CCNA Network Cloud Forensics Questions

27 questions · Network Cloud Forensics topic · All types, answers revealed

1
MCQ · hard

An investigator finds the above IAM policy attached to an S3 bucket. What is the security concern?

A. The resource does not include all objects
B. The policy version is outdated
C. The bucket is publicly accessible to read objects
D. The policy allows anyone to write objects to the bucket
Answer: C

Principal: * allows any user to perform GetObject.

Why this answer

Option C is correct because the IAM policy's `Principal` is set to `"*"` (wildcard), which means any unauthenticated user or anonymous entity on the internet can perform the `s3:GetObject` action. This makes the S3 bucket publicly readable, exposing all objects stored in the bucket to anyone who knows the bucket name and object key. The `Effect` is `Allow` and there is no condition restricting access, so the policy grants open read access to the entire bucket.

Exam trap

EC-Council often tests the distinction between a wildcard `Principal` (public access) and a wildcard `Resource` (which is normal for bucket policies), so candidates mistakenly think the `/*` in the Resource field is the security issue, when it is actually the `"*"` in the Principal field that creates the vulnerability.

How to eliminate wrong answers

Option A is wrong because the `Resource` field uses `arn:aws:s3:::example-bucket/*`, which correctly includes all objects within the bucket (the `/*` suffix covers all object keys). Option B is wrong because the policy version `2012-10-17` is the current and recommended version for IAM policies; there is no security concern tied to using this version. Option D is wrong because the policy only grants `s3:GetObject` (read) permission, not `s3:PutObject` or any write action, so it does not allow anyone to write objects to the bucket.

2
MCQ · medium

During a cloud forensics investigation, the investigator discovers that the cloud provider uses shared storage for multiple tenants. Which challenge is MOST likely to arise when acquiring a forensic image?

A. Physical acquisition of the storage device is required
B. No API access to the storage system
C. Inability to decrypt data at rest
D. Data commingling with other tenants
Answer: D

Shared storage can result in data from multiple tenants occupying the same physical media, complicating isolation.

Why this answer

In cloud environments with shared storage, data from multiple tenants resides on the same physical or logical volume. When acquiring a forensic image, the investigator cannot isolate a single tenant's data without also capturing other tenants' data, leading to data commingling. This violates chain-of-custody and privacy principles, making it the primary challenge.

Exam trap

EC-Council often tests the misconception that physical access or encryption are the main hurdles, but the real challenge in cloud forensics is data commingling due to shared tenancy, which complicates legal and technical acquisition.

How to eliminate wrong answers

Option A is wrong because cloud storage is abstracted from physical hardware; physical acquisition is rarely possible or necessary, as forensic acquisition is performed via APIs or snapshots. Option B is wrong because cloud providers typically offer APIs (e.g., AWS S3 API, Azure Blob Storage REST API) for accessing storage, though permissions may be restricted. Option C is wrong because while encryption at rest is common, it is not an inherent challenge of shared storage; decryption keys are usually managed by the provider or tenant and can be obtained through proper legal channels.

3
MCQ · hard

A forensic analyst is examining a network intrusion detection system (NIDS) alert that triggered on a packet with the FIN, PSH, and URG flags set. What type of scan does this indicate?

A. Xmas scan
B. NULL scan
C. SYN scan
D. ACK scan
Answer: A

Xmas scan sets FIN, PSH, and URG flags to evade detection and elicit responses.

Why this answer

A is correct because an Xmas scan sends packets with the FIN, PSH, and URG flags set (like a Christmas tree lit up). According to RFC 793, a closed port must respond with an RST packet, while an open port should drop the packet silently (no response). The NIDS alert triggered on these three flags together, which is the signature of an Xmas scan.

Exam trap

EC-Council often tests the distinction between Xmas, NULL, and SYN scans by focusing on the exact flag combinations; the trap here is that candidates confuse the FIN, PSH, URG combination with a NULL scan (no flags) or a SYN scan (single flag).

How to eliminate wrong answers

Option B is wrong because a NULL scan sends packets with no flags set (all flags off), not the FIN, PSH, and URG flags. Option C is wrong because a SYN scan sends packets with only the SYN flag set, used for half-open connections, not the combination of FIN, PSH, and URG. Option D is wrong because an ACK scan sends packets with only the ACK flag set, used to map firewall rules, not the FIN, PSH, and URG flags.

4
Multi-Select · hard

Which TWO of the following are valid techniques for collecting volatile network evidence from a live system during incident response?

Select 2 answers
A. Using route print to view the IP routing table.
B. Using ipconfig /displaydns to view the DNS resolver cache.
C. Running arp -a to view the ARP table.
D. Running netstat -an to view active TCP/UDP connections.
E. Executing tcpdump -i eth0 -w capture.pcap to capture live packets.
Answers: D, E

Active connections are volatile and show current network activity.

Why this answer

Option D is correct because `netstat -an` displays all active TCP and UDP connections along with their listening ports and states, which is critical for identifying unauthorized or malicious network connections on a live system. This command provides a snapshot of current network sessions without altering system state, making it a standard volatile evidence collection technique. Option E is correct because `tcpdump -i eth0 -w capture.pcap` records the live packets on the wire to a file; traffic in flight exists only while it is being transmitted, so it is the most volatile network evidence of all and must be captured as it happens.

Exam trap

The trap here is that candidates confuse static configuration commands (route print, arp -a) or cached data (ipconfig /displaydns) with live volatile evidence, when only commands that capture active network sessions or raw traffic qualify as volatile evidence collection.

5
MCQ · hard

You are a forensic investigator responding to a data breach at a mid-sized company. The company uses a hybrid cloud environment with AWS for production workloads and on-premises servers for legacy applications. The breach was detected when an internal monitoring system flagged unusual outbound traffic from an AWS EC2 instance (i-0a1b2c3d4e5f) to an external IP address (198.51.100.20) on TCP port 4444 during off-hours. The EC2 instance runs a Linux-based web server. The security team has already isolated the instance by removing its security group rules and stopping the instance. You have been provided with the following: (1) AWS CloudTrail logs for the past 72 hours, (2) VPC Flow Logs for the same period, (3) a snapshot of the instance’s root volume (EBS), and (4) the instance metadata log from the AWS console. The company’s incident response policy requires preservation of all volatile data before powering off the instance. Which of the following steps should you take FIRST to ensure a forensically sound investigation?

A. Acquire a memory dump from the stopped instance by re-attaching the root volume to a forensic workstation.
B. Review the instance metadata log to identify the user who launched the instance.
C. Create a forensic copy of the EBS snapshot and attach it to a separate analysis EC2 instance in a different AWS account to avoid altering evidence.
D. Analyze the VPC Flow Logs to determine if other instances communicated with the same external IP.
Answer: C

The snapshot is the only disk evidence; making a copy in a separate account prevents accidental modification.

Why this answer

Option C is correct because the first step in a forensically sound investigation is to create a forensic copy (bit-for-bit) of the EBS snapshot before any analysis. This preserves the original evidence integrity, as required by the order of volatility and chain of custody. Attaching the copy to a separate analysis EC2 instance in a different AWS account prevents accidental modification of the original snapshot and isolates the forensic environment from the compromised production account.

Exam trap

The trap here is that candidates confuse volatile data preservation with the need to acquire memory from a stopped instance (Option A), not realizing that stopping the instance already destroys RAM, and the snapshot only captures disk data.

How to eliminate wrong answers

Option A is wrong because the instance is already stopped, so volatile data (memory) is lost; re-attaching the root volume to a forensic workstation would not recover memory, and the snapshot is of the root volume, not RAM. Option B is wrong because reviewing the instance metadata log to identify the user who launched the instance is a non-forensic administrative step that does not preserve or acquire evidence; it should be done after securing the evidence. Option D is wrong because analyzing VPC Flow Logs is a valid investigative step, but it is not the first priority; the immediate need is to preserve the EBS snapshot evidence before any analysis that might alter or overlook the original data.

6
MCQ · medium

You are investigating a network breach at a financial institution. The organization uses a network-based intrusion detection system (NIDS) and maintains full packet capture (PCAP) for critical segments. The incident allegedly started with a spear-phishing email that delivered a remote access trojan (RAT). The security team has isolated the infected host and provided you with a disk image of the host and a PCAP file covering the network traffic from the host for the 24-hour period before isolation. In the PCAP, you see a series of TCP connections from the host to an external IP address on port 443 (HTTPS). The external IP is known to be associated with a command-and-control (C2) server. However, the disk image shows no evidence of the RAT binary or any malicious files. The host's antivirus logs are clean. Which of the following is the most likely explanation for the lack of evidence on the disk?

A. The antivirus software deleted the malicious files before the image was taken
B. The hard drive was reimaged before the forensic image was taken
C. The RAT uses a rootkit to hide its files
D. The malware was fileless and only resided in memory
Answer: D

Fileless malware leaves no persistent artifacts on disk.

Why this answer

The absence of the RAT binary and any malicious files on the disk, combined with clean antivirus logs and active C2 traffic over HTTPS, strongly indicates a fileless malware infection. Fileless malware operates entirely in memory (RAM), never writing its payload to disk, which explains why the disk image shows no artifacts and why traditional file-scanning antivirus did not detect it. The TCP connections to the C2 server on port 443 are consistent with a memory-resident RAT that loads directly into a legitimate process (e.g., PowerShell, WMI, or a script interpreter) and communicates over encrypted HTTPS to evade network inspection.

Exam trap

EC-Council often tests the distinction between file-based and fileless malware, and the trap here is assuming that a rootkit (Option C) is the only way to hide files, when in fact fileless malware never writes files to disk at all, making rootkits unnecessary for evasion.

How to eliminate wrong answers

Option A is wrong because antivirus software typically quarantines or logs deleted files, and the scenario states antivirus logs are clean — if deletion had occurred, the logs would show a detection event. Option B is wrong because the question explicitly states the security team isolated the infected host and provided a disk image; if the drive had been reimaged, there would be no disk image to analyze, and the scenario would mention a reimage event. Option C is wrong because while rootkits can hide files from the operating system, they still leave traces on disk (e.g., in the Master File Table or alternate data streams) that forensic tools can detect, and the question says there is no evidence of any malicious files — not just hidden files.

7
MCQ · medium

A cloud forensic analyst is tasked with preserving evidence from an AWS S3 bucket that may contain malicious files. The bucket is publicly accessible, and the analyst wants to create a forensically sound copy. Which method BEST ensures integrity and chain of custody?

A. Download each object via the AWS Management Console and compute SHA256 hashes manually.
B. Use the AWS CLI cp command recursively without any flags.
C. Generate a presigned URL for the bucket and use wget to download all files.
D. Use the AWS CLI sync command with the --checksum-mode flag to verify integrity during transfer.
Answer: D

The sync command can verify checksums (e.g., SHA256) to ensure data integrity.

Why this answer

Option D is correct because the AWS CLI `sync` command with the `--checksum-mode` flag automatically computes and compares checksums (e.g., SHA256) during the transfer, ensuring data integrity without manual intervention. This method also preserves metadata and timestamps, which is critical for maintaining a forensically sound copy and chain of custody in cloud forensics.

Exam trap

Cisco often tests the misconception that any download method (like `cp` or `wget`) inherently preserves integrity, but the trap is that only explicit checksum verification (e.g., `--checksum-mode`) provides cryptographic assurance required for forensic soundness and chain of custody.

How to eliminate wrong answers

Option A is wrong because manually downloading each object via the AWS Management Console and computing SHA256 hashes is error-prone, lacks automation, and does not provide a verifiable, auditable log of the transfer process, compromising chain of custody. Option B is wrong because the AWS CLI `cp` command recursively without any flags does not verify integrity during transfer; it only copies files and relies on the underlying HTTP checksums (e.g., ETag) which may not be cryptographically strong (e.g., multipart uploads use MD5-based ETags). Option C is wrong because generating a presigned URL and using `wget` does not automatically verify file integrity; `wget` only checks HTTP response codes and does not compute or compare cryptographic hashes, leaving the copy vulnerable to undetected corruption or tampering.

8
Multi-Select · medium

Which THREE of the following are essential steps in network forensic investigation?

Select 3 answers
A. Conduct interviews with all network users
B. Create a timeline of network events
C. Secure the network to prevent further damage
D. Perform a bit-for-bit copy of all hard drives
E. Capture network packets using a sniffer
Answers: B, C, E

Timeline analysis helps correlate events.

Why this answer

Creating a timeline of network events (Option B) is essential in network forensic investigation because it establishes a sequence of activities, correlating packet captures, logs, and system events to reconstruct the attack path. This chronological mapping is critical for identifying the initial compromise point, lateral movement, and data exfiltration, often using tools like Wireshark or tcpdump with timestamps from NTP-synchronized sources. Securing the network to prevent further damage (Option C) contains the incident so that additional systems are not compromised and remaining evidence is not destroyed, and capturing network packets with a sniffer (Option E) collects the raw traffic on which the rest of the network forensic analysis is built.

Exam trap

EC-Council often tests the distinction between network forensics (focusing on packets, flows, and logs) and host-based forensics (focusing on disk images and memory), leading candidates to mistakenly select hard drive imaging as a network forensic step.

9
MCQ · hard

An organization uses a cloud-based SIEM to collect logs from multiple sources. The investigator notices gaps in the log data for a critical system during the incident timeframe. What is the MOST likely cause?

A. Network latency delayed log delivery
B. Log rotation policy deleted logs prematurely
C. Time drift between the system and the SIEM
D. The system's log level was set to ERROR only
Answer: C

Clock skew can cause logs to appear missing or out of order.

Why this answer

Time drift between the system and the SIEM causes logs to be timestamped incorrectly, leading to apparent gaps when the SIEM queries by time range. Even if logs are delivered, they may fall outside the incident timeframe in the SIEM's index, creating the illusion of missing data. This is a common issue in cloud-based SIEMs where NTP synchronization is not enforced across all sources.

Exam trap

The trap here is that candidates confuse 'missing logs' with 'logs not sent' (option A) or 'logs deleted' (option B), but the question specifically says 'gaps in the log data' during the incident timeframe, which points to a timestamp alignment issue rather than a delivery or retention problem.

How to eliminate wrong answers

Option A is wrong because network latency delays log delivery but does not cause gaps in the log data itself; logs will eventually arrive and be indexed, though possibly out of order. Option B is wrong because log rotation policies delete old logs, not logs from the incident timeframe unless the rotation interval is shorter than the retention period, which is unlikely for a critical system under investigation. Option D is wrong because setting the log level to ERROR only would reduce the volume of logs but not create gaps; all ERROR-level events would still be recorded and timestamped correctly.

10
MCQ · medium

An investigator is analyzing cloud storage logs and finds an entry showing that a file was accessed using the root credentials from an IP address in a different geographic region. The organization has strict policies against root usage. What should the investigator do FIRST?

A. Check if the activity correlates with a known vulnerability or authorized task
B. Contact law enforcement for cybercrime investigation
C. Change the password of the root account
D. Immediately revoke the root access keys
Answer: A

This helps determine if the access is malicious or accidental.

Why this answer

Option A is correct because the first step in any forensic investigation is to correlate the suspicious activity with known events, such as authorized tasks or vulnerabilities, to avoid false positives. Root access from an unfamiliar IP could be legitimate if tied to a scheduled maintenance window or a known vulnerability exploitation attempt that requires verification. Prematurely changing credentials or contacting law enforcement could destroy evidence or alert an attacker before the scope is understood.

Exam trap

The trap here is that candidates panic and choose a reactive security action (like revoking keys or changing passwords) instead of following forensic best practice: preserve and validate before acting.

How to eliminate wrong answers

Option B is wrong because contacting law enforcement is a premature escalation step that should only occur after internal validation and evidence preservation, not as the first action. Option C is wrong because changing the root password could alert an active attacker and destroy volatile evidence such as active sessions or memory artifacts. Option D is wrong because immediately revoking root access keys could disrupt legitimate operations and also destroy evidence; the investigator must first verify the activity's legitimacy and preserve logs.

11
MCQ · easy

Based on the log exhibit, what type of attack is occurring?

A. Man-in-the-middle attack
B. SQL injection attack
C. Denial of Service attack
D. Brute-force attack on SSH
Answer: D

Repeated failed login attempts for the root user from the same IP address.

Why this answer

The log shows multiple failed SSH login attempts from the same IP address with different usernames and passwords, which is characteristic of a brute-force attack targeting SSH. The repeated 'Failed password' entries for various user accounts (e.g., root, admin, user) indicate an automated attempt to guess credentials, not a single successful compromise or a different attack type.

Exam trap

EC-Council often tests the distinction between a brute-force attack and a DoS attack by including logs with repeated authentication failures, leading candidates to mistakenly choose DoS due to the high volume of events, but the key indicator is the specific 'Failed password' message targeting SSH, not a flood of traffic.

How to eliminate wrong answers

Option A is wrong because a man-in-the-middle attack would involve intercepting or modifying traffic between two parties, not repeated failed login attempts; there is no evidence of ARP spoofing, session hijacking, or traffic redirection in the log. Option B is wrong because SQL injection attacks target web application databases via malicious SQL queries in input fields, not SSH authentication logs; the log shows no SQL syntax or database error messages. Option C is wrong because a Denial of Service attack aims to overwhelm a service with traffic to cause disruption, not to repeatedly attempt authentication; the log shows sequential login failures without a flood of packets or resource exhaustion indicators.

12
MCQ · easy

An investigator needs to capture network traffic from a live network segment without altering the traffic flow. Which technique should they use?

A. Enable NetFlow on the router and capture flows
B. Configure a SPAN port on the switch
C. Deploy an ARP spoofing tool to redirect traffic
D. Set the NIC to promiscuous mode on the forensic workstation
Answer: B

Port mirroring (SPAN) copies traffic to a monitor port without interrupting the original flow.

Why this answer

A SPAN (Switched Port Analyzer) port, also known as a mirror port, copies all traffic from a specified source port or VLAN to a destination port where the forensic workstation is connected. This allows the investigator to capture traffic without injecting any frames or altering the forwarding behavior of the switch, thus preserving the integrity of the live network segment.

Exam trap

EC-Council often tests the misconception that promiscuous mode alone is sufficient for capturing all traffic on a switched network, but candidates forget that switches isolate traffic per port unless a SPAN port is configured.

How to eliminate wrong answers

Option A is wrong because NetFlow is a flow-based accounting and monitoring technology that exports aggregated flow records (e.g., source/destination IP, ports, protocol) rather than capturing full packet payloads; it cannot provide the raw packet-level data needed for deep forensic analysis. Option C is wrong because ARP spoofing actively sends forged ARP replies to redirect traffic through the attacker's machine, which alters the traffic flow and can cause network disruptions or detection, violating the requirement to not alter the traffic flow. Option D is wrong because setting a NIC to promiscuous mode only allows the workstation to receive all frames on the collision domain of its connected switch port, but on a modern switched network, the switch will not forward traffic destined for other ports to the forensic workstation, so promiscuous mode alone cannot capture traffic from other hosts without additional techniques like ARP spoofing or a SPAN port.

13
Multi-Select · easy

During a cloud forensic investigation of an AWS EC2 instance, which TWO sources should be preserved to capture volatile data before instance termination?

Select 2 answers
A. Memory dump of the instance
B. VPC flow logs
C. Disk snapshot (EBS snapshot)
D. S3 server access logs
E. AWS CloudTrail logs
Answers: A, C

A memory dump captures the volatile data held in RAM; an EBS snapshot captures the disk state.

Why this answer

A memory dump of the EC2 instance captures RAM contents, including running processes, network connections, encryption keys, and other volatile data that is lost when the instance is terminated. This is critical for forensic analysis of live system state. An EBS snapshot preserves the root and data volumes, providing a point-in-time copy of the file system and persistent storage, which is also lost upon termination.

Exam trap

EC-Council often tests the distinction between volatile data (lost on termination) and persistent logs (stored externally), leading candidates to mistakenly include VPC flow logs or CloudTrail logs as sources of volatile data.

14
MCQ · hard

You are investigating a network breach at a financial institution. The perimeter firewall logs show an inbound connection from IP 203.0.113.5 to the internal web server (192.168.1.10) on TCP port 443 at 02:34:12 UTC. At 02:34:15, an outbound connection from the web server to an external IP 198.51.100.20 on TCP port 80 is logged. Simultaneously, a network intrusion detection system (NIDS) detected a SQL injection payload in the inbound HTTP request. The web server's access logs show a successful login to the admin panel at 02:34:18 from the same external IP 203.0.113.5. The database server (192.168.1.20) logs show a query execution at 02:34:20 that exported customer records. The company uses a jump box for administrative access, and all admin sessions are logged. The jump box logs show no activity during the incident. The web server hosts a public-facing application and is in a DMZ. The database server is in the internal network, with a firewall rule allowing only the web server to connect to it on TCP port 3306. Which course of action is MOST appropriate to determine the root cause and scope?

A. Correlate the database server logs with the web server logs to identify which records were queried and verify if they were exfiltrated via the outbound HTTP connection.
B. Immediately isolate the web server from the network to prevent further data exfiltration, then perform memory forensics to find any malware.
C. Check the NTP logs to see if the timestamps are accurate, as the attack may be a time-based SQL injection.
D. Extract and analyze the full packet capture from the firewall to identify the SQL injection payload and any encrypted traffic.
Answer: A

This directly determines the scope of data loss and confirms exfiltration.

Why this answer

Option A is correct because correlating the database server logs with the web server logs allows you to identify exactly which customer records were queried and then cross-reference that with the outbound HTTP connection (from the web server to 198.51.100.20 on TCP port 80) to determine if the data was exfiltrated. This approach directly addresses both the root cause (SQL injection via the inbound request) and the scope (which records were stolen and how they left the network).

Exam trap

EC-Council often tests the misconception that immediate containment (Option B) is always the first step, but in forensic investigations, preserving evidence and correlating logs to determine scope takes precedence over reactive isolation.

How to eliminate wrong answers

Option B is wrong because immediately isolating the web server would destroy volatile evidence (e.g., memory, active connections) and prevent further forensic analysis of the ongoing exfiltration; the priority is to preserve logs and correlate data, not to blindly contain. Option C is wrong because NTP log accuracy is irrelevant to the attack vector—SQL injection is a code injection technique, not a time-based attack that relies on timestamp manipulation; the timestamps are already consistent across logs. Option D is wrong because while packet capture could reveal the SQL injection payload, the traffic to port 443 (HTTPS) is encrypted, so the payload would not be visible in plaintext; moreover, the outbound connection on port 80 is unencrypted, but the focus should be on log correlation to determine scope, not just payload extraction.

15
MCQ · hard

A forensic analyst is investigating a network breach and finds that the attacker used a technique that bypasses Network Access Control (NAC). Which of the following methods is commonly used to evade 802.1X authentication?

A. MAC address spoofing
B. VLAN hopping using double tagging
C. DNS tunneling to exfiltrate data
D. ARP poisoning to redirect traffic
Answer: A

Spoofing the MAC of an authorized device can allow the attacker to authenticate via 802.1X.

Why this answer

MAC address spoofing is commonly used to bypass 802.1X authentication because 802.1X typically authenticates devices based on their MAC address after the EAP (Extensible Authentication Protocol) handshake. By spoofing the MAC address of an already-authenticated device, the attacker can impersonate that device and gain network access without valid credentials, effectively bypassing the NAC enforcement.

Exam trap

The trap here is that candidates often confuse MAC address spoofing with ARP poisoning or VLAN hopping, thinking that any network-layer attack can bypass NAC, but 802.1X specifically relies on MAC-based port security after authentication, making MAC spoofing the direct bypass method.

How to eliminate wrong answers

Option B is wrong because VLAN hopping using double tagging is a technique to gain unauthorized access to traffic on a different VLAN by manipulating 802.1Q tags, but it does not bypass 802.1X authentication itself; it exploits switch configuration after authentication. Option C is wrong because DNS tunneling is a data exfiltration method that encodes data in DNS queries and responses, not a technique to evade NAC or 802.1X authentication. Option D is wrong because ARP poisoning is a man-in-the-middle attack that redirects traffic by corrupting ARP caches, but it does not bypass the initial 802.1X authentication process; it operates after the attacker has already gained network access.

16
MCQ · hard

During a forensic investigation of a cloud environment, a forensic analyst discovers that the virtual machine (VM) used by a suspect was terminated three days prior. The cloud provider offers snapshots, backups, and instance metadata. Which of the following is the BEST course of action to recover forensic evidence?

A. Examine CloudTrail logs for disk contents.
B. Access the VM’s operating system via the cloud console’s serial console.
C. Use SSH credentials from the investigation to connect to the terminated instance.
D. Restore the VM from a recent snapshot or backup provided by the cloud provider.
Answer: D

Snapshots preserve the disk state and can be attached to a new instance for analysis.

Why this answer

Option D is correct because once a VM is terminated, its underlying instance store or ephemeral disks are destroyed, but persistent snapshots and backups retain the disk state at the time they were taken. Restoring from a recent snapshot or backup is the only reliable method to recover the VM's file system, application data, and user artifacts for forensic analysis in a cloud environment.

Exam trap

Cisco often tests the misconception that CloudTrail or similar audit logs contain disk-level data, leading candidates to choose option A, when in fact these logs only capture metadata and API activity, not the contents of virtual disks.

How to eliminate wrong answers

Option A is wrong because CloudTrail logs record API calls and management events, not the actual disk contents of a VM; they cannot provide file-level data or operating system artifacts. Option B is wrong because the serial console provides console output and limited troubleshooting access, but it cannot be used to access a terminated VM's operating system since the instance no longer exists. Option C is wrong because SSH credentials are useless for a terminated instance; the VM is no longer running and cannot accept network connections, so SSH cannot establish a session.

17
Multi-Select · hard

Which TWO of the following are effective methods for detecting a man-in-the-middle attack on a network?

Select 2 answers
A. Analyze DNS amplification traffic
B. Check for SSL certificate mismatches
C. Implement port knocking for access control
D. Monitor for ARP cache poisoning
E. Detect ICMP flood attacks
Answers: B, D

MITM often uses forged certificates causing mismatches.

Why this answer

SSL certificate mismatches occur when a man-in-the-middle (MITM) attacker presents a forged or self-signed certificate that does not match the legitimate server's certificate. Browsers and security tools will flag this mismatch (e.g., different Common Name, invalid issuer, or expired validity), providing a clear indicator of an ongoing MITM attack. This is a direct detection method because the attacker cannot easily obtain a valid certificate for the target domain without the private key. Monitoring for ARP cache poisoning (Option D) detects the LAN-level MITM technique in which forged ARP replies corrupt hosts' ARP caches so that traffic is redirected through the attacker's machine; an unexpected change in an IP-to-MAC mapping, or one MAC address claiming several IP addresses, is the indicator.

Exam trap

EC-Council often tests the distinction between attack detection methods and attack mitigation or unrelated attack types, so candidates mistakenly choose ICMP flood or DNS amplification as MITM detection techniques when they are actually indicators of different attack vectors.

18
MCQeasy

During a network forensic investigation, the analyst recovers a PCAP file. What type of information can be directly extracted from this file?

A.Files transferred via HTTP
B.Operating system version of the source host
C.Registry data of the destination host
D.Disk partition table of the sending computer
AnswerA

HTTP file transfers are visible in the payload of packets.

Why this answer

A PCAP file captures raw network packets. HTTP is an application-layer protocol that transmits data (e.g., files, web pages) in cleartext over TCP. By reassembling the TCP stream from the captured segments and parsing the HTTP headers (for example, Content-Length or chunked transfer encoding), an analyst can directly extract files transferred via HTTP, because the payload carries the actual file content. The same is not true of HTTPS: the payload is encrypted and cannot be recovered without the session keys.

Exam trap

EC-Council often tests the distinction between what is directly extractable from packet payloads (e.g., HTTP files) versus what requires inference or additional forensic artifacts (e.g., OS fingerprinting or disk data), leading candidates to overestimate the information available in a PCAP.

How to eliminate wrong answers

Option B is wrong because the operating system version of the source host is not stored in packet headers; it can only be inferred through TCP/IP fingerprinting (e.g., TTL values, window sizes, option ordering) or from hints such as an HTTP User-Agent string, not directly extracted. Option C is wrong because registry data resides on the local disk of the destination host and is never transmitted over the network in standard protocols; a PCAP contains only network traffic, not local filesystem artifacts. Option D is wrong because the disk partition table is a low-level disk structure that is not sent over the network during normal communication; it would require a full disk image, not a packet capture.
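The extraction step described above, as an added example that is not part of the original page: a minimal classic-pcap reader that reassembles TCP segments by sequence number and carves the body of an HTTP response using its Content-Length. The capture is constructed in memory (a two-segment response delivered out of order), so the script runs offline; the hosts, ports and "file" bytes are all made up for the demonstration.

```python
"""Reassemble a TCP stream from a pcap and carve the HTTP response body."""
import struct
from collections import defaultdict

PCAP_MAGIC = 0xA1B2C3D4        # classic libpcap, microsecond timestamps
LINKTYPE_ETHERNET = 1


def _ipv4_tcp_frame(src, dst, sport, dport, seq, payload, flags=0x18):
    """Build an Ethernet/IPv4/TCP frame (no options, zero checksums)."""
    eth = b"\x00" * 12 + struct.pack("!H", 0x0800)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, flags, 65535, 0, 0)
    total = 20 + len(tcp) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return eth + ip + tcp + payload


def build_pcap(frames):
    """Wrap frames in a classic pcap container (24-byte global header, 16-byte record headers)."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)]
    for i, frame in enumerate(frames):
        out.append(struct.pack("<IIII", 1_700_000_000 + i, 0, len(frame), len(frame)))
        out.append(frame)
    return b"".join(out)


def iter_tcp_segments(pcap):
    """Yield (flow_key, seq, payload) for every IPv4/TCP packet carrying data."""
    magic, = struct.unpack_from("<I", pcap, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("not a little-endian classic pcap")
    off = 24
    while off + 16 <= len(pcap):
        _, _, incl_len, _ = struct.unpack_from("<IIII", pcap, off)
        off += 16
        frame = pcap[off:off + incl_len]
        off += incl_len
        if struct.unpack_from("!H", frame, 12)[0] != 0x0800:   # not IPv4
            continue
        ihl = (frame[14] & 0x0F) * 4
        if frame[14 + 9] != 6:                                 # not TCP
            continue
        ip_total = struct.unpack_from("!H", frame, 14 + 2)[0]
        src = ".".join(map(str, frame[14 + 12:14 + 16]))
        dst = ".".join(map(str, frame[14 + 16:14 + 20]))
        tcp_off = 14 + ihl
        sport, dport, seq = struct.unpack_from("!HHI", frame, tcp_off)
        doff = (frame[tcp_off + 12] >> 4) * 4
        payload = frame[tcp_off + doff:14 + ip_total]
        if payload:
            yield (src, sport, dst, dport), seq, payload


def reassemble_streams(pcap):
    """Order each flow's segments by sequence number and concatenate the payloads."""
    flows = defaultdict(dict)
    for key, seq, payload in iter_tcp_segments(pcap):
        flows[key][seq] = payload          # a retransmission simply overwrites
    return {key: b"".join(segs[s] for s in sorted(segs)) for key, segs in flows.items()}


def extract_http_bodies(pcap):
    """Return {flow_key: body} for each HTTP response stream that declares a Content-Length."""
    bodies = {}
    for key, stream in reassemble_streams(pcap).items():
        if not stream.startswith(b"HTTP/1."):
            continue
        head, sep, rest = stream.partition(b"\r\n\r\n")
        if not sep:
            continue
        length = None
        for line in head.split(b"\r\n")[1:]:
            name, _, value = line.partition(b":")
            if name.strip().lower() == b"content-length":
                length = int(value.strip())
        if length is not None and len(rest) >= length:
            bodies[key] = rest[:length]
    return bodies


# Constructed sample: request, then a 2-segment response whose second segment arrives first.
FILE_CONTENT = b"constructed-sample-file-bytes-0123456789\n"
HEADERS = (b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n"
           b"Content-Length: %d\r\n\r\n" % len(FILE_CONTENT))
SEG1, SEG2 = HEADERS + FILE_CONTENT[:10], FILE_CONTENT[10:]
SAMPLE_PCAP = build_pcap([
    _ipv4_tcp_frame("10.0.0.5", "192.168.1.20", 49152, 80, 1000,
                    b"GET /report.bin HTTP/1.1\r\nHost: files\r\n\r\n"),
    _ipv4_tcp_frame("192.168.1.20", "10.0.0.5", 80, 49152, 5000 + len(SEG1), SEG2),
    _ipv4_tcp_frame("192.168.1.20", "10.0.0.5", 80, 49152, 5000, SEG1),
])

if __name__ == "__main__":
    for flow, body in extract_http_bodies(SAMPLE_PCAP).items():
        print(flow, len(body), "bytes carved:", body[:24])
```

The ordering by sequence number is what makes the carve correct even though the segments were captured out of order; on a real capture the same function works against bytes read from a file produced by tcpdump -w, and Wireshark's "Export Objects > HTTP" performs the equivalent carve interactively.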

19
MCQeasy

A forensic investigator needs to capture network traffic from a SPAN port on a switch to analyze an ongoing compromise. Which tool should the investigator use to collect the full packet capture (pcap) for later analysis?

A.NetFlow
B.nmap
C.Wireshark
D.tcpdump
AnswerD

tcpdump captures full packets and writes to pcap format.

Why this answer

tcpdump is a command-line packet capture utility that reads raw frames at the link layer (via libpcap), making it ideal for collecting full packet captures from a SPAN port. Unlike GUI tools, it can run headless on a forensic workstation and write binary PCAP files (-w) for later analysis with tools like Wireshark. With no capture filter supplied it records every packet traversing the SPAN port; on older tcpdump builds the default snapshot length truncated payloads, so -s 0 should be passed to guarantee complete packets, and a rotating file set (-C or -G together with -w) keeps a long-running capture manageable.

Exam trap

Cisco often tests the distinction between flow-based monitoring (NetFlow) and full packet capture (tcpdump), leading candidates to mistakenly choose NetFlow because it is associated with network monitoring, even though it lacks the payload data required for forensic analysis.

How to eliminate wrong answers

Option A is wrong because NetFlow is a flow-level monitoring protocol that exports aggregated metadata (e.g., source/destination IPs, ports, byte counts) rather than full packet payloads, so it cannot provide the complete packet capture needed for deep forensic analysis. Option B is wrong because nmap is a network scanning and discovery tool used for port scanning and service enumeration, not for capturing live network traffic or generating PCAP files. Option C is wrong because Wireshark is a GUI-based packet analyzer that can capture traffic, but it is not the optimal tool for headless, long-duration capture from a SPAN port; it consumes more system resources and is typically used for interactive analysis rather than raw PCAP collection in a forensic acquisition scenario (in practice Wireshark's bundled dumpcap performs the same headless capture, but the exam expects tcpdump).

20
MCQhard

You are a forensic investigator for a healthcare organization that uses a hybrid cloud model. Your team receives an alert that a large amount of protected health information (PHI) was exfiltrated from an AWS S3 bucket to an external IP address. The organization uses AWS CloudTrail for API logging and VPC Flow Logs for network traffic. The incident occurred between 02:00 and 03:00 UTC. Upon reviewing CloudTrail logs, you see that the bucket policy was modified at 01:55 UTC to allow public read access, and then a series of GetObject requests from an IP address in a foreign country occurred. The VPC Flow Logs show outbound traffic from the bucket's VPC to that IP. The bucket policy change was made using the root user credentials of the AWS account. The organization has multi-factor authentication (MFA) enabled for all users, including root. However, the CloudTrail log for the policy change does not indicate MFA usage. You need to determine the most likely root cause of the breach. Which of the following is the most plausible explanation?

A.The root user's credentials were compromised and used to modify the bucket policy
B.The bucket policy was automatically modified by an AWS service
C.An insider with IAM permissions made the change using a legitimate session
D.The CloudTrail logs are inaccurate and the policy change was not made
AnswerA

Root API activity logged without an MFA indicator, despite MFA being enforced, points to stolen root credentials.

Why this answer

The root user credentials were likely compromised because the CloudTrail record for the bucket policy change at 01:55 UTC shows no MFA indicator, despite MFA being enforced for all users including root. MFA on the root user protects console sign-in; root access keys, if any exist, are not subject to the MFA challenge, so an attacker holding phished or leaked root credentials can call the API without ever presenting a token. The subsequent GetObject requests from a foreign IP and the outbound traffic in the flow logs confirm the exfiltration path.

Exam trap

EC-Council often tests the misconception that enabling MFA alone prevents credential misuse; the trap here is that MFA is challenged at interactive sign-in, while API calls made with long-term credentials (root or IAM access keys) are not challenged unless a policy condition such as aws:MultiFactorAuthPresent is enforced, and no IAM policy can be attached to the root user at all.

How to eliminate wrong answers

Option B is wrong because AWS services do not modify S3 bucket policies on their own to allow public read access; such a change requires an explicit PutBucketPolicy call made with valid credentials (and S3 Block Public Access, if enabled, would have rejected it). Option C is wrong because the event is attributed to the root user identity rather than an IAM user or role, and a legitimate interactive session under enforced MFA would carry the mfaAuthenticated indicator, which this record lacks. Option D is wrong because CloudTrail log file integrity validation lets an investigator prove the delivered log files were not modified, and the question gives no evidence of tampering; dismissing the logs without evidence contradicts forensic practice and the question's premise that the logs are reliable.
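The two log checks that drive this answer, as an added example that is not part of the original page: given a list of CloudTrail records, flag any root-user API call whose session carries no mfaAuthenticated attribute, and flag any PutBucketPolicy whose policy grants access to a wildcard principal without a Condition. The field names follow the CloudTrail record format; the three events, the account ID, bucket names and IP addresses are constructed to mirror the scenario in the question, and the anonymous GetObject record is a constructed approximation of how S3 data events appear.

```python
"""Triage CloudTrail records for root activity without MFA and public bucket policies."""
import json

# Constructed CloudTrail records (abridged to the fields used here).
SAMPLE_EVENTS = [
    {   # the 01:55 policy change: root identity, access key, no session context at all
        "eventTime": "2024-01-10T01:55:00Z",
        "eventName": "PutBucketPolicy",
        "eventSource": "s3.amazonaws.com",
        "sourceIPAddress": "198.51.100.7",
        "userIdentity": {"type": "Root", "arn": "arn:aws:iam::123456789012:root",
                         "accessKeyId": "AKIAEXAMPLEKEY0001"},
        "requestParameters": {
            "bucketName": "phi-archive",
            "bucketPolicy": {
                "Version": "2012-10-17",
                "Statement": [{"Effect": "Allow", "Principal": "*",
                               "Action": "s3:GetObject",
                               "Resource": "arn:aws:s3:::phi-archive/*"}]}},
    },
    {   # anonymous read that followed (constructed approximation of an S3 data event)
        "eventTime": "2024-01-10T02:03:11Z",
        "eventName": "GetObject",
        "eventSource": "s3.amazonaws.com",
        "sourceIPAddress": "198.51.100.7",
        "userIdentity": {"type": "AWSAccount", "principalId": "", "accountId": "anonymous"},
        "requestParameters": {"bucketName": "phi-archive", "key": "records/2023-q4.csv"},
    },
    {   # a legitimate change the day before: IAM user, MFA session, non-public principal
        "eventTime": "2024-01-09T14:20:00Z",
        "eventName": "PutBucketPolicy",
        "eventSource": "s3.amazonaws.com",
        "sourceIPAddress": "10.20.30.40",
        "userIdentity": {"type": "IAMUser", "userName": "storage-admin",
                         "sessionContext": {"attributes": {"mfaAuthenticated": "true"}}},
        "requestParameters": {"bucketName": "app-assets", "bucketPolicy": {
            "Statement": [{"Effect": "Allow",
                           "Principal": {"AWS": "arn:aws:iam::123456789012:role/app"},
                           "Action": "s3:GetObject",
                           "Resource": "arn:aws:s3:::app-assets/*"}]}},
    },
]


def mfa_used(event):
    """CloudTrail records MFA as the string "true" inside sessionContext.attributes;
    a call made with long-term access keys has no sessionContext, so this returns False."""
    attrs = event.get("userIdentity", {}).get("sessionContext", {}).get("attributes", {})
    return attrs.get("mfaAuthenticated") == "true"


def principal_is_public(principal):
    """True for "*" or {"AWS": "*"} (including "*" inside a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def public_statements(policy):
    """Allow statements with a wildcard principal and no Condition narrowing them."""
    stmts = policy.get("Statement", [])
    if isinstance(stmts, dict):
        stmts = [stmts]
    return [s for s in stmts
            if s.get("Effect") == "Allow"
            and principal_is_public(s.get("Principal"))
            and not s.get("Condition")]


def triage(events):
    """Return (eventTime, finding, detail, sourceIPAddress) tuples in time order."""
    findings = []
    for ev in sorted(events, key=lambda e: e["eventTime"]):
        if ev.get("userIdentity", {}).get("type") == "Root" and not mfa_used(ev):
            findings.append((ev["eventTime"], "root-api-call-without-mfa",
                             ev["eventName"], ev.get("sourceIPAddress")))
        if ev.get("eventName") == "PutBucketPolicy":
            policy = ev.get("requestParameters", {}).get("bucketPolicy", {})
            if isinstance(policy, str):          # some records carry the policy as a JSON string
                policy = json.loads(policy)
            if public_statements(policy):
                findings.append((ev["eventTime"], "bucket-policy-made-public",
                                 ev["requestParameters"]["bucketName"], ev.get("sourceIPAddress")))
    return findings


if __name__ == "__main__":
    for row in triage(SAMPLE_EVENTS):
        print(*row)
```

Both findings land on the same 01:55 record from the same source address, which is the correlation the question asks for. The fact that the PutBucketPolicy succeeded at all also tells the investigator that S3 Block Public Access was not enabled on the bucket or account, which is a finding in its own right.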

21
MCQmedium

Based on the ARP table exhibit, what is the most likely security issue?

A.The gateway is unreachable
B.Duplicate IP addresses on the network
C.ARP poisoning attack
D.MAC address filtering is enabled
AnswerC

The gateway IP resolving to two different MACs is a classic sign of ARP spoofing.

Why this answer

The ARP table exhibit shows a single IP address (192.168.1.1) mapped to two different MAC addresses (00:11:22:33:44:55 and AA:BB:CC:DD:EE:FF). This is a classic indicator of an ARP poisoning attack, where an attacker sends forged ARP replies to associate their MAC address with the gateway's IP, enabling man-in-the-middle interception of traffic destined for the gateway. In a live capture the same attack shows up as ARP replies for 192.168.1.1 alternating between the two MACs, and the attacker's MAC typically also appears against its own real IP.

Exam trap

The trap here is that candidates may confuse ARP poisoning with duplicate IP addresses, but duplicate IPs cause a 'conflict' message and only one MAC survives in the ARP table, whereas ARP poisoning shows two distinct MACs for the same IP simultaneously.

How to eliminate wrong answers

Option A is wrong because the gateway being unreachable would result in no ARP entry or an incomplete entry, not multiple MAC addresses for the same IP. Option B is wrong because duplicate IP addresses cause address conflicts and connectivity issues, but the ARP table would typically show only one MAC per IP (the last to respond), not two simultaneous entries. Option D is wrong because MAC address filtering restricts which devices can connect, but it does not cause multiple MAC addresses to appear for a single IP in the ARP table.
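The ARP cache poisoning detection named in question 17 (option D) and the pattern behind this question, as one added example that is not part of the original page: a list of observed ARP replies (timestamp, IP, MAC, as a monitor such as arpwatch would record them) is checked for IPs claimed by more than one MAC, for MACs claiming more than one IP, and for how often the gateway mapping flipped. The six observations are constructed to reproduce the exhibit's two MACs; the gateway address is passed in as an assumption.

```python
"""Detect ARP poisoning from a log of observed ARP replies."""
from collections import defaultdict

# Constructed observations: "<timestamp> <ip> <mac>", mixed MAC notations on purpose.
SAMPLE_ARP_REPLIES = """\
2024-01-10T02:00:01 192.168.1.1   00:11:22:33:44:55
2024-01-10T02:00:02 192.168.1.50  AA:BB:CC:DD:EE:FF
2024-01-10T02:00:03 192.168.1.20  00:aa:bb:cc:dd:01
2024-01-10T02:00:09 192.168.1.1   aa-bb-cc-dd-ee-ff
2024-01-10T02:00:15 192.168.1.1   00:11:22:33:44:55
2024-01-10T02:00:21 192.168.1.1   AA:BB:CC:DD:EE:FF
"""


def normalize_mac(mac):
    """Lower-case, colon-separated, so aa-bb-... and AA:BB:... compare equal."""
    return mac.strip().lower().replace("-", ":")


def parse_observations(text):
    """Return [(timestamp, ip, mac)] in the order observed."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        ts, ip, mac = parts
        rows.append((ts, ip, normalize_mac(mac)))
    return rows


def analyze(observations, gateway=None):
    """Flag IP->multiple-MAC and MAC->multiple-IP anomalies; count per-IP flips."""
    ip_to_macs = defaultdict(list)     # ordered, unique MACs seen per IP
    mac_to_ips = defaultdict(set)
    flips = defaultdict(int)
    last_mac = {}
    for _, ip, mac in observations:
        if mac not in ip_to_macs[ip]:
            ip_to_macs[ip].append(mac)
        mac_to_ips[mac].add(ip)
        if ip in last_mac and last_mac[ip] != mac:
            flips[ip] += 1                # mapping changed since the previous reply
        last_mac[ip] = mac

    findings = []
    for ip, macs in ip_to_macs.items():
        if len(macs) > 1:
            findings.append({"type": "ip-claimed-by-multiple-macs", "ip": ip,
                             "macs": macs, "flips": flips[ip], "gateway": ip == gateway})
    for mac, ips in mac_to_ips.items():
        if len(ips) > 1:
            findings.append({"type": "mac-claims-multiple-ips", "mac": mac, "ips": sorted(ips)})
    return findings


def suspect_macs(findings):
    """A MAC that both competes for a contested IP and claims several IPs is the likely poisoner."""
    contested = {m for f in findings if f["type"] == "ip-claimed-by-multiple-macs" for m in f["macs"]}
    greedy = {f["mac"] for f in findings if f["type"] == "mac-claims-multiple-ips"}
    return contested & greedy


if __name__ == "__main__":
    found = analyze(parse_observations(SAMPLE_ARP_REPLIES), gateway="192.168.1.1")
    for f in found:
        print(f)
    print("suspect:", suspect_macs(found))
```

A duplicate-IP misconfiguration would also produce two MACs for one address, but it would not normally make the same MAC answer for the gateway and for another host, and the flip count stays low; a poisoner re-asserts the mapping every few seconds to keep the victims' caches overwritten, which is why the flip count is worth reporting alongside the pair.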

22
Matchingmedium

Match each forensic artifact to its location in Windows (typical).


C:\Windows\Prefetch

C:\Windows\System32\winevt\Logs

C:\$Recycle.Bin

C:\Windows\System32\config

C:\Users\[user]\AppData\Local\Microsoft\Windows\Explorer

Why these pairings

These paths are standard for Windows 10/11: C:\Windows\Prefetch holds the .pf files that record program execution; C:\Windows\System32\winevt\Logs holds the .evtx Windows Event Logs; C:\$Recycle.Bin holds deleted files per user SID as $I (metadata) and $R (content) pairs; C:\Windows\System32\config holds the SAM, SECURITY, SOFTWARE and SYSTEM registry hives; and C:\Users\[user]\AppData\Local\Microsoft\Windows\Explorer holds the thumbcache and iconcache databases.

23
MCQmedium

During a forensic investigation, the analyst runs netstat -ano on a compromised workstation. Based on the exhibit, which connection is MOST suspicious and should be investigated further?

A.The established HTTPS connection to 203.0.113.5:443 (PID 5678).
B.The DNS query to 192.168.1.1:53 in TIME_WAIT state.
C.The UDP listener on port 5353 (mDNS) with PID 910.
D.The listening RDP service on port 3389 (PID 1234).
AnswerA

203.0.113.5 is a documentation-range address standing in for an arbitrary external host; it is the only established connection to an address outside the local network.

Why this answer

The established HTTPS connection to 203.0.113.5:443 (PID 5678) is most suspicious because it is an external IP address (not in the private RFC 1918 range) with an established TCP connection, indicating active data transfer. In a forensic context, an outbound HTTPS connection to an unknown external IP is a common indicator of command-and-control (C2) communication or data exfiltration, especially when the PID can be traced to an unknown or malicious process.

Exam trap

EC-Council often tests the misconception that any listening service (like RDP or mDNS) is inherently suspicious, when in fact established external connections to unknown IPs are far more indicative of active compromise.

How to eliminate wrong answers

Option B is wrong because a DNS query to 192.168.1.1:53 in TIME_WAIT state is normal internal network traffic; DNS queries are expected to resolve names, and TIME_WAIT indicates the connection has ended, not active malicious activity. Option C is wrong because a UDP listener on port 5353 (mDNS) with PID 910 is a standard service for local network discovery (RFC 6762) and is not inherently suspicious unless the PID is known to be malicious. Option D is wrong because the listening RDP service on port 3389 (PID 1234) is a common administrative service; while RDP can be exploited, a listening state alone does not indicate compromise without evidence of unauthorized access or unusual source IPs.
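The triage rule this answer applies, as an added example that is not part of the original page: parse Windows netstat -ano output and report only ESTABLISHED connections whose foreign address lies outside the local address space. The netstat text is constructed to match the four options in the question (plus one internal SMB session as a negative control); the local-network list is an assumption the investigator would replace with the organization's own ranges.

```python
"""Flag established connections to non-local addresses in `netstat -ano` output."""
import ipaddress

# Constructed netstat -ano output (Windows layout: UDP rows have no State column).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       1234
  TCP    192.168.1.50:49712     203.0.113.5:443        ESTABLISHED     5678
  TCP    192.168.1.50:49800     192.168.1.1:53         TIME_WAIT       0
  TCP    192.168.1.50:49801     192.168.1.10:445       ESTABLISHED     4
  UDP    0.0.0.0:5353           *:*                                    910
"""

# Assumption: these ranges are "local" for the investigated network. Deliberately
# not ipaddress.is_private, which also treats the 203.0.113.0/24 documentation
# range (and other IANA special-purpose blocks) as private and would hide the hit.
LOCAL_NETS = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


def is_local(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in LOCAL_NETS)


def split_endpoint(endpoint):
    """'1.2.3.4:443' -> ('1.2.3.4', '443'); '[::1]:443' -> ('::1', '443'); '*:*' -> ('*', '*')."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), port


def parse_netstat(text):
    """Return one dict per socket row; header and banner lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue
        proto, local, foreign = parts[0], parts[1], parts[2]
        state, pid = (parts[3], parts[4]) if proto == "TCP" else ("", parts[3])
        rows.append({"proto": proto, "local": split_endpoint(local),
                     "foreign": split_endpoint(foreign), "state": state, "pid": int(pid)})
    return rows


def suspicious_connections(rows):
    """Established TCP sessions to hosts outside LOCAL_NETS, the ones to pivot on by PID."""
    hits = []
    for row in rows:
        host, _ = row["foreign"]
        if row["state"] != "ESTABLISHED" or host in ("*", "0.0.0.0"):
            continue
        if not is_local(host):
            hits.append(row)
    return hits


if __name__ == "__main__":
    for hit in suspicious_connections(parse_netstat(SAMPLE_NETSTAT)):
        print(f"{hit['proto']} {hit['local'][0]}:{hit['local'][1]} -> "
              f"{hit['foreign'][0]}:{hit['foreign'][1]} PID {hit['pid']}")
```

The PID in the hit is the pivot: on the live host it maps to an image path and parent via tasklist or Get-Process, and in a memory image via the process list, which is how "unknown external IP" becomes "unknown process talking to an unknown external IP".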

24
MCQmedium

In a cloud forensic investigation, the analyst needs to obtain a memory dump of a virtual machine. Which method is considered forensically sound?

A.Log into the VM and use a tool to create a crash dump
B.Copy the virtual disk file (.vmdk) and extract memory from it
C.Use a live forensic tool inside the VM to capture memory
D.Take a snapshot of the VM via the hypervisor and export the .vmem file
AnswerD

This method captures the VM's memory in a forensically sound manner.

Why this answer

Option D is forensically sound because taking a snapshot of the VM via the hypervisor and exporting the .vmem file captures the entire volatile memory state from outside the guest OS, without executing anything inside the VM. The snapshot also freezes the disk state at the same instant, so memory and disk artifacts are consistent, and the exported file can be hashed immediately to anchor the chain of custody before analysis begins.

Exam trap

Cisco often tests the misconception that a virtual disk file (.vmdk) contains memory data, when in fact it only stores persistent storage, and that live tools inside the VM are acceptable despite violating forensic soundness by altering the evidence.

How to eliminate wrong answers

Option A is wrong because logging into the VM and creating a crash dump modifies the guest OS state (e.g., writing to disk, altering page tables) and may trigger anti-forensic mechanisms, violating the principle of minimal interaction. Option B is wrong because the virtual disk file (.vmdk) contains only persistent storage data, not volatile memory; memory contents live in separate .vmem (and .vmsn) files, and a disk image holds at most memory remnants such as the page file or hibernation file, not the live volatile state. Option C is wrong because using a live forensic tool inside the VM requires executing code within the compromised environment, which alters memory contents (e.g., overwriting pages, changing process states) and risks triggering malware or tampering with evidence.

25
Multi-Selecteasy

Which TWO of the following are common challenges in cloud forensics?

Select 2 answers
A.Jurisdictional and legal issues due to data stored in multiple regions
B.All cloud environments provide the same forensic capabilities
C.Reliance on the cloud provider's APIs for data acquisition
D.Easier evidence acquisition compared to traditional forensics
E.Physical access to the hard drive is always available
AnswersA, C

Data may be stored across different jurisdictions with conflicting laws.

Why this answer

Option A is correct because cloud forensic investigations often involve data stored across multiple geographic regions, each with its own data protection laws (e.g., GDPR, CLOUD Act). This creates jurisdictional conflicts regarding lawful access, data privacy, and chain of custody, which are not present in traditional on-premises forensics.

Exam trap

EC-Council often tests the misconception that cloud forensics is easier or similar to traditional forensics, but the trap here is that candidates overlook the unique legal and technical dependencies on cloud providers, such as API reliance and jurisdictional issues.

26
Drag & Dropmedium

Drag and drop the steps to create a forensic timeline using the Sleuth Kit (TSK) and log2timeline into the correct order.


Why this order

Timeline creation proceeds from metadata extraction (file system metadata via the Sleuth Kit, log and application artifacts via log2timeline) through export into a common, time-sorted format, to analysis of the merged events around the incident window.
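The export and analysis steps in that sequence, as an added example that is not part of the original page: the Sleuth Kit's `fls -m` emits one pipe-delimited "bodyfile" line per file (MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime, epoch seconds), and mactime turns it into a sorted timeline with an MACB flag per event. The code below performs that conversion and narrows the result to a time window; the three bodyfile lines (including the file names and timestamps) are constructed.

```python
"""Convert a TSK bodyfile into a MACB timeline and slice it to an incident window."""
from collections import defaultdict
from datetime import datetime, timezone

# Constructed bodyfile lines (TSK 3.x format, times in epoch seconds UTC).
SAMPLE_BODYFILE = """\
0|/Windows/Prefetch/TOOL.EXE-1A2B3C4D.pf|41234|r/rrwxrwxrwx|0|0|8192|1704852000|1704852000|1704852000|1704851995
0|/Users/alice/Downloads/invoice.js|40877|r/rrwxrwxrwx|0|0|1520|1704851990|1704851940|1704851940|1704851940
0|/Windows/System32/config/SAM|2201|r/rrwxrwxrwx|0|0|65536|1704852010|1704852010|1704852010|1609459200
"""

FIELDS = ["md5", "name", "inode", "mode", "uid", "gid", "size", "atime", "mtime", "ctime", "crtime"]
# mactime's flag order: m = modified, a = accessed, c = metadata changed, b = born (created)
FLAG_ORDER = [("mtime", "m"), ("atime", "a"), ("ctime", "c"), ("crtime", "b")]


def parse_bodyfile(text):
    """Return one dict per record; raises on lines that do not have 11 fields."""
    rows = []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split("|")
        if len(parts) != len(FIELDS):
            raise ValueError(f"line {n}: expected {len(FIELDS)} fields, got {len(parts)}")
        rec = dict(zip(FIELDS, parts))
        for f in ("size", "atime", "mtime", "ctime", "crtime"):
            rec[f] = int(rec[f])
        rows.append(rec)
    return rows


def build_timeline(rows):
    """Return [(utc_string, macb, name)] sorted by time; same-instant stamps merge into one row."""
    flags = defaultdict(set)
    for rec in rows:
        for field, flag in FLAG_ORDER:
            ts = rec[field]
            if ts <= 0:                      # 0 / -1 mean "unknown" in a bodyfile
                continue
            flags[(ts, rec["name"])].add(flag)
    timeline = []
    for (ts, name), present in sorted(flags.items()):
        macb = "".join(flag if flag in present else "." for _, flag in FLAG_ORDER)
        when = datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")
        timeline.append((when, macb, name))
    return timeline


def events_between(timeline, start, end):
    """Slice the timeline to [start, end] using the same 'YYYY-MM-DD HH:MM:SS' strings."""
    return [ev for ev in timeline if start <= ev[0] <= end]


if __name__ == "__main__":
    tl = build_timeline(parse_bodyfile(SAMPLE_BODYFILE))
    for when, macb, name in events_between(tl, "2024-01-10 01:55:00", "2024-01-10 03:00:00"):
        print(when, macb, name)
```

Reading the output the way an analyst would: the download is born and modified at 01:59:00, accessed at 01:59:50, the prefetch entry for the executable is created five seconds later and written at 02:00:00, and the SAM hive is touched at 02:00:10, which is the kind of sequence a merged log2timeline/plaso export would then corroborate with event-log and browser-history entries.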

27
MCQeasy

A security team needs to preserve network evidence for a potential legal case. What is the BEST practice for capturing volatile network data?

A.Wait until normal business hours to capture traffic
B.Only record summary logs from the firewall
C.Perform packet capture using a portable tool and store the capture with a cryptographic hash
D.Use a dedicated forensic workstation with a write blocker
AnswerC

This ensures minimal impact and integrity of the captured data.

Why this answer

Option C is correct because capturing volatile network data requires immediate acquisition of live traffic before it is lost, and using a portable tool (e.g., tcpdump, Wireshark) allows rapid deployment. Storing the capture with a cryptographic hash (e.g., SHA-256) ensures data integrity and chain of custody, which is essential for admissibility in legal proceedings. This approach preserves the most volatile evidence (packet contents) while providing verifiable proof that the data has not been altered.

Exam trap

EC-Council often tests the distinction between volatile and non-volatile evidence; the trap here is that candidates confuse the write blocker (used for disk forensics) with network capture tools, incorrectly assuming that a write blocker can somehow preserve network traffic.

How to eliminate wrong answers

Option A is wrong because waiting until normal business hours introduces unacceptable delay; volatile network data (e.g., active sessions, real-time traffic) is lost the moment it passes, and delaying capture risks losing critical evidence. Option B is wrong because recording only summary logs from the firewall discards the full packet payload and metadata (e.g., TCP sequence numbers, application-layer data), which are often necessary for reconstructing incidents and proving intent. Option D is wrong because a dedicated forensic workstation with a write blocker is designed for acquiring non-volatile storage media (e.g., hard drives, SSDs) to prevent writes; network traffic is volatile and cannot be captured via a write blocker, which has no role in live network packet capture.
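The "store the capture with a cryptographic hash" half of this answer, as an added example that is not part of the original page: the capture itself would come from a command such as `tcpdump -i eth1 -s 0 -w span-capture.pcap` on the SPAN-connected interface (not run here); the code then records the file's SHA-256, size, acquisition time, collector and capture point in a sidecar manifest, and a verify step proves later that the bytes are unchanged. The capture file written by `demo()` is a constructed stand-in (a valid pcap header followed by filler bytes), and the collector and capture-point names are made up.

```python
"""Acquisition manifest with SHA-256 for a packet capture, and integrity verification."""
import hashlib
import json
import os
import struct
import tempfile
from datetime import datetime, timezone

PCAP_MAGICS = {b"\xd4\xc3\xb2\xa1", b"\xa1\xb2\xc3\xd4",   # classic pcap, both byte orders
               b"\x4d\x3c\xb2\xa1", b"\xa1\xb2\x3c\x4d",   # nanosecond-resolution pcap
               b"\x0a\x0d\x0d\x0a"}                         # pcapng section header block


def sha256_file(path, chunk=1 << 20):
    """Hash in chunks so multi-gigabyte captures do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def looks_like_pcap(path):
    with open(path, "rb") as f:
        return f.read(4) in PCAP_MAGICS


def write_manifest(capture_path, collector, capture_point):
    """Record what was acquired, by whom, where, when, and its hash; returns the manifest."""
    manifest = {
        "file": os.path.basename(capture_path),
        "size_bytes": os.path.getsize(capture_path),
        "sha256": sha256_file(capture_path),
        "pcap_container": looks_like_pcap(capture_path),
        "acquired_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "collector": collector,
        "capture_point": capture_point,
    }
    with open(capture_path + ".manifest.json", "w", encoding="utf-8") as f:
        json.dump(manifest, f, indent=2)
    return manifest


def verify(capture_path):
    """True only if size and SHA-256 still match the manifest written at acquisition."""
    with open(capture_path + ".manifest.json", encoding="utf-8") as f:
        manifest = json.load(f)
    return (os.path.getsize(capture_path) == manifest["size_bytes"]
            and sha256_file(capture_path) == manifest["sha256"])


def demo():
    """Write a stand-in capture, manifest it, then flip one byte and re-verify."""
    path = os.path.join(tempfile.mkdtemp(), "span-capture.pcap")
    with open(path, "wb") as f:
        f.write(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 262144, 1))  # pcap global header
        f.write(b"\x00" * 64)                                                # constructed filler
    manifest = write_manifest(path, collector="analyst-1", capture_point="core-sw1 SPAN session 1")
    ok_before = verify(path)
    with open(path, "r+b") as f:        # simulate tampering or bit rot in the evidence file
        f.seek(30)
        f.write(b"\xff")
    ok_after = verify(path)
    return manifest["pcap_container"], ok_before, ok_after


if __name__ == "__main__":
    print("pcap header ok, verified at acquisition, verified after tamper:", demo())
```

In practice the manifest (or at least the hash) is also recorded on the chain-of-custody form and the capture is copied to write-once or access-controlled storage, so the hash computed in court can be compared with a value recorded independently of the file it protects.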
