADB backup is the safest first step. ADB backup (adb backup) can capture app data and system settings without requiring root or unlocking the bootloader, and it does not modify the device state, preserving evidence integrity. This method works if USB debugging was previously enabled, which is common in forensic acquisitions, and it avoids the risk of triggering lockout or data wiping that physical methods might cause.

Exam trap

EC-Council often tests the misconception that physical extraction is always the best first step for locked devices, but the trap here is that bootloader exploits or physical methods can trigger data wiping or require unlocking, whereas ADB backup is a non-invasive logical method that preserves evidence integrity when USB debugging is enabled.

How to eliminate wrong answers

Option B is wrong because manual extraction by photographing the screen is a non-acquisition technique that only captures visible content, not underlying data like deleted files or app databases, and it is not a standard forensic acquisition method for maximizing data recovery. Option C is wrong because file system extraction via ADB root shell requires root access, which is not available on a locked device without a PIN; attempting to root the device could modify system partitions and destroy evidence. Option D is wrong because physical extraction using a bootloader exploit often requires unlocking the bootloader, which wipes the device (factory reset) as a security measure, destroying all user data and making it unsuitable as a first attempt.

58
Multi-Selectmedium

Which TWO tools are commonly used for static analysis of malware binaries?

Select 2 answers
A.Cuckoo Sandbox
B.Wireshark
C.IDA Pro
D.Ghidra
E.Process Monitor
AnswersC, D

IDA Pro is a disassembler and debugger for static analysis.

Why this answer

IDA Pro is a leading interactive disassembler and debugger used for static analysis of malware binaries. It allows analysts to examine executable code without executing it, by disassembling machine code into assembly language and providing cross-references, function graphs, and decompilation capabilities. This makes it essential for reverse engineering malicious software to understand its logic, embedded strings, and control flow.

Exam trap

EC-Council often tests the distinction between static and dynamic analysis tools, and the trap here is that candidates confuse tools that monitor live behavior (like Cuckoo Sandbox or Process Monitor) with those that analyze code without execution, leading them to select dynamic analysis tools for a static analysis question.

59
MCQeasy

Which tool is specifically designed for dynamic analysis of malware by executing it in a controlled, isolated environment and logging its behavior?

A.PEiD
B.IDA Pro
C.Ghidra
D.Cuckoo Sandbox
AnswerD

Dynamic analysis sandbox.

Why this answer

Cuckoo Sandbox is the correct answer because it is an open-source automated malware analysis system specifically designed to execute suspicious files in a controlled, isolated environment (a sandbox) and log their behavior, including system calls, file system changes, network traffic, and memory dumps. Unlike static analysis tools, Cuckoo performs dynamic analysis by actually running the malware and observing its runtime actions.

Exam trap

Cisco often tests the distinction between static analysis tools (like PEiD, IDA Pro, Ghidra) and dynamic analysis tools (like Cuckoo Sandbox), trapping candidates who confuse reverse engineering with automated behavioral analysis in a sandbox.

How to eliminate wrong answers

Option A is wrong because PEiD is a static analysis tool that detects packers, cryptors, and compilers in PE files by scanning file signatures; it does not execute malware or log runtime behavior. Option B is wrong because IDA Pro is a disassembler and debugger used for static and interactive reverse engineering of binary code, not for automated dynamic analysis in an isolated sandbox environment. Option C is wrong because Ghidra is a reverse engineering framework developed by the NSA that focuses on static analysis and decompilation, lacking the sandboxed execution and behavior logging capabilities of a dedicated dynamic analysis tool like Cuckoo.

60
MCQhard

During an Android forensic examination, the analyst uses ADB to run 'adb shell dumpsys batterystats --reset' before acquiring data. What is the MOST likely purpose of this command?

A.To clear battery logs that may contain evidence of app activity
B.This command is not recommended in forensic acquisition as it may destroy potential evidence
C.To ensure the device is in a low-power state for safe extraction
D.To optimize device performance during imaging
AnswerB

Resetting battery stats erases historical battery data, which could include evidence of app usage or timestamps.

Why this answer

Option B is correct because the 'adb shell dumpsys batterystats --reset' command clears the battery statistics logs on the device. In forensic acquisition, any command that modifies or deletes data on the device is considered destructive to evidence. The reset operation removes historical battery data that may contain timestamps and app usage patterns, which could be critical evidence.

