ECCouncil 112-57 EC-Council Digital Forensics Essentials (DFE) Exam Practice Test

The requirement is tolist devices connected to a local Windows machine, specifically to identifyexternal storage devicesthat may be attached and potentially used for data theft or malware introduction. In Windows forensic practice, investigators often start by enumerating currently mounted volumes and recently connected removable media so they can correlate device presence with suspicious activity timelines and user actions.DriveLetterViewis a utility designed to display the complete mapping ofdrive letters to storage devices/volumes, includingremovable drives(USB flash drives, external HDDs), optical media, network-mapped drives, and local partitions. It helps quickly identify what storage devices are present and accessible on the system at the time of inspection, which fits the scenario where James captures a list of connected devices and removes suspicious ones.

The other tools do not match this purpose.ESEDatabaseViewis used to inspect Extensible Storage Engine databases, not enumerate attached storage.ProcDumpis used for creating process memory dumps for debugging/forensic analysis of processes, not for listing connected drives.PromiscDetectrelates to detecting network interfaces in promiscuous mode (packet sniffing), not external storage enumeration. Therefore, the correct tool for identifying connected storage devices isDriveLetterView (C).

On Windows systems,ipconfigis the standard command-line utility used to display and troubleshootTCP/IP configurationand the operational status of network interfaces. From a forensic and incident-response perspective, it helps investigators quickly identify whether a NIC is enabled and configured, and it reveals key network parameters tied to “network status,” such as theassigned IPv4/IPv6 addresses,subnet mask,default gateway, andDNS servers. Using variants likeipconfig /all, responders can also capture adapter-specific metadata includingMAC address (physical address), DHCP enablement, DHCP server, lease timestamps, and interface descriptions—useful for correlating an endpoint to switch-port logs, DHCP logs, and network monitoring data. This is often part of live triage because it documents the system’s current connectivity and routing context at the time of seizure or investigation.

The other options are not appropriate for NIC status:PsLoggedOnreports logged-on users, andPsListenumerates running processes—both are Sysinternals tools focused on user/process state rather than network interface configuration.ifconfigis a UNIX/Linux command (and not the primary Windows utility), so it would not be the correct choice for Windows-based systems. Therefore,ipconfig (A)is correct.

The question specifies anautomated tool to analyze the system’s memoryand detect malicious activity associated with amalware backdoor. In malware forensics and incident response practice, memory analysis is used to identify artifacts that may not be reliably visible on disk, such as injected code, hidden processes, suspicious DLLs/modules, live network connections, persistence objects loaded in memory, and indicators of compromise tied to backdoors.Redline(commonly referenced in DFIR training) is purpose-built forhost investigation and memory analysis. It can collect and analyze volatile data, including running processes, loaded modules, handles, drivers, network sessions, and other runtime indicators that help investigators spot malicious behavior and attribute it to specific executables or injected components.

The other options do not align with memory forensics.Medusais primarily a credential brute-force/login auditing tool, not a memory analysis utility.Shodanis an Internet-wide device search engine used for external reconnaissance, not for local host RAM inspection.Wiresharkis a packet capture and protocol analysis tool focused on network traffic, not automated memory artifact collection and analysis. Therefore, the tool Clark used to analyze memory and detect malicious activity isRedline (B).

Bulk Extractoris a digital forensics utility specifically designed to scan storage media (or forensic disk images) and automatically extractstructured artifacts and metadata-like featureswithout relying strictly on file system parsing. In Windows investigations, it is commonly used to identify and pull out items such as email addresses, URLs, domain names, credit card patterns, timestamps, GPS coordinates, and other feature records that can be treated as metadata indicators during triage and deep analysis. Because it works by scanning raw data blocks and producing feature reports, it can recover useful information even when files are deleted, partially corrupted, or when file system structures are damaged—conditions frequently encountered in forensic cases. Investigators use its outputs to correlate user activity, locate sensitive data exposure, and identify evidence-rich regions for further examination with file-level tools.

The other options do not match the requirement of analyzing file metadata broadly.Tor browseris an anonymity-focused web browser, not a forensic metadata analyzer.IECachesViewis a niche utility for viewing Internet Explorer cache/history artifacts rather than general file metadata analysis.Paraben P2 Commandertargets peer-to-peer investigations and related artifacts, not general metadata extraction across files. Therefore, the correct tool for analyzing metadata-like artifacts on a Windows-based system isBulk Extractor (A).

