CCNA Forensics Investigation Questions

10 questions · Forensics Investigation topic · All types, answers revealed

1
Multi-Select · medium

Which TWO of the following are considered essential steps in the computer forensics investigation process according to EC-Council guidelines?

Select 2 answers
A. Identification of potential evidence
B. Data recovery from damaged media
C. Deletion of irrelevant data
D. Preservation of the integrity of evidence
E. Public disclosure of findings
Answers: A, D

Identification is the first step in the forensic process.

Why this answer

Identification of potential evidence is a core initial step in the EC-Council's computer forensics investigation process because it defines the scope and sources of data that may contain relevant evidence. Without proper identification, investigators risk missing critical data or collecting irrelevant information, which can compromise the entire investigation. This step involves recognizing potential evidence sources such as hard drives, network logs, and volatile memory, ensuring that all relevant data is accounted for before collection begins.

Exam trap

The trap here is that candidates often confuse specialized techniques like data recovery or data deletion with the core essential steps, leading them to select options that are not part of the standard EC-Council forensics process.

2
MCQ · easy

During a forensic investigation, an analyst discovers that the suspect's hard drive was encrypted using BitLocker. The analyst has obtained the recovery key. Which of the following is the best next step to ensure data integrity?

A. Decrypt the drive using the recovery key and then create a forensic image.
B. Run a live analysis tool to extract encryption keys from memory.
C. Create a forensic image of the encrypted drive, then decrypt the image.
D. Boot the suspect computer and copy files to an external drive.
Answer: C

This preserves the original encrypted state and allows analysis of the decrypted image.

Why this answer

Option C is correct because creating a forensic image of the encrypted drive before decryption preserves the original evidence in its pristine, unaltered state. Decrypting the image later using the recovery key ensures that the original encrypted data remains intact and verifiable, maintaining data integrity throughout the investigation.

Exam trap

EC-Council often tests the principle that forensic imaging must occur before any decryption or analysis to preserve evidence integrity, and candidates mistakenly believe decryption first is acceptable because they have the key.

How to eliminate wrong answers

Option A is wrong because decrypting the drive directly on the original hardware modifies the data and metadata, breaking the chain of custody and potentially altering evidence. Option B is wrong because running a live analysis tool to extract encryption keys from memory is unnecessary when the recovery key is already obtained, and live acquisition risks modifying the system state and compromising integrity. Option D is wrong because booting the suspect computer and copying files to an external drive alters the original media and does not create a bit-for-bit forensic image, violating forensic best practices.

3
Drag & Drop · medium

Drag and drop the steps to perform forensic imaging of a hard drive using FTK Imager into the correct order.


Why this order

Forensic imaging involves selecting source, configuring destination, and verifying integrity with hash.

4
MCQ · medium

A CHFI analyst is called to investigate a suspected data breach. The IT team has already shut down the server. Which of the following is the most appropriate order of actions to preserve evidence?

A. Immediately power on the server to check for running processes.
B. Copy all files from the server to an external USB drive.
C. Run antivirus scan to ensure no malware is present before imaging.
D. Secure the scene, photograph the setup, document connections, remove hard drives, and create forensic images using a write-blocker.
Answer: D

This follows proper forensic procedure: secure, document, collect, image with write-blocker.

Why this answer

Option D is correct because it follows the established forensic investigation process: secure the scene to prevent contamination, document the state of the server (photographs and connection diagrams), then physically remove the hard drives and create forensic images using a write-blocker to preserve the original data without alteration. This ensures evidence integrity and admissibility in legal proceedings.

Exam trap

EC-Council often tests the misconception that immediate data collection (like powering on or scanning) is acceptable, when in fact the first priority is to preserve the scene and prevent any modification to the evidence.

How to eliminate wrong answers

Option A is wrong because powering on a server that has been shut down can alter volatile data (e.g., memory contents, temporary files, system logs) and may trigger anti-forensic mechanisms, destroying evidence. Option B is wrong because copying files directly to an external USB drive modifies file metadata (e.g., last access timestamps) and does not capture deleted data or unallocated space, violating forensic best practices. Option C is wrong because running an antivirus scan on a live or powered-off system can modify files (e.g., quarantine, deletion, or repair) and alter the evidence, compromising its integrity.

5
MCQ · hard

You are a CHFI analyst responding to a security incident at a medium-sized financial firm. The IT team reports that an employee's workstation (Windows 10, single SSD) was used to access sensitive customer data without authorization. The workstation is still running, and the employee is currently logged in. The IT team has isolated the machine from the network but has not powered it off. You have been called to perform forensic acquisition. The company policy requires preservation of volatile data and a full disk image. The machine has 16 GB RAM and a 512 GB SSD. You have a forensic toolkit including FTK Imager, win32dd (for memory acquisition), and a write-blocker. Which of the following is the best course of action?

A. Use win32dd to capture the contents of RAM to an external drive, then use FTK Imager to create a physical image of the SSD over the network to a secure share.
B. Perform a graceful shutdown via the operating system, then remove the SSD and image it using a hardware write-blocker.
C. Boot the workstation from a forensic live CD, then use 'dd' to image the SSD to an external USB drive.
D. Immediately shut down the workstation by unplugging the power cord, remove the SSD, and create a forensic image using a write-blocker on a forensic workstation.
Answer: A

This captures memory first (volatile data) and then acquires a disk image while the system is still running, preserving evidence.