Therefore, this command is not recommended in forensic acquisition as it may destroy potential evidence.

Exam trap

EC-Council often tests the misconception that clearing logs is a benign or preparatory step, when in fact any command that modifies device state during acquisition violates forensic best practices and may be considered evidence spoliation.

How to eliminate wrong answers

Option A is wrong because clearing battery logs is precisely what the command does, and while those logs may contain evidence of app activity, the purpose of the command is to reset them, not to preserve them; the question asks for the 'most likely purpose' in a forensic context, which is that it is destructive. Option C is wrong because the command does not affect the device's power state; it only resets battery statistics data, and ensuring a low-power state is achieved through other means like disabling radios or using airplane mode. Option D is wrong because the command does not optimize device performance during imaging; it only clears battery stats, and performance optimization is irrelevant to forensic acquisition.

61
MCQmedium

A security analyst notices that a compromised Android device's /data/data/com.example.app/databases/ directory contains a database with tables named 'accounts', 'transactions', and 'settings'. Which type of forensic acquisition would be MOST appropriate to capture this app-specific data while preserving deleted records?

A.Physical extraction
B.File system extraction
C.Logical extraction via ADB
D.Manual extraction via device UI
AnswerA

Physical extraction provides a complete bit-for-bit image, including deleted data.

Why this answer

Physical extraction creates a bit-for-bit copy of the entire flash memory, including unallocated space and deleted SQLite records that have not been overwritten. This is the only method that can recover deleted rows from the 'accounts', 'transactions', and 'settings' tables because logical and file-system extractions typically skip unallocated blocks. The /data/data/com.example.app/databases/ directory is protected by Android's sandboxing, but physical acquisition bypasses the OS and reads the raw NAND or eMMC blocks directly.

Exam trap

Cisco often tests the misconception that file system extraction (Option B) can recover deleted app data, but candidates forget that file system extraction only sees allocated files and does not capture unallocated space where deleted SQLite records persist.

How to eliminate wrong answers

Option B (File system extraction) is wrong because it only retrieves allocated files and metadata from the mounted file system, missing deleted records that reside in unallocated space or SQLite free pages. Option C (Logical extraction via ADB) is wrong because ADB backup or content provider queries only export active data and cannot access deleted rows or unallocated clusters. Option D (Manual extraction via device UI) is wrong because the user interface only displays current application data and provides no mechanism to recover deleted database entries.

62
MCQhard

During a malware investigation, an analyst identifies a suspicious file that appears to be a Windows executable. Using PEiD, the analyst detects the file is packed with UPX. After unpacking, the analyst runs the file in a sandbox and observes it modifies the following registry key: HKCU\Software\Microsoft\Windows\CurrentVersion\Run\MalService. What behavioural indicator is primarily demonstrated?

A.Persistence mechanism
B.Command and control communication
C.Anti-forensic technique (timestomping)
D.Privilege escalation attempt
AnswerA

Adding a value to the Run key ensures persistence.

Why this answer

The modification of the registry key HKCU\Software\Microsoft\Windows\CurrentVersion\Run\MalService is a classic persistence mechanism. By adding an entry to the Run key, the malware ensures that it executes automatically every time the user logs into the system, maintaining its presence across reboots.

Exam trap

EC-Council often tests the distinction between persistence and privilege escalation, where candidates mistakenly think modifying HKCU\Run requires administrative rights, but it only requires user-level access and is a persistence technique, not an escalation attempt.

How to eliminate wrong answers

Option B is wrong because command and control communication involves network traffic to an external server (e.g., HTTP, DNS, or IRC), not a local registry modification. Option C is wrong because anti-forensic techniques like timestomping alter file timestamps (e.g., using SetFileTime or touch), not registry keys. Option D is wrong because privilege escalation attempts typically target security tokens or exploit vulnerabilities to gain higher access (e.g., SeDebugPrivilege or UAC bypass), not setting a user-level Run key.

63
MCQmedium

An Android forensic analyst connects a suspect device to their workstation and issues the command "adb backup -apk -shared -all -f backup.ab". Which type of acquisition is being performed?

A.Manual acquisition through device UI
B.Physical acquisition via JTAG
C.Logical acquisition via ADB backup
D.File system acquisition via dd
AnswerC

ADB backup creates a logical backup of app data and settings.