Forensics labs handling highly sensitive investigations must protect evidence confidentiality and prevent unauthorized disclosure. Strong physical security includes not only access control and surveillance, but also protections againstelectromagnetic (EM) emanationrisks. Computers and displays can unintentionally emit electromagnetic signals that, under certain conditions, may be intercepted and reconstructed to reveal sensitive information (for example, case notes, recovered evidence content, or credentials). Digital forensics lab design guidance recognizes this as a real threat in high-sensitivity environments and recommendsEM shielding / TEMPEST-style controlswhere appropriate. Shielding workstations reduces the chance of data leakage through side-channel interception and helps ensure that confidential investigative activities cannot be monitored from outside controlled areas.

The other options directly weaken physical security and safety. Fire extinguishers are required for facility safety and risk management, so “never place” them is unsafe and contrary to secure lab standards. Not maintaining an entrance log register undermines chain-of-custody support and accountability by removing a basic access auditing mechanism. “Never keep the lab under surveillance” removes a core deterrent and detection control for unauthorized entry, evidence tampering, and theft. Therefore, shielding workstations from transmitting electromagnetic signals is the only option thatstrengthensphysical security for a sensitive forensics lab.

The scenario describes a web application thatunintentionally reveals sensitive member biodatato attackers. This is a classic case ofinformation leakage, where confidential or private data becomes exposed due to poor access control, improper output handling, verbose error messages, misconfigured endpoints, insecure direct object references, or unintended exposure through pages, APIs, backups, or logs. In forensic and web security documentation, information leakage is defined by theunauthorized disclosure of data, even if the attacker does not alter the system. The key indicator here is that the application is “revealing” biodata—meaning confidentiality is breached.

Bob’s response—using acontent filtering mechanism—also aligns with mitigating data exposure. Content filtering can prevent sensitive fields from being returned, mask personally identifiable information, restrict responses based on user role, and sanitize outputs before they leave the server.

The other options do not match the described impact.Buffer overflowis a low-level memory corruption vulnerability, typically associated with native code execution rather than accidental biodata exposure.Authentication hijackinginvolves taking over sessions/credentials, andcookie poisoninginvolves manipulating cookie values to gain privileges or alter behavior—neither is explicitly indicated. Therefore, the identified threat isInformation leakage (B).

In Windows forensics, recovering deleted or corrupted files typically requires afile-system aware data recovery toolthat can interpret NTFS/FAT metadata and scan disk structures for lost file records and residual content.R-Studiois designed specifically for data recovery: it can locate and rebuild deleted files by analyzing file system metadata (such as NTFS MFT entries and directory records), recover data from formatted or damaged partitions, and perform raw “signature-based” scans to carve files when metadata is missing. This aligns directly with Kelvin’s need for an automated method to restoredamaged, corrupted, or deletedfiles from a Windows system.

The other options do not match the stated recovery objective.OphcrackandCain & Abelare password recovery/auditing tools used to obtain credentials (e.g., cracking hashes), not to restore deleted files.Rohos Mini Driveis primarily an encryption/secure storage utility for creating encrypted containers, which may protect data but does not function as a forensic recovery tool for deleted or corrupted files. Therefore, among the listed tools,R-Studio (C)is the correct choice for automated recovery of deleted files in a Windows forensic investigation.

In digital forensics, acquisition formats differ mainly in how they store evidence data, metadata, and whether they support features like compression, segmentation, and integrity verification. ARaw formatis a sector-by-sector bitstream image (often called “dd” style) and typically doesnotdefine built-in compression or structured metadata; any compression would be external to the format. “Proprietary format” is not a single defined standard—some proprietary images may compress data, but the option is too generic and not tied to a specific, documented compression method.

The format known in forensic documentation for explicitly supporting modern compression such asLZMAisAFF4 (Advanced Forensic Format 4), which is designed as a next-generation container supporting rich metadata, hashing, chunked storage, and pluggable compression options. AFF4’s architecture stores evidence in compressed chunks/streams and commonly associates LZMA with efficient, high-ratio compression while preserving forensic requirements such as repeatable verification through cryptographic hashes.

The option “Advanced ForensicFramework 4” corresponds toAFF4in many exam question banks and training materials. Therefore, the correct choice isC, because AFF4 is the acquisition format recognized for supportingLZMA compressionas part of its standardized capabilities.

Jennifer’s actions match the responsibilities of anincident responder, whose job spans immediatecontainment, preservation, and stabilizationactivities during an active or recently active security incident. In standard digital forensics and incident response (DFIR) procedures, responders first take steps topreserve evidence(e.g., documenting the scene, capturing volatile data when appropriate, and collecting relevant system artifacts) and then executecontainment measuresto prevent further harm. Disconnecting a compromised host from the network is a classic containment control used to stop malware propagation, block command-and-control communications, and prevent lateral movement to other systems.

