112-57 EC-Council Digital Forensics Essentials (DFE) Question and Answers

The scenario describes the investigator collectingvolatileartifacts—specifically information inRAM, activeDLLs, system and network state, and transient data held incacheand similar runtime locations—through the device’s normal interface while the system is running. In digital forensics documentation, this is the defining characteristic oflive acquisition(also called live response). Live acquisition is performed when the system remains powered on so that investigators can capture evidence that would be lost on shutdown, such as running processes, open network connections, logged-on sessions, loaded modules/DLLs, encryption keys, and portions of registry data that exist in memory or are actively changing.

By contrast,static acquisitionanddead acquisitionare conducted when the system is powered off (or the evidence drive is imaged outside the running OS), focusing primarily on persistent storage such as disk sectors and file system structures.Non-volatile data acquisitionrefers to collecting persistent data stored on media (e.g., files on disk), which does not match the emphasis on RAM and other volatile components in the question. Because the investigator is explicitly collecting volatile data from a running system via its normal interface, the correct method isLive acquisition (B).

Seek timeis the specific performance measure that describes how long a hard disk drive’s actuator takes tomove the read/write heads across the plattersfrom the current track (cylinder) to the target track where the requested data resides. In traditional magnetic HDDs, the heads must be physically repositioned before any sector can be read or written, making seek time a core component of mechanical latency.

Digital forensics materials emphasize understanding this distinction because HDD mechanical behavior affectsacquisition duration, the feasibility of repeated scans, and why imaging or carving operations can take longer on fragmented media. It also helps explain why solid-state drives (SSDs), which have no moving heads, do not have seek time in the same sense and therefore behave differently during large-scale reads.

The other choices are broader or unrelated:access timetypically refers to thetotal time to retrieve data, commonly combiningseek time + rotational latency + transfer time.Delay timeis not the standard term for head movement in disk performance definitions.Mean timeis incomplete as written and is usually part of reliability metrics like mean time between failures, not head positioning. Therefore, the correct measure for head movement time isSeek time (C).

In Windows network forensics,netstat -anois commonly used to correlateTCP connection stateswithprocess identifiers (PIDs)to understand which application created or used a connection. When Tor Browser is actively communicating, outbound circuits typically appear asESTABLISHEDconnections to Tor relays (entry/guard nodes) or local loopback endpoints used by Tor components. After the browser is closed and the application tears down connections, Windows TCP/IP behavior often leaves recently closed sockets inTIME_WAIT.

TIME_WAITis a normal TCP state that appears after a connection has been actively closed. It exists to ensure delayed packets from the old session are not misinterpreted as belonging to a new session and to allow proper retransmission of the final ACK if needed. From an investigative standpoint, seeing Tor-related endpoints transition from ESTABLISHED toTIME_WAITstrongly indicates the sessions were terminated and the application is no longer maintaining live network traffic.

By contrast,CLOSE_WAITusually means the remote side has closed but the local application has not fully closed its socket yet,LISTENINGindicates a service waiting for inbound connections, andESTABLISHEDmeans the session is still active. Therefore,TIME_WAIT (B)best indicates Tor Browser connections have been closed.

In the Apache Combined/Custom access log format, the value immediately after the quoted request (here,"GET ... HTTP/1.0") is theHTTP status codereturned by the server. In the provided entry, that field is500. From a forensic analysis standpoint, recognizing field positions matters because investigators correlate client IPs, timestamps, requested resources, and server outcomes to reconstruct attack timelines and identify failed exploitation attempts or misconfigurations.

It is important to note thatsuccessful HTTP responses are typically in the 2xx range, most commonly200 (OK), while3xxindicates redirects,4xxindicates client-side errors (such as 404 Not Found), and5xxindicates server-side failures. Specifically,500represents anInternal Server Error, meaning the server encountered an unexpected condition and could not fulfill the request successfully.