Why this answer

The command `adb backup -apk -shared -all -f backup.ab` creates a full Android backup via the Android Debug Bridge (ADB) protocol. This is a logical acquisition because it requests user data and installed APKs through the high-level backup service, not a bit-for-bit copy of the storage. The resulting `.ab` file is an Android Backup archive, which contains files and directories that the device’s backup manager chooses to export, making it a logical extraction.

Exam trap

Cisco often tests the distinction between logical and physical acquisition by presenting a command that looks like it might be low-level (e.g., containing 'backup' or 'all') but is actually a logical method, leading candidates to mistakenly choose physical or file system acquisition.

How to eliminate wrong answers

Option A is wrong because manual acquisition through the device UI involves navigating menus and copying data manually, not using ADB commands. Option B is wrong because physical acquisition via JTAG requires hardware-level access to the device’s JTAG interface to dump raw flash memory, not a software command over USB. Option D is wrong because file system acquisition via `dd` creates a bit-for-bit image of a partition or block device, whereas `adb backup` only extracts logical files and does not capture deleted data or unallocated space.

64
MCQmedium

During a malware analysis, an analyst runs a suspicious executable in a Cuckoo Sandbox and observes that the process creates a mutex named 'Global\XPSS-1.0.0' and writes a registry key under HKCU\Software\Microsoft\Windows\CurrentVersion\Run. What do these actions MOST likely indicate?

A.The malware is performing privilege escalation by exploiting a known vulnerability.
B.The malware is communicating with a command-and-control server to receive further instructions.
C.The malware is attempting to hide its presence by using a system mutex name and a legitimate registry location.
D.The malware is establishing persistence and ensuring only one instance of itself runs.
AnswerD

The Run registry key provides persistence, and the mutex prevents multiple instances.

Why this answer

The mutex 'Global\XPSS-1.0.0' is used to prevent multiple instances of the malware from running simultaneously, which is a common anti-analysis and stability technique. Writing a registry key under HKCU\Software\Microsoft\Windows\CurrentVersion\Run is a standard method for achieving persistence, ensuring the malware executes automatically at user logon. Together, these actions directly indicate persistence and single-instance control, not privilege escalation, C2 communication, or hiding.

Exam trap

EC-Council often tests the distinction between persistence mechanisms and hiding techniques, trapping candidates who confuse a standard persistence location (Run key) with a stealth or concealment method, when hiding typically involves alternate data streams, registry run keys under Policies, or rootkit-level hooks.

How to eliminate wrong answers

Option A is wrong because creating a mutex and writing a Run key are not techniques for privilege escalation; privilege escalation typically involves exploiting vulnerabilities (e.g., via token manipulation or kernel exploits) to gain higher access rights, not mutex or registry operations. Option B is wrong because mutex creation and Run key persistence are local system actions; communication with a command-and-control server would involve network connections (e.g., HTTP, DNS, or IRC traffic) and is not directly indicated by these artifacts. Option C is wrong because the mutex name 'Global\XPSS-1.0.0' is not a standard system mutex (system mutexes often use 'Global\' prefix with well-known names like 'Global\MSCTF.CtfMonitor') and the Run key is a well-known persistence location, not a hiding technique; hiding would involve rootkits, fileless techniques, or stealthy registry locations like HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run.

65
MCQhard

A forensic analyst is examining an Android device that has been factory reset. Which type of data is LEAST likely to be recoverable using forensic tools?

A.Google account tokens stored in AccountManager
B.Encrypted app data from /data/data/
C.System logs in /data/log/
D.Deleted text messages from SQLite files
AnswerB

File-based encryption keys are wiped; data is inaccessible.

Why this answer

After a factory reset, the /data partition is wiped and re-encrypted with a new key. Encrypted app data stored under /data/data/ is protected by file-based encryption (FBE) using a per-user encryption key that is discarded during the reset. Without the original encryption key, forensic tools cannot decrypt this data, making it the least likely to be recoverable.

Exam trap

Cisco often tests the misconception that a factory reset makes all data permanently unrecoverable, but the trap here is that encrypted data is truly irrecoverable due to key destruction, whereas unencrypted or synced data may still be retrieved from residual storage or cloud sources.

How to eliminate wrong answers

Option A is wrong because Google account tokens stored in AccountManager are often synced to Google's servers and may be recoverable from cloud backups or Google's authentication logs, even after a factory reset. Option C is wrong because system logs in /data/log/ are plaintext files that, although overwritten by the reset, may still be partially recoverable using file carving techniques if the blocks have not been overwritten. Option D is wrong because deleted text messages from SQLite files reside in the /data partition, and while the database is wiped, unallocated space may still contain remnants of the deleted records that can be recovered with forensic tools like Cellebrite or Oxygen Forensic Detective.

