Eccouncil EC-Council Digital Forensics Essentials 112-57 DFE Exam Questions

Page: 1 / 14
Total 75 questions
Question 1

Jack, a forensic investigator, was appointed by an organization to perform a security audit on a Linux system. In this process, Jack collected information about the present status of the system and listed all the applications running on various ports to detect malicious programs.

Which of the following commands can help Jack determine any programs/processes associated with open ports?



Answer : D

On Linux, a key step in a forensic triage or security audit is mapping open/listening ports to the owning process so investigators can identify suspicious services (backdoors, unauthorized daemons, rogue remote-access tools) and correlate them with binaries, users, startup mechanisms, and timestamps. The command netstat -tulpn is designed for exactly this purpose. In this switch set: -t limits output to TCP sockets, -u includes UDP sockets, -l shows only listening sockets (open ports awaiting connections), -p displays the owning process name and PID, and -n prevents name resolution by showing numeric IP addresses and ports (faster and avoids altering evidence via DNS queries). This combination yields a concise list of active listening ports and the processes bound to them, which is highly valuable for detecting unexpected services and attributing network exposure to a specific executable.

The other options do not provide process-to-port attribution: netstat -i shows interface statistics, ip r shows the routing table, and netstat -rn displays the routing table in numeric form. Therefore, the correct command is netstat -tulpn (D).
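To show the port-to-process attribution step in working form, here is an added example (not from the exam page or EC-Council): a Python parser for the `netstat -tulpn` output format that maps each listening socket to its PID/program and queues unowned or unexpected listeners for analyst review. The sample output and the allowlist of expected ports are constructed assumptions, not data from a real host.

```python
# Added example (not from the exam page): parse `netstat -tulpn` output into
# port-to-process records and flag entries an analyst would review first:
# listeners whose owner shows as "-" (not visible without sufficient privilege)
# or whose port is not in an allowlist of expected services. SAMPLE_OUTPUT is
# constructed for illustration, not captured from a real host.
import re
from dataclasses import dataclass
from typing import List, Optional

SAMPLE_OUTPUT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      640/cupsd
tcp6       0      0 :::80                   :::*                    LISTEN      1203/nginx: master
udp        0      0 0.0.0.0:68              0.0.0.0:*                           590/dhclient
tcp        0      0 0.0.0.0:4444            0.0.0.0:*               LISTEN      -
"""

@dataclass
class Listener:
    proto: str
    address: str
    port: int
    pid: Optional[int]        # None when netstat printed "-"
    program: Optional[str]

# UDP rows have no State column, so LISTEN is optional; the owner column is
# either "-" or "<pid>/<program>" (the program name may contain spaces).
_ROW = re.compile(
    r"^(?P<proto>tcp6?|udp6?)\s+\d+\s+\d+\s+(?P<local>\S+)\s+\S+\s+"
    r"(?:LISTEN\s+)?(?P<owner>-|\d+/.+?)\s*$"
)

def parse_netstat(text: str) -> List[Listener]:
    rows = []
    for line in text.splitlines():
        m = _ROW.match(line)
        if not m:                       # skip headers and unexpected lines
            continue
        # Port follows the last colon, which also covers IPv6 forms like ":::80".
        addr, _, port = m.group("local").rpartition(":")
        owner = m.group("owner")
        pid, program = (None, None) if owner == "-" else owner.split("/", 1)
        rows.append(Listener(m.group("proto"), addr, int(port),
                             None if pid is None else int(pid), program))
    return rows

def review_queue(rows: List[Listener], expected_ports) -> List[Listener]:
    """Listeners with no visible owner or a port outside the expected set."""
    return [r for r in rows if r.pid is None or r.port not in expected_ports]
```

Run netstat as root on the live system so the PID/Program column is populated; an unowned listener in the queue usually means insufficient privilege rather than a hidden process, and should be re-checked before it is treated as an indicator.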


Question 2

Which of the following layers of the TCP/IP model serves as the backbone for data flow between two devices in a network and enables peer entities on the source and destination devices to communicate with each other?



Answer : C

In the TCP/IP model, the Transport layer is responsible for end-to-end communication between peer entities on the source and destination systems. "Peer entities" here refers to the corresponding transport components (and the applications that use them) on two different hosts communicating across a network. This layer forms the practical "backbone" of host-to-host data flow because it provides the mechanisms that allow data to be delivered from one endpoint process to another endpoint process reliably or efficiently, depending on the protocol used.

The Transport layer includes protocols such as TCP and UDP. TCP supports connection-oriented communication with sequencing, acknowledgments, retransmissions, and flow control, features that are fundamental when reconstructing sessions during network forensic investigations (e.g., rebuilding a file transfer or a web session). UDP provides connectionless delivery used by many services where speed is preferred over guaranteed delivery, which is also significant in investigations of DNS, streaming, or certain malware communications.

By contrast, the Internet layer focuses on logical addressing and routing (IP), the Network access layer handles local delivery on the physical/link network, and the Application layer provides user-facing protocols. Therefore, the layer enabling peer communication between endpoints is the Transport layer (C).


Question 3

Which of the following files belonging to the Extensible Storage Engine (ESE) stores the mail data in Microsoft Exchange Server?



Answer : D

Microsoft Exchange Server stores mailbox contents (emails, attachments, folders, and related messaging objects) inside an ESE (Extensible Storage Engine) database that uses the .edb file format. In Exchange terminology this is the Mailbox Database, and its primary persistent store is the database .edb file along with associated transaction logs that support write-ahead logging and recovery. From a forensic perspective, the .edb file is the central artifact because it contains the structured mailbox data that investigators analyze for message content, metadata (timestamps, sender/recipient fields, message IDs), and folder structure.

Among the options, Database.edb best matches the Exchange ESE mailbox database file that stores mail data. The other options are either generic or associated with different Microsoft messaging components: Mail.MSMessageStore relates to the Windows Mail/Modern Mail app storage model rather than Exchange Server's mailbox database, and WLCalendarStore.edb is commonly tied to Windows Live/Windows Essentials calendar or communications storage, not Exchange's server-side mailbox store. DataStore.edb is also used by other Windows services, but the recognized Exchange mailbox store is the .edb database file, making Database.edb (D) the correct answer.


Question 4

Clark, a security professional, identified that one of the systems in the organization is infected with malware and was used for creating a backdoor. Clark employed an automated tool to analyze the system's memory and detect malicious activities performed on the system.

In the above scenario, which of the following tools did Clark employ to detect malicious activities performed on the system?



Answer : B

The question specifies an automated tool to analyze the system's memory and detect malicious activity associated with a malware backdoor. In malware forensics and incident response practice, memory analysis is used to identify artifacts that may not be reliably visible on disk, such as injected code, hidden processes, suspicious DLLs/modules, live network connections, persistence objects loaded in memory, and indicators of compromise tied to backdoors. Redline (commonly referenced in DFIR training) is purpose-built for host investigation and memory analysis. It can collect and analyze volatile data, including running processes, loaded modules, handles, drivers, network sessions, and other runtime indicators that help investigators spot malicious behavior and attribute it to specific executables or injected components.

The other options do not align with memory forensics. Medusa is primarily a credential brute-force/login auditing tool, not a memory analysis utility. Shodan is an Internet-wide device search engine used for external reconnaissance, not for local host RAM inspection. Wireshark is a packet capture and protocol analysis tool focused on network traffic, not automated memory artifact collection and analysis. Therefore, the tool Clark used to analyze memory and detect malicious activity is Redline (B).


Question 5

An investigator wants to extract information about the status of the network interface cards (NICs) in an organization's Windows-based systems. Identify the command-line utility that can help the investigator detect the network status.



Answer : A

On Windows systems, ipconfig is the standard command-line utility used to display and troubleshoot TCP/IP configuration and the operational status of network interfaces. From a forensic and incident-response perspective, it helps investigators quickly identify whether a NIC is enabled and configured, and it reveals key network parameters tied to "network status," such as the assigned IPv4/IPv6 addresses, subnet mask, default gateway, and DNS servers. Using variants like ipconfig /all, responders can also capture adapter-specific metadata including MAC address (physical address), DHCP enablement, DHCP server, lease timestamps, and interface descriptions, which is useful for correlating an endpoint to switch-port logs, DHCP logs, and network monitoring data. This is often part of live triage because it documents the system's current connectivity and routing context at the time of seizure or investigation.

The other options are not appropriate for NIC status: PsLoggedOn reports logged-on users, and PsList enumerates running processes; both are Sysinternals tools focused on user/process state rather than network interface configuration. ifconfig is a UNIX/Linux command (and not the primary Windows utility), so it would not be the correct choice for Windows-based systems. Therefore, ipconfig (A) is correct.


Question 6

Which of the following network protocols creates secure tunneling through which content obfuscation can be achieved?



Answer : C

SSH (Secure Shell) is specifically designed to provide an encrypted channel over an untrusted network. In digital forensics and incident response, SSH is well known for supporting tunneling/port forwarding, where traffic for another protocol (for example, HTTP, database connections, or remote desktop) is encapsulated inside an SSH session. Because the SSH session encrypts payload data (and can also protect authentication and command content), the tunneled traffic becomes obfuscated to network monitoring tools that can only see metadata such as source/destination IPs, port numbers (often TCP/22), timing, and byte counts. This capability is frequently discussed in forensic references as a mechanism that can hinder content inspection and complicate attribution of user actions purely from packet payload analysis.

By contrast, SNMP is primarily for network management and monitoring, not secure tunneling. ARP resolves IP-to-MAC addresses on local networks and does not provide encryption or tunneling. UDP is a transport protocol that can carry data for many applications but provides no built-in security or tunneling features by itself. Therefore, the protocol that creates secure tunneling enabling content obfuscation is SSH (C).

event logs) to establish user intent and sequence of actions. Therefore, the correct option is BrowsingHistoryView (B).


Question 7

A forensic investigator is collecting volatile data such as system information and network information present in the registries, cache, DLLs, and RAM of digital devices through its normal interface.

Identify the data acquisition method the investigator is performing.



Answer : B

The scenario describes the investigator collecting volatile artifacts (specifically information in RAM, active DLLs, system and network state, and transient data held in cache and similar runtime locations) through the device's normal interface while the system is running. In digital forensics documentation, this is the defining characteristic of live acquisition (also called live response). Live acquisition is performed when the system remains powered on so that investigators can capture evidence that would be lost on shutdown, such as running processes, open network connections, logged-on sessions, loaded modules/DLLs, encryption keys, and portions of registry data that exist in memory or are actively changing.

By contrast, static acquisition and dead acquisition are conducted when the system is powered off (or the evidence drive is imaged outside the running OS), focusing primarily on persistent storage such as disk sectors and file system structures. Non-volatile data acquisition refers to collecting persistent data stored on media (e.g., files on disk), which does not match the emphasis on RAM and other volatile components in the question. Because the investigator is explicitly collecting volatile data from a running system via its normal interface, the correct method is Live acquisition (B).