The other options are not HTTP status codes in this entry:+0300is the timezone offset in the timestamp,1.0is the HTTP protocol version, and2019is part of the date. Therefore, the only HTTP status code present—and the correct choice among the options—is500 (B), even though it reflects an error rather than success.

The activity described—collectingnetwork topologydetails and compiling alist of live hosts—matches the reconnaissance phase commonly referred to asenumeration. In digital forensics and incident response documentation, enumeration is the systematic process of discovering and extracting information about a target environment to support later exploitation. It typically follows (or overlaps with) scanning and includes identifying active IP addresses, reachable systems, open ports/services, device roles, OS fingerprints, domain information, shared resources, user/group details, and routing or segmentation clues that reveal how the network is structured.

This information is then used to plan “further attacks,” such as targeting exposed services, choosing exploit paths, locating high-value systems, and selecting lateral movement routes. From a forensic standpoint, enumeration attempts often leave traces in firewall logs, IDS alerts, and endpoint artifacts (e.g., bursts of connection attempts across many hosts/ports, ICMP echo sweeps, ARP discovery on local segments, and repeated DNS queries).

The other options do not fit:data modificationinvolves altering data integrity;session hijackingtargets active sessions/tokens; andbuffer overflowis an exploitation technique against vulnerable software, not the information-gathering step described. Therefore, the correct answer isEnumeration (B)

Apple’s original Macintosh computers initially usedMFS (Macintosh File System), which had important limitations, including a relatively flat directory model and constraints that became problematic as storage sizes and file organization needs grew. To address these limitations, Apple introducedHFS (Hierarchical File System)—explicitly designed to replace MFS and provide a truehierarchical directory structure(folders within folders), improved metadata handling, and better scalability for the Macintosh platform. From a digital forensics perspective, this historical transition matters because examiners may encounter legacy Macintosh media or disk images where understanding the file system family helps interpret catalog structures, allocation behavior, and metadata artifacts.

The other options do not fit the “replace MFS” requirement.NTFSis Microsoft’s Windows file system.APFS (Apple File System)is Apple’s modern file system introduced much later (primarily for SSDs, with features like snapshots and strong encryption support) and it replaced HFS+ in newer macOS versions—not MFS.Filesystem Hierarchy Standard (FHS)is a UNIX/Linux directory layout standard, not a Macintosh disk file system. Therefore, the Apple-developed file system that replaced MFS isHierarchical File System (HFS), which corresponds toOption D.

In Windows forensics, the Registry is organized into logical root keys (“hives”) that aggregate configuration and security data. The items named in the question—SAM,SECURITY, andSOFTWARE—aresystem-wide registry hivesstored on disk (typically under the system’s configuration directory) and loaded at runtime underHKEY_LOCAL_MACHINE (HKLM). Investigators rely on these hives because they contain high-value evidence: theSAMhive stores local account database information (including user and group identifiers and credential-related material), theSECURITYhive holds system security policy and LSA-related settings, and theSOFTWAREhive contains installed software, application configuration, and many operating system settings relevant for program execution and persistence analysis.

Tools likeFTK Imagercan extract these hives (or their live-memory representations) during triage to preserve volatile context and enable offline parsing while maintaining evidentiary integrity. The other root keys do not match these specific hives:HKEY_CURRENT_USERis per-user profile data,HKEY_CURRENT_CONFIGreflects current hardware profile, andHKEY_CLASSES_ROOTis primarily file association/COM class mapping (largely derived from HKLM\Software\Classes and HKCU\Software\Classes). Therefore, the correct hive root that provides SAM, SECURITY, and SOFTWARE subkeys isHKEY_LOCAL_MACHINE (B).