Why this answer

Option A is correct because it follows the proper order of volatility: capturing RAM first (volatile data) using win32dd, then imaging the SSD with FTK Imager. Since the machine is still running and isolated, network imaging is acceptable and preserves the disk state without risking data loss from a shutdown. This approach complies with the requirement to preserve volatile data and create a full disk image.

Exam trap

EC-Council often tests the order of volatility (RFC 3227) and the misconception that a graceful shutdown is safe, when in fact it destroys volatile data and alters disk state.

How to eliminate wrong answers

Option B is wrong because a graceful shutdown triggers OS cleanup processes that overwrite volatile data in RAM and may alter disk artifacts (e.g., pagefile, registry hives), violating forensic integrity. Option C is wrong because booting from a forensic live CD would overwrite portions of RAM and potentially modify the SSD (e.g., via temporary files or partition table changes), and using 'dd' without a write-blocker on a running system risks writes to the source drive. Option D is wrong because immediately unplugging the power cord loses all volatile data (RAM, network connections, process lists) that must be preserved per policy, and it may cause filesystem corruption on the SSD.

6
Matching · medium

Match each forensic tool to its primary purpose.


Acquisition and preview of disk images

Forensic analysis and evidence processing

Memory forensics and analysis

Network packet capture and analysis

Open-source file system analysis

Why these pairings

These are standard tools used in digital forensics for specific tasks.

7
Drag & Drop · medium

Drag and drop the steps to perform a forensic analysis of a PDF file for hidden data or malicious content into the correct order.


Why this order

PDF forensics involves parsing objects, checking for scripts, and sandbox analysis.

8
MCQ · medium

An analyst executed the commands shown in the exhibit on a Windows system to prepare a forensic image for analysis. What is the most likely reason for the error message from e2fsck?

A. The analyst failed to properly dismount the source volume before imaging, leading to filesystem inconsistencies.
B. The forensic image was not acquired with a write-blocker, causing data corruption.
C. The image file contains an NTFS filesystem, but e2fsck is designed for ext filesystems.
D. The e2fsck command syntax is incorrect; it should be 'e2fsck -f -n' instead.
Answer: A

The fsutil dismount command was run on C:, but the image was taken later, possibly without ensuring the volume was cleanly unmounted.

Why this answer

The error message from e2fsck indicates that the filesystem has inconsistencies, which typically occur when a volume is imaged while it is still mounted and actively being written to. The analyst likely did not dismount the source volume before acquiring the forensic image, resulting in a snapshot that reflects an inconsistent state (e.g., dirty journal, unflushed writes). This is a common chain-of-custody and acquisition procedure error in forensic imaging.

Exam trap

EC-Council often tests the misconception that a write-blocker alone guarantees a forensically sound image, but the trap here is that even with a write-blocker, imaging a mounted volume can produce an inconsistent filesystem because the OS may have pending writes in cache.

How to eliminate wrong answers

Option B is wrong because a write-blocker prevents writes to the source drive during acquisition, but it does not affect the consistency of the filesystem on the source volume if the volume was mounted and active; the error is about filesystem state, not write-blocker usage. Option C is wrong because the exhibit shows the analyst used 'dd' to create a raw image, and e2fsck is designed for ext2/3/4 filesystems; if the image contained NTFS, e2fsck would produce a different error (e.g., 'bad magic number') rather than a filesystem inconsistency error. Option D is wrong because the syntax 'e2fsck -f -n' is valid (force check and non-interactive), but the error message shown is about filesystem inconsistencies, not a command syntax error; the command executed correctly and detected the issue.

9
Matching · medium

Match each email forensic artifact to its source.


Message source (RFC 5322 headers)

Microsoft Outlook personal folder

Microsoft Exchange server

Unix-based email clients

Individual email message export

Why these pairings

These artifacts store email data in different formats.

10
MCQ · hard

An incident responder has acquired a forensic image of a Linux server suspected of being compromised. The image was taken using 'dd' with no compression. The analyst needs to verify the integrity of the image. Which command should be used and what should be compared?

A. Use 'cmp' to compare the image byte-by-byte with the original drive.
B. Use 'md5sum image.dd' and compare with the original file's MD5 hash provided by the system administrator.
C. Run 'fsck' on the image to check for filesystem errors.
D. Use 'sha256sum image.dd' and compare with the hash computed during acquisition from the source device.
Answer: D

SHA-256 is strong and comparing with the hash from the source verifies integrity.

Why this answer

Option D is correct because the SHA-256 hash computed during acquisition from the source device provides a cryptographic integrity check. By recomputing the hash on the acquired image and comparing it to the original hash, the analyst can verify that the image is an exact bit-for-bit copy without any alteration or corruption. SHA-256 is preferred over MD5 in forensic contexts due to its stronger collision resistance.

Exam trap

EC-Council often tests the distinction between integrity verification (hash comparison) and filesystem checking (fsck), and the trap here is that candidates may choose 'cmp' or 'md5sum' because they sound familiar, without recognizing that 'cmp' requires the original drive and MD5 is no longer considered forensically sound.

How to eliminate wrong answers

Option A is wrong because 'cmp' compares the image file to the original drive, but the original drive is no longer available (or should not be accessed again to preserve evidence) and this approach requires direct access to the source, which defeats the purpose of forensic imaging. Option B is wrong because comparing the MD5 hash of the image to a hash provided by the system administrator is unreliable; the administrator's hash could be compromised or not computed at the time of acquisition, and MD5 is cryptographically weak and deprecated for forensic integrity verification. Option C is wrong because 'fsck' checks filesystem consistency, not bit-for-bit integrity; a filesystem can pass fsck even if the image has been tampered with or corrupted at the block level.