Anincident analyzertypically focuses on deeper technical analysis—timeline reconstruction, root cause determination, and correlating artifacts across hosts and logs—rather than performing immediate containment. Anevidence manageris primarily responsible for maintaining evidence integrity, chain of custody, storage, labeling, and access control, not operational containment. Anexpert witnessprovides formal testimony and interpretation in legal or disciplinary proceedings and is not usually involved in live containment actions. Since Jennifer bothgathered evidenceand thenisolated the system to stop spread, the role most consistent with documented DFIR responsibilities isIncident responder (A).

In Microsoft IIS (W3C Extended) logging, each request line records multiple standardized fields that help investigators reconstruct what was accessed, by whom, and with what outcome. Among these fields, the most direct indicator of whether the server successfully handled the request is theHTTP status codecaptured in thesc-statusfield. A status code of200means“OK”, indicating the server located the requested resource (here,/images/content/bg_body1.jpg) and returned it successfully to the client without application-level failure.

Other numbers in the entry represent different attributes:80is the server port used for the HTTP request,192values appear as part of IP addressing (client/server addresses), and537is embedded in the user-agent string (AppleWebKit build number), not a success indicator. IIS often logs additional substatus and Win32 status values (e.g.,sc-substatusandsc-win32-status) to refine the outcome; in the shown line, those follow the 200 as “200 0 0 …”, reinforcing that no substatus error or OS-level error occurred. Therefore,200is the element confirming the request was fulfilled without error.

The activity described—collectingnetwork topologydetails and compiling alist of live hosts—matches the reconnaissance phase commonly referred to asenumeration. In digital forensics and incident response documentation, enumeration is the systematic process of discovering and extracting information about a target environment to support later exploitation. It typically follows (or overlaps with) scanning and includes identifying active IP addresses, reachable systems, open ports/services, device roles, OS fingerprints, domain information, shared resources, user/group details, and routing or segmentation clues that reveal how the network is structured.

This information is then used to plan “further attacks,” such as targeting exposed services, choosing exploit paths, locating high-value systems, and selecting lateral movement routes. From a forensic standpoint, enumeration attempts often leave traces in firewall logs, IDS alerts, and endpoint artifacts (e.g., bursts of connection attempts across many hosts/ports, ICMP echo sweeps, ARP discovery on local segments, and repeated DNS queries).

The other options do not fit:data modificationinvolves altering data integrity;session hijackingtargets active sessions/tokens; andbuffer overflowis an exploitation technique against vulnerable software, not the information-gathering step described. Therefore, the correct answer isEnumeration (B)

In Windows forensics and incident response, investigators often need to linknetwork activity(remote IPs, ports, connection states) to theresponsible processto determine whether traffic is legitimate or associated with malware, unauthorized tools, or data exfiltration. The Windowsnetstatutility can enumerate current TCP connections and listening ports, but the key flag that enables attribution to a running program is-o. The-oparameter instructs netstat to include theOwning Process ID (PID)with each connection or listening socket. Once the PID is known, examiners can correlate it with process listings (e.g., Task Manager,tasklist, memory forensics output) to identify the executable name, path, user context, and parent process—critical steps in reconstructing attacker behavior and persistence.

The other options do not provide PID mapping:-nshows addresses and ports in numeric form (useful for speed and to avoid DNS lookups),-adisplays all connections and listening ports but without PID attribution by itself, and-sshows protocol statistics rather than per-connection ownership. Therefore, the parameter that shows active connectionsandincludes the PID for each is[-o](Option C).

Under the Electronic Communications Privacy Act (ECPA),Title IIis commonly known as theStored Communications Act (SCA). Digital forensics and e-discovery references treat the SCA as the key legal framework governing access tostored electronic communications and associated subscriber/account recordsheld by service providers. The question specifically mentions (1) “contents of files stored by service providers” and (2) “records held about the subscriber … such as subscriber name, billing records, and IP addresses.” These map directly to the SCA’s two broad categories:content(what a communication or stored file contains) andnon-content records(subscriber identity, connection logs, billing information, IP assignment/history, and related transactional metadata).

From an investigative perspective, Title II matters because it sets the legal process and restrictions for compelled disclosure—typically requiring different forms of legal process depending on whether the investigator seekscontentversussubscriber/transactional records, and depending on factors like how the data is stored and retention timeframes. In contrast,Title Ifocuses on real-time interception (wiretap-style capture), andTitle IIIaddresses pen register/trap-and-trace style dialing/routing information rather than stored content. Therefore, the correct title isTitle II (Option A).