66
Multi-Selecteasy

A forensic analyst is performing static analysis of a Windows PE file. Which TWO of the following tools are specifically designed for static analysis of malware?

Select 2 answers
A.Wireshark
B.Cuckoo Sandbox
C.IDA Pro
D.Ghidra
E.Process Monitor
AnswersC, D

IDA Pro is a disassembler and debugger used for static analysis.

Why this answer

IDA Pro is a disassembler and debugger that allows analysts to reverse-engineer binary executables by converting machine code into assembly language. For static analysis of malware, IDA Pro enables examination of the PE file's structure, strings, imports, and code flow without executing the sample, making it a core tool for malware forensics.

Exam trap

EC-Council often tests the distinction between static and dynamic analysis tools, and the trap here is that candidates confuse network or process monitoring tools (Wireshark, Process Monitor) with static analysis, or mistake sandboxing (Cuckoo) for static analysis when it is inherently dynamic.

67
Multi-Selectmedium

A forensic examiner is analyzing an iOS device backup and wants to extract the user's iCloud-related artefacts. Which TWO of the following are typical sources of iCloud artefacts in an iTunes backup?

Select 2 answers
A.AddressBook.db
B.com.apple.accounts.plist
C.Call_history.db
D.Keychain database (keychain-backup.plist)
E.SMS.db
AnswersB, D

This plist contains iCloud account details.

Why this answer

Option B is correct because the `com.apple.accounts.plist` file in an iTunes backup stores the user's iCloud account configuration, including the primary iCloud email address and associated account metadata. This plist is a direct source for identifying which iCloud account was configured on the device, making it a key artefact for iCloud-related analysis.

Exam trap

EC-Council often tests the misconception that iCloud artefacts are found in user-facing databases like SMS.db or AddressBook.db, when in fact they reside in system configuration files like plists and the Keychain database.

68
MCQmedium

A forensic examiner is analyzing an Android device and wants to extract the database containing the user's text messages (SMS). In which directory would the examiner typically find the SMS database on a non-rooted device?

A./data/data/com.android.providers.contacts/databases/
B./data/data/com.android.providers.calendar/databases/
C./data/data/com.android.providers.downloads/databases/
D./data/data/com.android.providers.telephony/databases/
AnswerD

mmssms.db is stored here.

Why this answer

The SMS database on Android devices is stored by the telephony provider, which manages SMS/MMS messages. On non-rooted devices, the database is located at /data/data/com.android.providers.telephony/databases/mmssms.db, as the package com.android.providers.telephony is the system application responsible for handling SMS and MMS operations.

Exam trap

EC-Council often tests the distinction between Android system packages; the trap here is confusing the telephony provider (SMS) with the contacts provider (call logs/contacts) or other providers, as candidates may incorrectly associate SMS with contacts due to their functional overlap in messaging apps.

How to eliminate wrong answers

Option A is wrong because com.android.providers.contacts manages contact data, not SMS messages; its databases contain contact information and call logs. Option B is wrong because com.android.providers.calendar handles calendar events and reminders, not SMS. Option C is wrong because com.android.providers.downloads manages download history and files, not SMS messages.

69
MCQhard

A security analyst runs a dynamic analysis of a suspected malware sample using Cuckoo Sandbox. The report shows that the sample created a mutex named 'Global\MyMaliciousMutex', added a registry run key under HKCU\Software\Microsoft\Windows\CurrentVersion\Run, and attempted to communicate with an IP address 185.10.68.12 on port 443. Which of the following is the BEST immediate indicator of compromise (IoC) to share with the threat intelligence team?

A.The registry run key location
B.The sample's MD5 hash
C.The IP address 185.10.68.12
D.The mutex name 'Global\MyMaliciousMutex'
AnswerC

The C2 IP address can be blocked at the firewall or added to threat intel feeds to prevent further communication.

Why this answer

The network C2 IP address is direct and actionable for blocklisting. Registry keys and mutex names can be used for detection but are less definitive for network defense.

70
Multi-Selectmedium

A malware analyst is performing static analysis on a suspicious PE file. Which TWO of the following are examples of anti-forensic techniques that the malware might use to hinder analysis? (Select TWO.)