The scenario describes an email-retrieval configuration in which messages aredownloaded to a client deviceandnot retained on the server. This behavior aligns withPOP3 (Post Office Protocol v3), a legacy but widely referenced mail access protocol that retrieves email from a server mailbox to a local client. In standard POP3 operation, the client authenticates to the mail server, issues retrieval commands (e.g., to list and download messages), and may then issue a delete command so that downloaded messages are removed from the server mailbox. Digital forensics references commonly contrast POP3 with IMAP:IMAP is designed for server-side mailbox synchronization and typically leaves mail stored on the server, whereas POP3 is oriented towardclient-side storageand supports workflows where server copies are not preserved after download. The other options are unrelated to email retrieval:SHA-1is a cryptographic hash function used for integrity checks,ICMPsupports network diagnostics and control messaging, andSNMPis used for network device management and monitoring. From an investigative standpoint, POP3 usage can reduce server-resident evidence and shift evidentiary value tolocal artifacts(mail client databases, cache, OS traces, backups), which is consistent with the intent described in the question.

The scenario describes a targeted social-engineering attack aimed specifically athigh-profile individuals(CEOs, CFOs, politicians, celebrities) and usesemail or website spoofingto deceive them into disclosing sensitive information. In digital forensics and incident response documentation, this is most accurately categorized aswhaling, a specialized form of phishing that focuses on “big targets” (often called “high-value targets” or “VIPs”). Whaling campaigns typically use highly tailored pretexts (e.g., legal subpoenas, board communications, invoice/payment requests, HR or executive directives) and may include spoofed sender domains, look-alike websites, or fraudulent login pages to harvest credentials and confidential corporate data. Because executives often have access to financial systems, strategic documents, and privileged communications, attackers concentrate effort on realism and personalization, making whaling distinct from broad, generic phishing.

By contrast,smishingis phishing conducted via SMS/text messages,spimmingis spam over instant messaging platforms, andidentity fraudis a broader category involving impersonation/misuse of personal data but does not specifically denote the executive-targeted spoofing technique described. Therefore, the attack type in the question isWhaling (A).

In the NTFS file system, theMaster File Table (MFT)is the core metadata structure that tracksevery file and directoryon the volume. NTFS implements this as a special system file named$MFT(shown here as$mft). Each file or folder on an NTFS partition is represented by at least oneMFT record entry, which stores essential metadata such as file name(s), timestamps, security identifiers/ACL references, file size, attributes, and pointers to the file’s data runs (or, for very small files, the content can be stored resident inside the record). Because it is the authoritative “index” of file objects, forensic examiners rely heavily on $MFT to reconstruct user activity and file history, including evidence of deleted files (when records are marked unused but remnants of attributes may remain) and timeline building from timestamp attributes.

The other options are different NTFS metadata files with narrower purposes:$LogFilerecords NTFS transaction logs to support recovery,$Volumestores volume-level information (like version/label), and$Quotamanages disk quota tracking. None of these contain a record for every file on the system. Therefore, the NTFS system file that contains a record of every file present is$mft (B).

Ahoneypotis a deliberately deployed decoy system or service designed toattract attackersby appearing valuable or vulnerable, thereby enabling defenders to observe malicious behavior in a controlled manner. Digital forensics and incident response references describe honeypots as tools forthreat intelligence and evidence collection, because they can record interaction details such as connection sources, exploited services, commands executed, malware dropped, and attempted privilege escalation. This directly matches the scenario: Steven deployed something that “appears to contain very useful information” tolure attackersand help identify theirlocations and techniques. Honeypots are typically instrumented with extensive logging and monitoring, making them especially useful for building timelines, extracting indicators of compromise, and understanding adversary tactics, techniques, and procedures.

The other options do not align with the “bait attackers” goal. AnIDSprimarily detects and alerts on suspicious activity but is not intended to impersonate a valuable target. Afirewallenforces access control rules to block/allow traffic, not entice attackers. Arouterforwards packets and provides network connectivity; it is not a deception platform. Therefore, the device type described is aHoneypot (C).

