
UPDATED [2026] Pass EC-COUNCIL 112-57 Exam in First Attempt Guaranteed
Pass 112-57 Exam Latest Practice Questions
NEW QUESTION # 41
Which of the following Windows system files is created in the system drive after OS installation to support the internal functions and system service dispatch stubs to executive functions?
- A. Ntoskrnl.exe
- B. Ntdll.dll
- C. Kernel32.dll
- D. Win32k.sys
Answer: B
Explanation:
Ntdll.dll is the Windows user-mode system library that provides many internal NT functions (commonly exposed as "NT Native API" routines such as Nt*/Zw*) and, critically, contains the system service dispatch stubs used by user-mode code to transition into kernel mode for operating system services. In standard Windows architecture, most user-mode applications call higher-level APIs (for example, Win32 APIs in Kernel32.dll), which then ultimately rely on Ntdll.dll to perform the final step of invoking the kernel through these system call stubs. This is why Ntdll.dll is a core component loaded into nearly every process and is tightly associated with the boundary between user mode and the executive components of the OS.
From a forensics viewpoint, understanding Ntdll.dll matters because it is central to how processes request privileged services, and it is frequently referenced in analyses of process execution, API call chains, and certain user-mode hooking techniques used by malware or anti-forensics tools.
By contrast, Ntoskrnl.exe is the kernel image itself (core kernel/executive), Win32k.sys is a kernel-mode graphics/windowing subsystem component, and Kernel32.dll provides higher-level Win32 APIs rather than the primary system-call stub layer. Hence, Ntdll.dll (B) is the correct answer.
NEW QUESTION # 42
Bob, a forensic investigator, was instructed to review a Windows machine and identify any anonymous activities performed using it. In this process, Bob used the command "netstat -ano" to view all the active connections in the system and determined that the connections established by the Tor browser were closed.
Which of the following states of the connections established by Tor indicates that the Tor browser is closed?
- A. CLOSE_WAIT
- B. ESTABLISHED
- C. LISTENING
- D. TIME_WAIT
Answer: D
Explanation:
In Windows network forensics, netstat -ano is commonly used to correlate TCP connection states with process identifiers (PIDs) to understand which application created or used a connection. When Tor Browser is actively communicating, outbound circuits typically appear as ESTABLISHED connections to Tor relays (entry/guard nodes) or local loopback endpoints used by Tor components. After the browser is closed and the application tears down connections, Windows TCP/IP behavior often leaves recently closed sockets in TIME_WAIT.
TIME_WAIT is a normal TCP state that appears after a connection has been actively closed. It exists to ensure delayed packets from the old session are not misinterpreted as belonging to a new session and to allow proper retransmission of the final ACK if needed. From an investigative standpoint, seeing Tor-related endpoints transition from ESTABLISHED to TIME_WAIT strongly indicates the sessions were terminated and the application is no longer maintaining live network traffic.
By contrast, CLOSE_WAIT usually means the remote side has closed but the local application has not fully closed its socket yet, LISTENING indicates a service waiting for inbound connections, and ESTABLISHED means the session is still active. Therefore, TIME_WAIT (D) best indicates Tor Browser connections have been closed.
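The following script is an added example (not part of the original question set) showing how an investigator can parse saved `netstat -ano` output and summarise TCP states per PID, so that the ESTABLISHED-to-TIME_WAIT transition described above is read from the table rather than by eye. The netstat text is constructed; the loopback listener on port 9150 and the remote ports are sample values, not observations from a real host.

```python
"""Summarise TCP connection states per PID from `netstat -ano` output.

Added example, not from the original page. SAMPLE_NETSTAT is constructed to
resemble a host where a SOCKS listener is still open and the relay
connections have already been torn down.
"""
from collections import Counter, defaultdict

SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    127.0.0.1:9150         0.0.0.0:0              LISTENING       4120
  TCP    10.0.0.5:49712         198.51.100.23:9001     TIME_WAIT       0
  TCP    10.0.0.5:49715         203.0.113.77:443       TIME_WAIT       0
  TCP    10.0.0.5:49720         192.0.2.10:443         ESTABLISHED     6552
  UDP    0.0.0.0:5353           *:*                                    1840
"""


def parse_netstat_ano(text):
    """Return one dict per socket row. UDP rows carry no State column."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue  # header, title and blank lines
        if parts[0] == "TCP" and len(parts) == 5:
            proto, local, remote, state, pid = parts
        elif parts[0] == "UDP" and len(parts) == 4:
            proto, local, remote, pid = parts
            state = None
        else:
            continue  # malformed row: ignore rather than guess
        rows.append({"proto": proto, "local": local, "remote": remote,
                     "state": state, "pid": int(pid)})
    return rows


def tcp_states_by_pid(rows):
    """Map PID -> Counter of TCP states, e.g. {4120: {'LISTENING': 1}}."""
    summary = defaultdict(Counter)
    for r in rows:
        if r["proto"] == "TCP":
            summary[r["pid"]][r["state"]] += 1
    return summary


def closed_connections_to_port(rows, remote_port):
    """TIME_WAIT sockets whose remote port matches: sessions already torn down.

    Windows typically attributes TIME_WAIT sockets to PID 0 because the owning
    process has already released them, so the PID column alone cannot tie them
    back to the application; the remote endpoint and timing have to do that.
    """
    return [r for r in rows
            if r["proto"] == "TCP" and r["state"] == "TIME_WAIT"
            and r["remote"].rsplit(":", 1)[1] == str(remote_port)]


if __name__ == "__main__":
    rows = parse_netstat_ano(SAMPLE_NETSTAT)
    for pid, states in sorted(tcp_states_by_pid(rows).items()):
        print(pid, dict(states))
    print(closed_connections_to_port(rows, 9001))
```

Because TIME_WAIT entries expire after a short, fixed interval, this snapshot only proves a recent teardown; correlate it with the process list and timestamps rather than treating an empty table as evidence that Tor was never used.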
NEW QUESTION # 43
Cooper, a forensic analyst, was examining a RAM dump extracted from a Linux system. In this process, he employed an automated tool, Volatility Framework, to identify any malicious code hidden inside the memory.
Which of the following plugins of the Volatility Framework helps Cooper detect hidden or injected files in the memory?
- A. linux_netstat
- B. nmap -sU localhost
- C. linux_malfind
- D. ip addr show
Answer: C
Explanation:
In memory forensics, "hidden or injected" malicious code typically refers to process injection, code caves, unbacked executable mappings, or regions of memory that are marked executable but do not align with normal, file-backed program segments. The Volatility Framework provides specialized plugins to locate these suspicious patterns. linux_malfind is the plugin designed to detect potentially injected code by scanning a process's memory mappings for characteristics that commonly indicate malicious presence, such as executable anonymous mappings, unusual permissions (e.g., RWX), and memory regions that contain shellcode-like byte patterns. This is highly relevant when malware attempts to avoid disk artifacts by living in memory or by injecting payloads into legitimate processes.
By contrast, linux_netstat is used to enumerate network connections and sockets from memory (useful for C2 analysis), but it does not focus on injected code regions. ip addr show and nmap -sU localhost are live-system networking commands, not Volatility plugins, and they are not suitable for analyzing a captured RAM image.
Therefore, to detect hidden/injected malicious code in a Linux RAM dump using Volatility, the correct plugin is linux_malfind (C).
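To make the mapping heuristics concrete, here is an added example (not Volatility code and not from the original page) that applies the same two checks linux_malfind relies on, executable regions that are not file-backed and regions that are writable and executable at once, to the text format of `/proc/<pid>/maps`. The sample maps text, the paths and the addresses are constructed.

```python
"""Flag memory mappings that look injected, using malfind-style heuristics.

Added example, not from the original page. It parses /proc/<pid>/maps text
(constructed below) so the same check runs on a live host or a saved dump.
"""
import re
from dataclasses import dataclass

SAMPLE_MAPS = """\
00400000-00452000 r-xp 00000000 08:01 1311                 /usr/bin/example
00651000-00652000 rw-p 00051000 08:01 1311                 /usr/bin/example
7f3a1c000000-7f3a1c021000 rwxp 00000000 00:00 0
7f3a1d000000-7f3a1d1c2000 r-xp 00000000 08:01 2302         /lib/x86_64-linux-gnu/libc.so.6
7f3a1e000000-7f3a1e010000 r-xp 00000000 00:00 0
7ffd3e000000-7ffd3e021000 rw-p 00000000 00:00 0            [stack]
7ffd3e0a0000-7ffd3e0a2000 r-xp 00000000 00:00 0            [vdso]
"""

# start-end perms offset dev inode [path]
MAPS_RE = re.compile(
    r"^([0-9a-f]+)-([0-9a-f]+)\s+(\S{4})\s+([0-9a-f]+)\s+(\S+)\s+(\d+)\s*(.*)$")

# Kernel-provided executable pages that are anonymous by design.
PSEUDO_OK = {"[vdso]", "[vsyscall]"}


@dataclass
class Mapping:
    start: int
    end: int
    perms: str
    inode: int
    path: str

    @property
    def executable(self):
        return "x" in self.perms

    @property
    def writable(self):
        return "w" in self.perms

    @property
    def file_backed(self):
        # An anonymous mapping has inode 0 and no filesystem path.
        return self.inode != 0 and self.path.startswith("/")


def parse_maps(text):
    mappings = []
    for line in text.splitlines():
        m = MAPS_RE.match(line)
        if not m:
            continue
        start, end, perms, _offset, _dev, inode, path = m.groups()
        mappings.append(Mapping(int(start, 16), int(end, 16), perms,
                                int(inode), path.strip()))
    return mappings


def classify(m):
    """Return a reason string if the mapping is suspicious, else None."""
    if m.path in PSEUDO_OK:
        return None
    if m.writable and m.executable:
        return "writable+executable"
    if m.executable and not m.file_backed:
        return "executable but not file-backed"
    return None


def find_suspicious(mappings):
    return [(m, classify(m)) for m in mappings if classify(m)]


if __name__ == "__main__":
    for m, reason in find_suspicious(parse_maps(SAMPLE_MAPS)):
        print(f"{m.start:#x}-{m.end:#x} {m.perms} {reason}")
```

A hit from this check is a lead, not a verdict: JIT compilers and some packers legitimately create anonymous executable pages, so the flagged region's contents still have to be examined.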
NEW QUESTION # 44
Which of the following tools helps a forensics investigator develop and test across multiple operating systems in a virtual machine for Mac and allows access to Microsoft Office for Windows?
- A. Camtasia
- B. NetSim
- C. Riverbed Modeler
- D. Parallels Desktop 16
Answer: D
Explanation:
A common requirement in macOS-focused forensic labs is the ability to run multiple operating systems on a single Mac for controlled testing, malware detonation in a sandbox, reproduction of user activity, and validation of artifacts across platforms. This is typically achieved through desktop virtualization, where a hypervisor hosts guest operating systems (such as Windows and various Linux distributions) inside virtual machines. Parallels Desktop 16 is a Mac virtualization solution built specifically to run Windows on macOS with strong integration features (such as shared clipboard, folder sharing, and "coherence" modes that allow Windows applications to appear alongside Mac applications). This capability aligns with the question's description: developing and testing across multiple OSs in VMs on a Mac and enabling use of Microsoft Office for Windows within that Windows guest environment.
The other tools do not fit. Riverbed Modeler and NetSim are primarily network modeling/simulation tools used for network design and training, not desktop virtualization. Camtasia is used for screen recording and video editing, which can support documentation but does not provide a VM environment. Therefore, the only option that directly provides cross-OS virtual machines on macOS and supports running Windows applications like Microsoft Office is Parallels Desktop 16 (D).
NEW QUESTION # 45
Below are the various steps involved in an email crime investigation.
1. Acquiring the email data
2. Analyzing email headers
3. Examining email messages
4. Recovering deleted email messages
5. Seizing the computer and email accounts
6. Retrieving email headers
What is the correct sequence of steps involved in the investigation of an email crime?
- A. 1-->3-->6-->4-->5-->2
- B. 5-->1-->3-->6-->2-->4
- C. 1-->3-->4-->2-->5-->6
- D. 2-->4-->3-->6-->5-->1
Answer: B
Explanation:
In an email crime investigation, the workflow should begin with seizing the computer and email accounts (5) to preserve evidence and prevent alteration, deletion, or continued misuse. This includes securing endpoints and ensuring account access is maintained under proper authority. Next, investigators proceed with acquiring the email data (1) using forensic methods (logical export, mailbox acquisition, or forensic imaging of local mail stores) to maintain integrity and chain of custody.
Once the data is preserved, investigators examine email messages (3) to identify relevant communications, context, attachments, and indicators of fraud, harassment, data leakage, or impersonation. After identifying emails of interest, investigators retrieve email headers (6) (full headers, not just what the mail client displays) because headers contain routing metadata required for attribution and timeline reconstruction. They then analyze email headers (2) to interpret fields such as Received lines, Message-ID, originating IP clues (where applicable), sending infrastructure, and authentication results, which helps determine spoofing, relay paths, and sender legitimacy. Finally, they recover deleted email messages (4) from mail stores, server-side retention, or unallocated space to restore missing evidence. This sequence matches option B.
NEW QUESTION # 46
Which of the following types of phishing attacks allows an attacker to exploit instant messaging platforms by employing IM as a tool to spread spam?
- A. Spimming
- B. Whaling
- C. Spear phishing
- D. Pharming
Answer: A
Explanation:
Spimming is defined in digital forensics and cybercrime references as spam over instant messaging (IM). It is a social-engineering variant where attackers use instant messaging platforms (and sometimes chat apps) to deliver unsolicited bulk messages containing malicious links, fraudulent offers, credential-harvesting lures, or malware downloads. Because IM messages are often delivered in real time and can appear to come from known contacts (via compromised accounts), spimming can achieve higher click-through rates than traditional email spam. For investigators, spimming incidents commonly leave artifacts such as chat logs, message timestamps, sender identifiers, embedded URLs, and sometimes downloaded payload traces on the endpoint. These artifacts help establish attacker infrastructure (domains, IPs), victim interaction (click events, file creation), and timeline correlation with network logs.
The other options do not match the "IM as a tool to spread spam" description. Whaling targets high-profile individuals via highly tailored phishing, typically email-based. Pharming redirects users to fraudulent websites (often via DNS or host-file manipulation) without relying on bulk IM spam. Spear phishing is targeted phishing toward specific individuals or groups, not necessarily IM spam. Therefore, the phishing/spam attack that exploits instant messaging platforms is Spimming (A).
NEW QUESTION # 47
Below are the various steps involved in forensic readiness planning.
1. Keep an incident response team ready to review the incident and preserve the evidence.
2. Create a process for documenting the procedure.
3. Identify the potential evidence required for an incident.
4. Determine the sources of evidence.
5. Establish a legal advisory board to guide the investigation process.
6. Identify if the incident requires full or formal investigation.
7. Establish a policy for securely handling and storing the collected evidence.
8. Define a policy that determines the pathway to legally extract electronic evidence with minimal disruption.
Identify the correct sequence of steps involved in forensic readiness planning.
- A. 2-->3-->1-->4-->6-->5-->7-->8
- B. 3-->1-->4-->5-->8-->2-->6-->7
- C. 1-->2-->3-->4-->5-->6-->7-->8
- D. 3-->4-->8-->7-->6-->2-->5-->1
Answer: D
Explanation:
Forensic readiness planning focuses on ensuring an organization can legally, efficiently, and reliably collect usable digital evidence before an incident occurs. The planning sequence typically begins by defining what evidence would be needed to support likely incidents (3) and then mapping where that evidence resides across systems, services, logs, endpoints, and network components (4). Once evidence needs and sources are known, readiness requires a legally compliant extraction pathway that minimizes business disruption and prevents evidence contamination (8). After defining extraction, an organization must formalize secure handling and storage policies (chain of custody, access control, retention, integrity protection) so collected evidence remains admissible and trustworthy (7).
With those foundations in place, the organization can define decision criteria for when an event becomes a formal investigation and triggers deeper forensic procedures (6). A structured documentation process is then set so actions taken during acquisition and analysis are repeatable and defensible (2). Governance is reinforced by establishing legal oversight/advisory support to ensure compliance with jurisdictional requirements and internal policy (5). Finally, the plan is operationalized by ensuring an incident response team is prepared to preserve evidence promptly when incidents occur (1). Hence, 3-->4-->8-->7-->6-->2-->5-->1 (D) is the correct sequence.
NEW QUESTION # 48
Andrew, a system administrator, is performing a UEFI boot process. The current phase of the UEFI boot process consists of the initialization code that the system executes after powering on the EFI system. This phase also manages platform reset events and sets up the system so that it can find, validate, install, and run the PEI.
Which of the following UEFI boot phases is the process currently in?
- A. Pre-EFI initialization phase
- B. Security phase
- C. Boot device selection phase
- D. Driver execution environment phase
Answer: B
Explanation:
In the UEFI/PI boot architecture, the phase that runs immediately after power-on or reset is the SEC (Security) phase. Digital forensics references include UEFI phases because firmware-level activity can affect the trustworthiness of the platform (e.g., bootkits, persistence, and measured boot artifacts). The SEC phase is responsible for executing the earliest initialization instructions, handling platform reset events, and establishing a minimal, controlled execution environment. Critically, SEC prepares the system so it can locate, verify, and hand off control to the next stage, PEI (Pre-EFI Initialization), by setting up temporary memory and foundational CPU/chipset state required for PEI modules to execute.
The wording in the question precisely matches SEC responsibilities: "initialization code executed after powering on," "manages platform reset events," and "sets up the system so it can find, validate, install, and run the PEI." By contrast, PEI focuses on discovering and initializing permanent memory and producing the Hand-Off Blocks for DXE; DXE loads drivers and boot services; and BDS selects and launches the boot option.
Therefore, the phase described is the Security phase (SEC), which corresponds to option B.
NEW QUESTION # 49
In which of the following malware distribution techniques does the attacker use tactics such as keyword stuffing, doorway pages, page swapping, and adding unrelated keywords to improve the search-engine ranking of their malware pages?
- A. Drive-by downloads
- B. Spearphishing sites
- C. Black-hat search-engine optimization
- D. Social-engineered clickjacking
Answer: C
Explanation:
The technique described (keyword stuffing, doorway pages, page swapping, and inserting unrelated high-traffic keywords) matches black-hat search-engine optimization (SEO), often called SEO poisoning in digital forensics and threat intelligence materials. In this distribution method, attackers manipulate search engine ranking algorithms so that malicious or malware-hosting pages appear near the top of search results for popular queries (breaking news, software downloads, trending events, adult content, etc.). Doorway pages are created to rank well for specific terms and then funnel victims to malicious landing pages. Page swapping (or "bait-and-switch") occurs when a page is optimized and indexed as benign content, but later replaced or dynamically served as malicious content once it has gained ranking and trust signals. Keyword stuffing and unrelated keyword injection further exploit ranking heuristics by artificially increasing perceived relevance.
From a forensic perspective, black-hat SEO campaigns often leave artifacts such as compromised websites with injected spam links, abnormal redirect chains, cloaking behavior (different content for crawlers vs. users), and malicious scripts or exploit kit references. The other options do not primarily rely on search ranking manipulation: drive-by downloads are about silent exploitation on visit, spearphishing relies on targeted messaging, and clickjacking tricks users into unintended clicks. Hence, Black-hat search-engine optimization (C) is correct.
NEW QUESTION # 50
Bob, a network specialist in an organization, is attempting to identify malicious activities in the network. In this process, Bob analyzed specific data that provided him a summary of a conversation between two network devices, including a source IP and source port, a destination IP and destination port, the duration of the conversation, and the information shared during the conversation.
Which of the following types of network-based evidence was collected by Bob in the above scenario?
- A. Statistical data
- B. Session data
- C. Full content data
- D. Alert data
Answer: B
Explanation:
The description matches session data, often called flow records (for example, NetFlow/IPFIX-style evidence). In network forensics, session/flow evidence summarizes a communication "conversation" between two endpoints using the 5-tuple (source IP, source port, destination IP, destination port, and protocol) and typically adds start/end time or duration, bytes/packets sent, and sometimes directionality. This allows an investigator to reconstruct who talked to whom, when, and for how long, even when packet payloads are unavailable (because of encryption, storage limits, or privacy constraints).
"Full content data" refers to complete packet captures (PCAP) containing payload bytes; that is far more detailed and would include the actual transmitted content, not just a summary. "Statistical data" is broader aggregate metrics (overall bandwidth trends, interface counters) and generally lacks per-conversation attribution. "Alert data" comes from IDS/IPS/SIEM detections and represents triggered events or signatures, not a neutral conversation summary.
Because Bob's evidence contains per-connection identifiers (IPs/ports) and conversation duration, typical of flow/session summaries, the correct evidence type is Session data (B).
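The following is an added example (not from the original page) of how session records are derived from packet headers alone: both directions of a conversation are merged under a direction-independent 5-tuple key and summarised as start, end, duration, packet count and bytes per direction. The packet list is constructed from sample header fields and carries no payload, which is the point of session data.

```python
"""Build session (flow) records from per-packet header metadata.

Added example, not from the original page. PACKETS is a constructed list of
(timestamp_seconds, src_ip, src_port, dst_ip, dst_port, proto, bytes) tuples
standing in for what a sensor extracts from packet headers.
"""
from dataclasses import dataclass

PACKETS = [
    (100.0, "10.0.0.5", 51000, "203.0.113.8", 443, "tcp", 517),
    (100.1, "203.0.113.8", 443, "10.0.0.5", 51000, "tcp", 1460),
    (100.2, "203.0.113.8", 443, "10.0.0.5", 51000, "tcp", 1460),
    (100.4, "10.0.0.5", 51000, "203.0.113.8", 443, "tcp", 64),
    (102.0, "10.0.0.5", 40200, "192.0.2.53", 53, "udp", 71),
    (102.05, "192.0.2.53", 53, "10.0.0.5", 40200, "udp", 135),
    (130.0, "10.0.0.5", 51000, "203.0.113.8", 443, "tcp", 64),
]


@dataclass
class Session:
    client: tuple   # (ip, port) of whichever endpoint sent the first packet
    server: tuple
    proto: str
    start: float
    end: float
    packets: int = 0
    bytes_to_server: int = 0
    bytes_to_client: int = 0

    @property
    def duration(self):
        return self.end - self.start


def session_key(src_ip, src_port, dst_ip, dst_port, proto):
    """Direction-independent key so both halves of a conversation merge."""
    a, b = (src_ip, src_port), (dst_ip, dst_port)
    return (proto,) + (a + b if a <= b else b + a)


def summarise_sessions(packets):
    """Fold packets (any order) into one Session per 5-tuple conversation."""
    sessions = {}
    for ts, sip, sport, dip, dport, proto, size in sorted(packets):
        key = session_key(sip, sport, dip, dport, proto)
        s = sessions.get(key)
        if s is None:
            s = Session(client=(sip, sport), server=(dip, dport),
                        proto=proto, start=ts, end=ts)
            sessions[key] = s
        s.end = max(s.end, ts)
        s.packets += 1
        if (sip, sport) == s.client:
            s.bytes_to_server += size
        else:
            s.bytes_to_client += size
    return list(sessions.values())


def flow_line(s):
    """Render a session in a NetFlow-like one-line form for reports."""
    return (f"{s.proto} {s.client[0]}:{s.client[1]} -> {s.server[0]}:{s.server[1]} "
            f"start={s.start} dur={s.duration:.2f}s pkts={s.packets} "
            f"up={s.bytes_to_server}B down={s.bytes_to_client}B")


if __name__ == "__main__":
    for s in summarise_sessions(PACKETS):
        print(flow_line(s))
```

Note that "client" here means only "sent the first packet the sensor saw"; if capture began mid-conversation the roles may be reversed, which is one reason flow tools also record TCP flags when they are available.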
NEW QUESTION # 51
Which of the following commands can an investigator use to parse GPTs of both types of hard disks, including those formatted with either UEFI or MBR?
- A. Get-BootSector
- B. Get-ForensicPartitionTable
- C. Get-PartitionTable
- D. Get-GPT
Answer: B
Explanation:
In forensic examinations, investigators must correctly interpret a disk's partitioning scheme because it determines where volumes begin, where file systems reside, and how to validate acquisition completeness. Modern systems may use GPT (commonly associated with UEFI) while legacy systems often use MBR. A practical forensic command therefore needs to detect and parse partition information regardless of whether the disk uses MBR or GPT, and present the results in a consistent, investigator-friendly output for verification and downstream analysis (e.g., selecting the correct partition offsets for imaging or mounting).
Get-ForensicPartitionTable is designed for exactly this role in forensic PowerShell tooling: it parses partition table structures in a forensically oriented manner and supports disks partitioned using either MBR or GPT. That "forensic" emphasis typically means it reads raw structures directly, reports partition entries and offsets, and helps avoid ambiguity when the protective MBR (present on GPT disks) could confuse simplistic parsers.
By contrast, Get-BootSector targets boot sector/VBR data rather than the full partition layout; Get-GPT is GPT-specific and does not cover MBR-only disks; and Get-PartitionTable is a more generic label that may not guarantee dual-scheme forensic parsing. Therefore, the correct option is B.
NEW QUESTION # 52
Jennifer, a forensics investigation team member, was inspecting a compromised system. After gathering all the evidence related to the compromised system, she disconnected the system from the network to stop the spread of the incident to other systems.
Identify the role played by Jennifer in the forensics investigation.
- A. Incident analyzer
- B. Evidence manager
- C. Expert witness
- D. Incident responder
Answer: D
Explanation:
Jennifer's actions match the responsibilities of an incident responder, whose job spans immediate containment, preservation, and stabilization activities during an active or recently active security incident. In standard digital forensics and incident response (DFIR) procedures, responders first take steps to preserve evidence (e.g., documenting the scene, capturing volatile data when appropriate, and collecting relevant system artifacts) and then execute containment measures to prevent further harm. Disconnecting a compromised host from the network is a classic containment control used to stop malware propagation, block command-and-control communications, and prevent lateral movement to other systems.
An incident analyzer typically focuses on deeper technical analysis (timeline reconstruction, root cause determination, and correlating artifacts across hosts and logs) rather than performing immediate containment. An evidence manager is primarily responsible for maintaining evidence integrity, chain of custody, storage, labeling, and access control, not operational containment. An expert witness provides formal testimony and interpretation in legal or disciplinary proceedings and is not usually involved in live containment actions.
Since Jennifer both gathered evidence and then isolated the system to stop spread, the role most consistent with documented DFIR responsibilities is Incident responder (D).
NEW QUESTION # 53
David, a cybercriminal, targeted a community and initiated anti-social campaigns online. In this process, he used a layer of the web that allowed him to maintain anonymity during the campaign.
Which of the following layers of the web allowed David to hide his presence during the anti-social campaign?
- A. Surface Web
- B. Deep Web
- C. World Wide Web
- D. Dark Web
Answer: D
Explanation:
The layer of the web most associated with maintaining anonymity for users and services is the Dark Web. In digital forensics terminology, the Dark Web refers to services hosted on overlay networks (such as Tor hidden services) that are not indexed by standard search engines and are typically accessible only through specialized software and configurations. Its core characteristic is that it is deliberately designed to reduce traceability by routing traffic through multiple relays and separating identifying information (like the user's real IP address) from the destination. This makes attribution and geolocation significantly harder using traditional network logs alone, which is why adversaries often choose it to conduct covert communications, host content, or coordinate campaigns.
By contrast, the Surface Web (the regular, indexed portion of the web) is generally reachable through normal browsers and is easier to monitor and attribute using conventional ISP, server, and platform logs. "World Wide Web" is a general term for web content accessed via HTTP/HTTPS and does not specifically imply anonymity. The Deep Web refers to content not indexed by search engines (e.g., webmail, databases, authenticated portals), but it is not inherently anonymizing; many deep web resources are simply private or access-controlled. Therefore, the layer enabling David to hide his presence is the Dark Web (D).
NEW QUESTION # 54
Which of the following layers of the TCP/IP model serves as the backbone for data flow between two devices in a network and enables peer entities on the source and destination devices to communicate with each other?
- A. Network access layer
- B. Application layer
- C. Internet layer
- D. Transport layer
Answer: D
Explanation:
In the TCP/IP model, the Transport layer is responsible for end-to-end communication between peer entities on the source and destination systems. "Peer entities" here refers to the corresponding transport components (and the applications that use them) on two different hosts communicating across a network. This layer forms the practical "backbone" of host-to-host data flow because it provides the mechanisms that allow data to be delivered from one endpoint process to another endpoint process reliably or efficiently, depending on the protocol used.
The Transport layer includes protocols such as TCP and UDP. TCP supports connection-oriented communication with sequencing, acknowledgments, retransmissions, and flow control, features that are fundamental when reconstructing sessions during network forensic investigations (e.g., rebuilding a file transfer or a web session). UDP provides connectionless delivery used by many services where speed is preferred over guaranteed delivery, which is also significant in investigations of DNS, streaming, or certain malware communications.
By contrast, the Internet layer focuses on logical addressing and routing (IP), the Network access layer handles local delivery on the physical/link network, and the Application layer provides user-facing protocols. Therefore, the layer enabling peer communication between endpoints is the Transport layer (D).
NEW QUESTION # 55
Which of the following techniques is used to compute the hash value for a given binary code to uniquely identify malware or periodically verify changes made to the binary code during analysis?
- A. Strings search
- B. File fingerprinting
- C. Malware disassembly
- D. Local and online malware scanning
Answer: B
Explanation:
File fingerprinting is the forensic technique of generating a cryptographic hash (such as MD5, SHA-1, SHA-256) for a file to create a unique, repeatable identifier for that exact byte sequence. In malware forensics, analysts compute hashes to (1) uniquely identify a suspicious binary across cases and tools, (2) confirm whether two samples are identical or different variants, and (3) verify integrity over time, for example, ensuring the sample did not change during copying, extraction, sandbox handling, or during an analysis workflow that might inadvertently modify the file (e.g., patching, unpacking outputs, or tool-side normalization). Re-hashing at different stages provides a defensible way to demonstrate that the analyzed artifact is the same as the acquired artifact, supporting evidentiary integrity and chain-of-custody principles commonly emphasized in digital forensics documentation.
The other techniques do not primarily serve this purpose. Strings search extracts readable text fragments but does not produce a unique integrity identifier. Local and online malware scanning uses signatures/reputation and may identify families, but it is not an integrity verification mechanism for the exact file bytes. Malware disassembly helps understand logic and instructions, not compute an identity hash. Therefore, the correct answer is File fingerprinting (B).
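As an added example (not from the original page), the script below fingerprints a sample with MD5, SHA-1 and SHA-256 and keeps a stage-by-stage log so that any divergence from the acquisition-time hash is recorded rather than silently overwritten. The sample bytes and the tampered copy are constructed; the known-answer check uses the standard digests of the string "abc".

```python
"""Fingerprint a sample and re-verify it at each analysis stage.

Added example, not from the original page. SAMPLE and TAMPERED are
constructed byte strings standing in for an acquired binary and a copy that
was altered during handling.
"""
import hashlib

ALGORITHMS = ("md5", "sha1", "sha256")

SAMPLE = b"MZ" + bytes(range(256)) * 4          # constructed, not a real binary
TAMPERED = bytearray(SAMPLE)
TAMPERED[100] ^= 0x01                           # single-bit change
TAMPERED = bytes(TAMPERED)


def fingerprint(data, algorithms=ALGORITHMS, chunk_size=1 << 20):
    """Return {algo: hexdigest}. Feed the data in chunks so large images stream
    through without being held twice in memory; the result is identical to a
    one-shot hash."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    for i in range(0, len(data), chunk_size):
        chunk = data[i:i + chunk_size]
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def fingerprint_file(path, algorithms=ALGORITHMS, chunk_size=1 << 20):
    """Same as fingerprint() but reads from disk in chunks."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


class CustodyLog:
    """Records the fingerprint at each handling stage against the baseline."""

    def __init__(self, data, stage="acquired"):
        self.baseline = fingerprint(data)
        self.entries = [(stage, self.baseline, True)]

    def verify(self, stage, data):
        current = fingerprint(data)
        ok = current == self.baseline
        self.entries.append((stage, current, ok))
        return ok

    def mismatches(self):
        return [stage for stage, _, ok in self.entries if not ok]


if __name__ == "__main__":
    log = CustodyLog(SAMPLE)
    log.verify("copied to analysis share", SAMPLE)
    log.verify("after unpacking step", TAMPERED)
    for stage, digests, ok in log.entries:
        print(f"{stage:28} sha256={digests['sha256'][:16]}... {'OK' if ok else 'MISMATCH'}")
```

Comparing all three digests rather than one is deliberate: MD5 and SHA-1 are still what many older reports and sharing platforms index on, but SHA-256 is the one that should carry the integrity claim.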
NEW QUESTION # 56
Kane, an investigation specialist, was appointed to investigate an incident in an organization's network. In this process, Kane executed a command and identified that a network interface is running in the promiscuous mode and is allowing all incoming packets without any restriction.
In the above scenario, which of the following commands did Kane use to check whether the network interface is set to the promiscuous mode?
- A. ipconfig <interface name>
- B. netstat -i
- C. nmap -sT localhost
- D. ifconfig <interface name>
Answer: D
Explanation:
Promiscuous mode is a network interface configuration in which the NIC passes all observed frames to the operating system, not only frames addressed to that host's MAC address. In investigations, this matters because promiscuous mode is commonly enabled by packet sniffers, certain intrusion tools, or misconfigured monitoring software, and it can indicate covert traffic capture on a host.
On UNIX/Linux systems, the traditional command used to view interface flags and status is ifconfig <interface name>. When an interface is set to promiscuous mode, ifconfig displays a PROMISC flag in the interface's status line, allowing an investigator to confirm whether the NIC is accepting all frames. This directly matches Kane's goal of checking if the interface is running in promiscuous mode.
The other commands do not provide this specific interface flag. nmap -sT localhost scans for open TCP ports, not interface modes. ipconfig is a Windows command (and does not take an interface name in that form to show PROMISC status), and it primarily reports IP configuration. netstat -i shows network interface statistics (packets, errors, drops) but typically does not explicitly indicate promiscuous mode. Therefore, the correct command is ifconfig <interface name> (D).
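The following added example (not from the original page) reads the PROMISC flag from saved ifconfig output in both net-tools output styles, and also decodes the raw interface flags word that Linux exposes at `/sys/class/net/<iface>/flags`, where IFF_PROMISC is bit 0x100 (the constants are from `<linux/if.h>`). The ifconfig text and interface names are constructed.

```python
"""Detect promiscuous interfaces from ifconfig output or raw IFF_* flags.

Added example, not from the original page. SAMPLE_IFCONFIG is constructed:
eth0 in the newer net-tools format, eth1 in the older format, lo as control.
"""
import re

# Interface flag bits from <linux/if.h>
IFF_FLAGS = {0x1: "UP", 0x2: "BROADCAST", 0x8: "LOOPBACK", 0x10: "POINTOPOINT",
             0x40: "RUNNING", 0x80: "NOARP", 0x100: "PROMISC",
             0x200: "ALLMULTI", 0x1000: "MULTICAST"}
IFF_PROMISC = 0x100

SAMPLE_IFCONFIG = """\
eth0: flags=4419<UP,BROADCAST,RUNNING,PROMISC,MULTICAST>  mtu 1500
        inet 10.0.0.5  netmask 255.255.255.0  broadcast 10.0.0.255
        ether 02:42:0a:00:00:05  txqueuelen 1000  (Ethernet)

eth1      Link encap:Ethernet  HWaddr 02:42:0a:00:01:05
          inet addr:10.0.1.5  Bcast:10.0.1.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
"""

HEADER_RE = re.compile(r"^(\S+?):?\s+(flags=\d+<([^>]*)>|Link encap:)")


def interfaces_from_ifconfig(text):
    """Return {iface: set of flag tokens} for both ifconfig output styles."""
    result, current = {}, None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            current = m.group(1)
            # New style carries the flags in the header; old style lists them later.
            result[current] = set(m.group(3).split(",")) if m.group(3) else set()
            continue
        if current and line.startswith(" "):
            tokens = line.split()
            if any(t.startswith("MTU:") for t in tokens):   # old-style flag line
                result[current].update(t for t in tokens if t.isupper() and ":" not in t)
    return result


def promiscuous_interfaces(ifaces):
    return sorted(name for name, flags in ifaces.items() if "PROMISC" in flags)


def decode_flags(value):
    """Translate a raw flags word (e.g. 0x1143 from sysfs) into flag names."""
    return {name for bit, name in IFF_FLAGS.items() if value & bit}


def read_sysfs_flags(iface):
    """Live check on Linux: /sys/class/net/<iface>/flags holds a hex word."""
    with open(f"/sys/class/net/{iface}/flags") as fh:
        return int(fh.read().strip(), 16)


if __name__ == "__main__":
    ifaces = interfaces_from_ifconfig(SAMPLE_IFCONFIG)
    print("promiscuous:", promiscuous_interfaces(ifaces))
    print("0x1143 decodes to", sorted(decode_flags(0x1143)))
```

On current distributions ifconfig may be absent and `ip link show` prints the same PROMISC token; the sysfs word works regardless of which userland tool is installed, and the kernel also logs "entered promiscuous mode" when the flag is set, which gives a timestamp for the change.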
NEW QUESTION # 57
Which of the following standards and criteria version of SWGDE mandates that any action with the potential to alter, damage, or destroy any aspect of original evidence must be performed by qualified persons in a forensically sound manner?
- A. Standards and Criteria 1.7
- B. Standards and Criteria 1.1
- C. Standards and Criteria 1.5
- D. Standards and Criteria 1.3
Answer: A
Explanation:
The statement in the question matches SWGDE Principle 1, Standards and Criteria 1.7, which explicitly requires that any action that could alter, damage, or destroy original digital evidence must be performed by qualified personnel in a forensically sound manner. In digital forensics doctrine, this requirement exists because digital evidence is highly fragile: routine interactions (booting a system, opening a file, connecting storage, running commands) can change timestamps, overwrite unallocated space, modify logs, or trigger encryption/key rotation. SWGDE's emphasis on "qualified persons" and "forensically sound manner" aligns with core evidentiary expectations: minimizing changes to original media, using controlled and repeatable methods (e.g., write-blocking, validated imaging, documented procedures), and ensuring actions are defensible under scrutiny.
Options 1.1, 1.3, and 1.5 relate to broader quality and procedural requirements (quality systems, SOP review, appropriate tools), but they do not contain the specific mandate about potentially altering original evidence. The exact phrasing about alteration/damage/destruction and qualified handling is associated with Standards and Criteria 1.7, making A the correct choice.
NEW QUESTION # 58
Which of the following NTFS system files contains a record of every file present in the system?
- A. $logfile
- B. $quota
- C. $volume
- D. $mft
Answer: D
Explanation:
In the NTFS file system, the Master File Table (MFT) is the core metadata structure that tracks every file and directory on the volume. NTFS implements this as a special system file named $MFT (shown here as $mft). Each file or folder on an NTFS partition is represented by at least one MFT record entry, which stores essential metadata such as file name(s), timestamps, security identifiers/ACL references, file size, attributes, and pointers to the file's data runs (or, for very small files, the content can be stored resident inside the record). Because it is the authoritative "index" of file objects, forensic examiners rely heavily on $MFT to reconstruct user activity and file history, including evidence of deleted files (when records are marked unused but remnants of attributes may remain) and timeline building from timestamp attributes.
The other options are different NTFS metadata files with narrower purposes: $LogFile records NTFS transaction logs to support recovery, $Volume stores volume-level information (like version/label), and $Quota manages disk quota tracking. None of these contain a record for every file on the system.
Therefore, the NTFS system file that contains a record of every file present is $mft (D).
NEW QUESTION # 59
Given below are different steps involved in event correlation.
1. Event masking
2. Event aggregation
3. Root cause analysis
4. Event filtering
Identify the correct sequence of steps involved in event correlation.
- A. 1-->3-->4-->2
- B. 2-->4-->3-->1
- C. 2-->1-->4-->3
- D. 1-->3-->2-->4
Answer: C
Explanation:
In event correlation (as applied in SOC/SIEM-driven investigations), the workflow typically starts by reducing complexity and normalizing what "one incident" looks like before attempting conclusions about causality. Event aggregation (2) is performed early to combine multiple low-level, related events (for example repeated authentication failures, repeated firewall denies, or multiple IDS hits for the same signature) into higher-level "grouped" records. This prevents analysts from treating every raw log line as a separate incident and makes correlation computationally and operationally feasible.
Next, event masking (1) suppresses events that are already known to be irrelevant or repetitive in a way that does not add investigative value (for example, routine scheduled scans, approved admin tools, or duplicate alerts already represented in the aggregated set). After masking, event filtering (4) further removes remaining noise using rules, thresholds, whitelists, time windows, or relevance criteria (scope, asset criticality, and known-benign sources), leaving a cleaner dataset that represents probable security-relevant activity.
Only after the dataset is consolidated and noise-reduced does root cause analysis (3) become reliable, because RCA depends on a clear chain of correlated events to identify the initiating action and propagation path.
Hence the correct sequence is 2-->1-->4-->3 (Option C).
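The following added example (not from the original page) runs the four steps in the order given above, aggregation, masking, filtering and root cause analysis, over a constructed set of normalized events: an approved scanner's probes, a burst of failed logons from an external address followed by a success, onward activity from the compromised host, and one stray typo'd password. The event types, addresses and the simple "destination becomes the next source" chaining rule are assumptions made for the illustration; production SIEMs use richer rule sets.

```python
"""Event correlation in four steps: aggregate, mask, filter, then root cause.

Added example, not from the original page. RAW_EVENTS is a constructed,
already-normalized event list; the benign scanner address is an assumption.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Event:
    ts: int      # seconds since the start of the analysis window
    src: str
    dst: str
    kind: str    # normalized event type


RAW_EVENTS = [
    Event(0, "10.0.0.50", "10.0.0.1", "vuln-scan"),         # approved scanner
    Event(5, "10.0.0.50", "10.0.0.2", "vuln-scan"),
    Event(10, "198.51.100.9", "10.0.0.7", "auth-failure"),
    Event(11, "198.51.100.9", "10.0.0.7", "auth-failure"),
    Event(12, "198.51.100.9", "10.0.0.7", "auth-failure"),
    Event(13, "198.51.100.9", "10.0.0.7", "auth-failure"),
    Event(20, "198.51.100.9", "10.0.0.7", "auth-success"),
    Event(30, "10.0.0.7", "10.0.0.8", "auth-success"),
    Event(31, "10.0.0.7", "10.0.0.8", "new-service"),
    Event(45, "10.0.0.3", "10.0.0.9", "auth-failure"),     # one mistyped password
]

KNOWN_BENIGN_SOURCES = {"10.0.0.50"}


def aggregate(events):
    """Step 2: collapse identical (src, dst, kind) events into counted records."""
    groups = defaultdict(list)
    for e in events:
        groups[(e.src, e.dst, e.kind)].append(e)
    return [{"src": s, "dst": d, "kind": k, "count": len(v),
             "first": min(e.ts for e in v), "last": max(e.ts for e in v)}
            for (s, d, k), v in groups.items()]


def mask(records, benign_sources=KNOWN_BENIGN_SOURCES):
    """Step 1: suppress records from sources already known to be expected noise."""
    return [r for r in records if r["src"] not in benign_sources]


def filter_noise(records, min_failures=3):
    """Step 4: apply thresholds; a lone auth failure is not worth correlating."""
    return [r for r in records
            if not (r["kind"] == "auth-failure" and r["count"] < min_failures)]


def root_cause_chain(records):
    """Step 3: order by first occurrence and follow the propagation chain, where
    the next record's source is either the previous actor or its target."""
    ordered = sorted(records, key=lambda r: r["first"])
    if not ordered:
        return []
    chain = [ordered[0]]
    for r in ordered[1:]:
        if r["src"] in (chain[-1]["src"], chain[-1]["dst"]):
            chain.append(r)
    return chain


def correlate(events):
    return root_cause_chain(filter_noise(mask(aggregate(events))))


if __name__ == "__main__":
    for r in correlate(RAW_EVENTS):
        print(f"t={r['first']:>3} {r['src']} -> {r['dst']} {r['kind']} x{r['count']}")
```

Running the steps out of order shows why the sequence matters: root cause analysis on the raw list would start at the scanner's first probe at t=0 and attribute the intrusion to an approved host.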
EC-COUNCIL 112-57 Study Guide Archives : https://examcollection.dumpsactual.com/112-57-actualtests-dumps.html