Select 2 answers
A.Using TLS encryption for network communication
B.Packing or obfuscating the malicious code
C.Creating registry keys for persistence
D.Writing temporary files to the %TEMP% directory
E.Timestomping to modify file creation and modification timestamps
AnswersB, E

Packing obfuscates the code to evade signature detection and analysis.

Why this answer

Packing or obfuscating the malicious code (Option B) is a classic anti-forensic technique used to hinder static analysis. Packers compress or encrypt the original PE file's code and data, making it unreadable to disassemblers and signature-based scanners until the unpacking stub executes at runtime. This forces the analyst to perform dynamic analysis or manual unpacking, significantly increasing the time and complexity of the investigation.

Exam trap

EC-Council often tests the distinction between anti-forensic techniques (which actively hinder analysis) and common malware behaviors (which are forensic artifacts themselves), so candidates mistakenly select persistence or file-writing options as anti-forensic when they are actually evidence-creating actions.

71
MCQeasy

During an iOS forensics investigation, an examiner wants to extract call history records from an iPhone backup. Which SQLite database file should be examined?

A.SMS.db
B.AddressBook.db
C.call_history.db
D.Calendar.sqlitedb
AnswerC

call_history.db contains call records.

Why this answer

In iOS forensics, call history records are stored in the SQLite database file named 'call_history.db' (or 'CallHistory.storedata' in newer iOS versions). This database contains tables such as 'call' and 'ZCALLRECORD' that log incoming, outgoing, and missed calls along with timestamps and durations. Examining this file directly from an iTunes backup or device extraction provides the examiner with the complete call log.

Exam trap

EC-Council often tests the specific naming of iOS forensic artifacts; the trap here is that candidates confuse 'SMS.db' (which stores messages) with call logs, or assume call history is stored in a more generic database like 'AddressBook.db'.

How to eliminate wrong answers

Option A is wrong because SMS.db stores SMS and iMessage conversations, not call history records. Option B is wrong because AddressBook.db (or Contacts.sqlitedb) stores contact names, phone numbers, and email addresses, but does not contain call logs. Option D is wrong because Calendar.sqlitedb stores calendar events and reminders, not telephony call records.

72
MCQeasy

Which of the following is a key difference between static analysis and dynamic analysis in malware forensics?

A.Static analysis requires the malware to be executed, while dynamic analysis does not.
B.Static analysis is used only for packed malware, while dynamic analysis is used for unpacked.
C.Dynamic analysis uses tools like IDA Pro, while static uses Cuckoo Sandbox.
D.Static analyzes the code without execution; dynamic executes the malware.
AnswerD

Correct distinction.

Why this answer

Option D is correct because static analysis involves examining the malware's code (e.g., disassembly, string extraction, hash analysis) without executing it, while dynamic analysis runs the malware in a controlled sandbox environment to observe its runtime behavior, such as file system changes, registry modifications, and network connections. This fundamental distinction is critical in malware forensics to safely understand the threat without risking infection.

Exam trap

EC-Council often tests the reversal of definitions (execution vs. non-execution) to catch candidates who confuse static and dynamic analysis roles.

How to eliminate wrong answers

Option A is wrong because it reverses the definitions: static analysis does NOT require execution, while dynamic analysis does. Option B is wrong because static analysis can be applied to both packed and unpacked malware (though packing complicates static analysis), and dynamic analysis works regardless of packing by observing runtime behavior. Option C is wrong because IDA Pro is a static analysis tool (disassembler/decompiler), while Cuckoo Sandbox is a dynamic analysis tool (automated malware execution environment); the option swaps their correct classifications.

73
MCQeasy

An Android phone is seized, and the forensic examiner needs to acquire the device in a forensically sound manner. The phone is running Android 12 and has USB debugging enabled. Which acquisition method provides the most complete data without physically modifying the device?

A.File system acquisition via Cellebrite UFED
B.Physical acquisition via ADB with appropriate exploit
C.Logical acquisition through ADB backup
D.Manual extraction using screen captures
AnswerB

Physical acquisition via ADB (e.g., using dd or a custom recovery) can obtain a full physical image, providing the most comprehensive data.

Why this answer

Option B is correct because physical acquisition via ADB with an appropriate exploit allows the examiner to obtain a complete bit-for-bit copy of the device's flash memory, including deleted data and unallocated space, without physically modifying the device. Since Android 12 has USB debugging enabled, ADB can be used to push an exploit that bypasses security restrictions to perform a physical dump, which is the most comprehensive method available for this scenario.