In Windows forensics and incident response, investigators often need to linknetwork activity(remote IPs, ports, connection states) to theresponsible processto determine whether traffic is legitimate or associated with malware, unauthorized tools, or data exfiltration. The Windowsnetstatutility can enumerate current TCP connections and listening ports, but the key flag that enables attribution to a running program is-o. The-oparameter instructs netstat to include theOwning Process ID (PID)with each connection or listening socket. Once the PID is known, examiners can correlate it with process listings (e.g., Task Manager,tasklist, memory forensics output) to identify the executable name, path, user context, and parent process—critical steps in reconstructing attacker behavior and persistence.

The other options do not provide PID mapping:-nshows addresses and ports in numeric form (useful for speed and to avoid DNS lookups),-adisplays all connections and listening ports but without PID attribution by itself, and-sshows protocol statistics rather than per-connection ownership. Therefore, the parameter that shows active connectionsandincludes the PID for each is[-o](Option C).

On Windows systems,ipconfigis the standard command-line utility used to display and troubleshootTCP/IP configurationand the operational status of network interfaces. From a forensic and incident-response perspective, it helps investigators quickly identify whether a NIC is enabled and configured, and it reveals key network parameters tied to “network status,” such as theassigned IPv4/IPv6 addresses,subnet mask,default gateway, andDNS servers. Using variants likeipconfig /all, responders can also capture adapter-specific metadata includingMAC address (physical address), DHCP enablement, DHCP server, lease timestamps, and interface descriptions—useful for correlating an endpoint to switch-port logs, DHCP logs, and network monitoring data. This is often part of live triage because it documents the system’s current connectivity and routing context at the time of seizure or investigation.

The other options are not appropriate for NIC status:PsLoggedOnreports logged-on users, andPsListenumerates running processes—both are Sysinternals tools focused on user/process state rather than network interface configuration.ifconfigis a UNIX/Linux command (and not the primary Windows utility), so it would not be the correct choice for Windows-based systems. Therefore,ipconfig (A)is correct.

In a standard Tor circuit, a client typically builds a three-hop path:Entry/Guard → Middle → Exit. Tor usesonion routing, where the client wraps the payload in multiple encryption layers—one for each hop. Each relay removes (decrypts) only its own layer to learn thenext hop, but not the complete route or the original payload in the clear. Themiddle relayis specifically positioned toforward traffic between the entry/guard and the exit while it remains onion-encrypted end-to-end within the Tor network. Because it neither connects to the user’s local network (like the entry/guard) nor to the public destination (like the exit), its primary role isencrypted transit/forwarding, helping break the linkage between source and destination. By contrast, theexit relayis where traffic leaves Tor; unless the application layer uses TLS/HTTPS, the exit may deliver data to the destination inunencryptedform on the open Internet. Theentry/guardprotects against certain traffic-correlation risks by being stable, but it is not uniquely “the” encrypted-transfer node. Therefore, the best single answer isMiddle relay (D).

Promiscuous mode is a network interface configuration in which the NIC passesall observed framesto the operating system, not only frames addressed to that host’s MAC address. In investigations, this matters because promiscuous mode is commonly enabled bypacket sniffers, certain intrusion tools, or misconfigured monitoring software, and it can indicate covert traffic capture on a host.

On UNIX/Linux systems, the traditional command used to view interface flags and status isifconfig <interface name>. When an interface is set to promiscuous mode,ifconfigdisplays aPROMISCflag in the interface’s status line, allowing an investigator to confirm whether the NIC is accepting all frames. This directly matches Kane’s goal of checking if the interface is running in promiscuous mode.

The other commands do not provide this specific interface flag.nmap -sT localhostscans for open TCP ports, not interface modes.ipconfigis a Windows command (and does not take an interface name in that form to show PROMISC status), and it primarily reports IP configuration.netstat -ishows network interface statistics (packets, errors, drops) but typically does not explicitly indicate promiscuous mode. Therefore, the correct command isifconfig (C).