In a standard Tor circuit, a client typically builds a three-hop path:Entry/Guard → Middle → Exit. Tor usesonion routing, where the client wraps the payload in multiple encryption layers—one for each hop. Each relay removes (decrypts) only its own layer to learn thenext hop, but not the complete route or the original payload in the clear. Themiddle relayis specifically positioned toforward traffic between the entry/guard and the exit while it remains onion-encrypted end-to-end within the Tor network. Because it neither connects to the user’s local network (like the entry/guard) nor to the public destination (like the exit), its primary role isencrypted transit/forwarding, helping break the linkage between source and destination. By contrast, theexit relayis where traffic leaves Tor; unless the application layer uses TLS/HTTPS, the exit may deliver data to the destination inunencryptedform on the open Internet. Theentry/guardprotects against certain traffic-correlation risks by being stable, but it is not uniquely “the” encrypted-transfer node. Therefore, the best single answer isMiddle relay (D).

In forensic readiness planning, the goal is to ensure that when an incident occurs, the organization can collect, preserve, and present digital evidence in a manner that remainsreliable, repeatable, and legally defensible. A key requirement for courtroom acceptance is cleardocumentation—often referred to as proper documentation and chain-of-custody support—showing what actions were taken, by whom, when, using which tools, and under what conditions. Creating a defined process for documenting procedures ensures investigators consistently record acquisition steps, handling methods, hashing/verification results, storage locations, access history, and any changes in evidence possession. This documentation becomes a “backup” in the sense that it preserves institutional memory of the investigation steps, allowing future reviewers (auditors, opposing experts, courts) to reconstruct and validate what occurred even long after the incident.

While identifying potential evidence (B) and determining evidence sources (C) are important readiness tasks, they do not themselves create the structured record needed to defend evidence integrity. Keeping an incident response team ready (D) supports operational response, but does not directly ensure admissibility. Therefore, the step that provides future reference and supports court presentation isCreating a process for documenting the procedure (A).

The UNIX/Linuxddutility performs abit-by-bit (sector-by-sector) copyfrom an input device (such as a physical disk) to an output target (another device or a flat file). In digital forensics guidance, this type of output is known as araw (bitstream) imagebecause it captures the exact sequence of bytes from the source media without embedding structured case metadata, compression, or container features by default. The resulting file is often referred to as a “dd image” and may use extensions like.ddor.img, but the key point is theformat is raw: it represents a straightforward byte-for-byte representation of the original storage, including allocated data, unallocated space, slack space, and file system structures.

By contrast,AFFandAFF4are forensic container formats designed to store evidence data along with metadata (and often support features such as chunking, compression, and richer integrity structures). “Proprietary format” refers to vendor-specific containers (for example, formats created by certain commercial forensic tools) rather than the generic output produced by dd. Since Philip specifically usedddto create bit-by-bit disk images, the extracted acquisition image format isRaw Format (A).

The command path /bin/rm is a hallmark of UNIX/POSIX-style operating systems, where core userland utilities are commonly stored under directories such as /bin, /sbin, and /usr/bin. The utility rm (remove) is the standard UNIX command used to delete directory entries that reference a file’s data blocks on disk. This layout and command structure do not match Windows, whichuses different filesystem conventions (drive letters, backslashes, and Windows-native executables) and does not provide /bin/rm as a native path. Android, while Linux-kernel-based, typically exposes shell utilities through environments like /system/bin (and newer systems may use toybox/busybox variants), not the classic /bin hierarchy expected on general-purpose UNIX systems. Between the remaining options, both Linux and macOS are UNIX-like and can include an rm command; however, in digital forensics training and examination contexts, the explicit reference to /bin/rm is most commonly used to indicate a Linux/UNIX command-line environment on a compromised host. Therefore, the best single-choice answer from the provided options is Linux (D).

In macOS, each user account is assigned aHome Directorythat serves as the primary container for that user’s data and profile-specific configuration. This directory typically resides under/Users//and includes standard subfolders such asDesktop,Documents,Downloads,Pictures,Movies,Music, and crucially the user’sLibraryfolder (~/Library). From a digital forensics standpoint, the Home Directory is one of the most important evidence locations because it holds user-generated content and a large volume of user activity artifacts: application preferences and settings (plist files), browser data, caches, saved state, key application databases, recent items, and other per-user traces. Although some applications are installed system-wide under/Applications, macOS also supports per-user application storage and extensive per-user data under the Home Directory’s Library structure.