Exam trap

EC-Council often tests the misconception that file system acquisition via Cellebrite UFED is the most complete method, but candidates must remember that physical acquisition captures raw flash memory including deleted data, whereas file system acquisition only retrieves active files.

How to eliminate wrong answers

Option A is wrong because Cellebrite UFED file system acquisition typically extracts only the file system structure (files and directories) and does not capture raw flash memory or unallocated space, missing deleted data and hidden partitions. Option C is wrong because logical acquisition through ADB backup only retrieves app data and system settings specified by the backup API, not the entire device storage, and it cannot recover deleted files or raw disk images. Option D is wrong because manual extraction using screen captures is not a forensic acquisition method; it only captures visible screen content and provides no access to underlying data, making it forensically unsound and incomplete.

74
MCQmedium

A forensic analyst is examining an Android device that was factory reset before seizure. Which Google account artefacts are MOST likely still recoverable from the device's storage?

A.All installed application APK files
B.Full SMS message history
C.Google account authentication tokens and cached account data
D.Encryption keys for user data partition
AnswerC

Auth tokens and cached account info can persist in /data/system/ or unallocated space even after factory reset.

Why this answer

Factory reset on Android typically wipes user data partitions (e.g., /data) but does not securely overwrite the entire flash storage. Google account authentication tokens (e.g., OAuth 2.0 tokens) and cached account data (e.g., account names, sync settings) are often stored in system-level databases or encrypted key stores that may persist in unallocated or residual flash blocks, especially if TRIM or secure erase was not executed. These artefacts can be recovered via forensic imaging and carving of the raw NAND or eMMC.

Exam trap

EC-Council often tests the misconception that a factory reset securely erases all user data, when in reality residual artefacts like authentication tokens can persist in unallocated flash storage due to incomplete overwrite or lack of TRIM execution.

How to eliminate wrong answers

Option A is wrong because APK files are stored in the /data/app directory, which is part of the user data partition that is wiped during a factory reset; residual APK fragments are rarely recoverable in a complete, installable form. Option B is wrong because SMS messages are stored in the /data/data/com.android.providers.telephony/databases/mmssms.db file, which is also on the user data partition and is deleted during reset; while some fragments may remain in unallocated space, full message history is not reliably recoverable. Option D is wrong because encryption keys for the user data partition (e.g., FBE or FDE keys) are stored in the device's hardware-backed keystore or TEE and are cryptographically invalidated or wiped during factory reset, making them unrecoverable.

75
MCQmedium

A security analyst suspects malware infection on a Windows workstation. They run Process Monitor and observe that a process named 'svch0st.exe' creates a mutex named 'Global\Mutex_1234' and writes to the registry key 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run'. Which malware persistence mechanism is being used?

A.Scheduled task creation
B.Service installation
C.DLL search order hijacking
D.Run key persistence
AnswerD

The Run registry key is a common persistence location for malware to launch on user logon.

Why this answer

The process 'svch0st.exe' writes to the registry key 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run', which is a classic Run key used for automatic program execution at user logon. This is the most common malware persistence mechanism, as any executable referenced there will start each time the user logs in. The creation of a mutex named 'Global\Mutex_1234' is a common anti-reinfection technique to ensure only one instance of the malware runs, but the persistence is established via the Run key.

Exam trap

EC-Council often tests the distinction between user-level persistence (HKCU Run key) and system-level persistence (HKLM Run key or service installation), and candidates may confuse the 'Run' key with scheduled tasks or services because all three can launch executables at startup.

How to eliminate wrong answers

Option A is wrong because scheduled task creation uses the Task Scheduler service and writes to the '\Windows\System32\Tasks' directory or the 'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache' registry key, not to the 'Run' key. Option B is wrong because service installation requires writing to 'HKLM\SYSTEM\CurrentControlSet\Services' and typically uses the 'CreateService' API, not the 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' key. Option C is wrong because DLL search order hijacking involves placing a malicious DLL in a directory searched before the legitimate DLL (e.g., the application's directory or the current working directory) and does not involve writing to a Run registry key or creating a mutex.

Page 1 of 3 · 164 questions totalNext →

Ready to test yourself?

Try a timed practice session using only Chfi Mobile Malware questions.