SSH (Secure Shell)is specifically designed to provide anencrypted channelover an untrusted network. In digital forensics and incident response, SSH is well known for supportingtunneling/port forwarding, where traffic for another protocol (for example, HTTP, database connections, or remote desktop) is encapsulated inside an SSH session. Because the SSH session encrypts payload data (and can also protect authentication and command content), the tunneled traffic becomesobfuscated to network monitoring toolsthat can only see metadata such as source/destination IPs, port numbers (often TCP/22), timing, and byte counts. This capability is frequently discussed in forensic references as a mechanism that can hinder content inspection and complicate attribution of user actions purely from packet payload analysis.

By contrast,SNMPis primarily for network management and monitoring, not secure tunneling.ARPresolves IP-to-MAC addresses on local networks and does not provide encryption or tunneling.UDPis a transport protocol that can carry data for many applications but provides no built-in security or tunneling features by itself. Therefore, the protocol that creates secure tunneling enabling content obfuscation isSSH (C).

event logs) to establish user intent and sequence of actions. Therefore, the correct option isBrowsingHistoryView (B).

On Windows systems, thePrefetchfeature records execution-related artifacts to speed up subsequent program launches. When an executable is run, Windows often creates a.pf prefetch fileinC:\Windows\Prefetchthat contains valuable forensic indicators such as the executable name (mapped into the prefetch filename), last run time(s) (depending on Windows version), run count (in many versions), and a list of files and directories referenced during startup. Because these artifacts can persist even after an application is lateruninstalled or deleted, investigators commonly use the Prefetch directory to demonstrate that a program executed on a host and to help build timelines around suspicious activity. This is especially useful in intrusion investigations for identifying the execution of attacker tools, droppers, scripts launched via interpreters, or renamed binaries.

The other options are not standard repositories for program execution history.C:\Windows\debugmay contain specific debug logs for certain components but is not the canonical execution-tracking folder.C:\Windows\BookandC:\subdirare not standard Windows forensic artifact locations. Therefore, the folder that stores information on applications run on the system isC:\Windows\Prefetch (C).

The layer of the web most associated withmaintaining anonymityfor users and services is theDark Web. In digital forensics terminology, the Dark Web refers to services hosted on overlay networks (such as Tor hidden services) that arenot indexed by standard search enginesand are typically accessible only through specialized software and configurations. Its core characteristic is that it is deliberately designed to reduce traceability by routing traffic through multiple relays and separating identifying information (like the user’s real IP address) from the destination. This makes attribution and geolocation significantly harder using traditional network logs alone, which is why adversaries often choose it to conduct covert communications, host content, or coordinate campaigns.

By contrast, theSurface Web(the regular, indexed portion of the web) is generally reachable through normal browsers and is easier to monitor and attribute using conventional ISP, server, and platform logs. “World Wide Web” is a general term for web content accessed via HTTP/HTTPS and does not specifically imply anonymity. TheDeep Webrefers to content not indexed by search engines (e.g., webmail, databases, authenticated portals), but it is not inherently anonymizing—many deep web resources are simply private or access-controlled. Therefore, the layer enabling David to hide his presence is theDark Web (C).

The question specifies anautomated tool to analyze the system’s memoryand detect malicious activity associated with amalware backdoor. In malware forensics and incident response practice, memory analysis is used to identify artifacts that may not be reliably visible on disk, such as injected code, hidden processes, suspicious DLLs/modules, live network connections, persistence objects loaded in memory, and indicators of compromise tied to backdoors.Redline(commonly referenced in DFIR training) is purpose-built forhost investigation and memory analysis. It can collect and analyze volatile data, including running processes, loaded modules, handles, drivers, network sessions, and other runtime indicators that help investigators spot malicious behavior and attribute it to specific executables or injected components.

The other options do not align with memory forensics.Medusais primarily a credential brute-force/login auditing tool, not a memory analysis utility.Shodanis an Internet-wide device search engine used for external reconnaissance, not for local host RAM inspection.Wiresharkis a packet capture and protocol analysis tool focused on network traffic, not automated memory artifact collection and analysis. Therefore, the tool Clark used to analyze memory and detect malicious activity isRedline (B).