The other options are not user-data containers.Spotlightis a search/indexing service (it creates indexes, not a user’s complete data store).Time Machineis a backup mechanism that stores versioned backups rather than the live per-user working directory.Finderis the graphical file manager, not a storage folder. Therefore, the folder that stores files and user-specific libraries for a particular user is theHome Directory (D).

The statement in the question matchesSWGDE Principle 1, Standards and Criteria 1.7, which explicitly requires thatany action that could alter, damage, or destroy original digital evidence must be performed by qualified personnel in a forensically sound manner. In digital forensics doctrine, this requirement exists because digital evidence is highly fragile: routine interactions (booting a system, opening a file, connecting storage, running commands) can change timestamps, overwrite unallocated space, modify logs, or trigger encryption/key rotation. SWGDE’s emphasis on “qualified persons” and “forensically sound manner” aligns with core evidentiary expectations: minimizing changes to original media, using controlled and repeatable methods (e.g., write-blocking, validated imaging, documented procedures), and ensuring actions are defensible under scrutiny.

Options 1.1, 1.3, and 1.5 relate to broader quality and procedural requirements (quality systems, SOP review, appropriate tools), but they do not contain the specific mandate about potentially altering original evidence. The exact phrasing about alteration/damage/destruction and qualified handling is associated withStandards and Criteria 1.7, makingBthe correct choice.

On macOS, theBasic Security Module (BSM)provides the system’saudit framework, which records security-relevant activity such asfile access, process execution, authentication events, privilege changes, and other system calls. A key forensic characteristic of BSM auditing is that events are written asbinary audit records composed of “tokens.”Each token represents a structured piece of the event (for example: subject/user identity, process ID, command arguments, path, return value, timestamps), and tokens are assembled into complete audit records. Because these audit logs arebinary and tokenized, they are compact, consistent, and designed for reliable parsing and evidentiary reconstruction—important when building timelines of file-related actions and attributing them to specific users and processes.

The other options do not match the “binary token” description.Command-line inputsmay be stored in shell history files but are plain text and not tokenized binary audit records.User accountartifacts (e.g., directory services, plist files) describe identities and settings, not tokenized event logs.Kexts(kernel extensions) are drivers/modules; while they can affect system behavior, they are not the macOS component that stores file/event records in a binary token format. Therefore, the correct answer isBasic Security Module (C).

Microsoft Exchange Server stores mailbox contents (emails, attachments, folders, and related messaging objects) inside anESE (Extensible Storage Engine) databasethat uses the.edbfile format. In Exchange terminology this is theMailbox Database, and its primary persistent store is thedatabase .edb filealong with associated transaction logs that support write-ahead logging and recovery. From a forensic perspective, the.edbfile is the central artifact because it contains the structured mailbox data that investigators analyze for message content, metadata (timestamps, sender/recipient fields, message IDs), and folder structure.

Among the options,Database.edbbest matches the Exchange ESE mailbox database file that stores mail data. The other options are either generic or associated with different Microsoft messaging components:Mail.MSMessageStorerelates to the Windows Mail/Modern Mail app storage model rather than Exchange Server’s mailbox database, andWLCalendarStore.edbis commonly tied to Windows Live/Windows Essentials calendar or communications storage, not Exchange’s server-side mailbox store.DataStore.edbis also used by other Windows services, but the recognized Exchange mailbox store is the.edb database file, makingDatabase.edb (D)the correct answer.

In forensic examinations, investigators must correctly interpret a disk’spartitioning schemebecause it determines where volumes begin, where file systems reside, and how to validate acquisition completeness. Modern systems may useGPT(commonly associated with UEFI) while legacy systems often useMBR. A practical forensic command therefore needs to detect and parse partition informationregardless of whether the disk uses MBR or GPT, and present the results in a consistent, investigator-friendly output for verification and downstream analysis (e.g., selecting the correct partition offsets for imaging or mounting).

Get-ForensicPartitionTableis designed for exactly this role in forensic PowerShell tooling: it parses partition table structures in a forensically oriented manner and supports disks partitioned usingeither MBR or GPT. That “forensic” emphasis typically means it reads raw structures directly, reports partition entries and offsets, and helps avoid ambiguity when the protective MBR (present on GPT disks) could confuse simplistic parsers.

By contrast,Get-BootSectortargets boot sector/VBR data rather than the full partition layout;Get-GPTis GPT-specific and does not cover MBR-only disks; andGet-PartitionTableis a more generic label that may not guarantee dual-scheme forensic parsing. Therefore, the correct option isC.