Eccouncil EC-Council Digital Forensics Essentials 112-57 DFE Exam Questions

Page: 1 / 14
Total 75 questions
Question 1

Harry, a security professional, was hired to identify the details of an attack that was initiated on a Windows system. In this process, Harry decided to check the logs of currently running applications and the information related to previously uninstalled or removed applications for suspicious events.

Which of the following folders in a Windows system stores information on applications run on the system?



Answer : C

On Windows systems, the Prefetch feature records execution-related artifacts to speed up subsequent program launches. When an executable is run, Windows often creates a .pf prefetch file in C:\Windows\Prefetch that contains valuable forensic indicators such as the executable name (mapped into the prefetch filename), last run time(s) (depending on Windows version), run count (in many versions), and a list of files and directories referenced during startup. Because these artifacts can persist even after an application is later uninstalled or deleted, investigators commonly use the Prefetch directory to demonstrate that a program executed on a host and to help build timelines around suspicious activity. This is especially useful in intrusion investigations for identifying the execution of attacker tools, droppers, scripts launched via interpreters, or renamed binaries.

The other options are not standard repositories for program execution history. C:\Windows\debug may contain specific debug logs for certain components but is not the canonical execution-tracking folder. C:\Windows\Book and C:\subdir are not standard Windows forensic artifact locations. Therefore, the folder that stores information on applications run on the system is C:\Windows\Prefetch (C).


Question 2

Below are the elements included in the order of volatility for a typical computing system as per the RFC 3227 guidelines for evidence collection and archiving.

Archival media

Remote logging and monitoring data related to the target system

Routing table, process table, kernel statistics, and memory

Registers and processor cache

Physical configuration and network topology

Disk or other storage media

Temporary system files

Identify the correct sequence of order of volatility from the most to least volatile for a typical system.



Answer : B

RFC 3227's "order of volatility" principle guides responders to collect the most perishable evidence first because some data can disappear immediately when power is lost, processes terminate, or the system state changes during response actions. The most volatile items are CPU registers and processor cache (4) because they change continuously at instruction speed and are lost instantly on shutdown or context switching. Next are routing table, process table, kernel statistics, and memory (3) because live RAM contents and active system tables can change within seconds and are lost if the machine is powered off or rebooted.

After volatile memory, temporary system files (7) are collected because they are frequently overwritten or cleaned by the OS, users, or malware. Then comes disk or other storage media (6), which is more persistent but still subject to modification, log rotation, and overwriting through normal activity; hence imaging should occur before extensive interaction.

Less volatile still are remote logging and monitoring data (2) since they may persist off-host, but can be rotated or altered by retention policies. Physical configuration and network topology (5) generally changes less frequently and can often be re-documented later. Finally, archival media (1) is the least volatile because it is typically write-once or preserved storage. Thus the correct sequence is 4376251 (Option B).


Question 3

Bob, a security specialist at an organization, extracted the following IIS log from a Windows-based server:

"2019-12-12 06:11:41 192.168.0.10 GET /images/content/bg_body1.jpg - 80 - 192.168.0.27 Mozilla/5.0+(Windows+NT+6.3;+WOW64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/48.0.2564.103+Safari/537.36 http://www.moviescope.com/css/style.css 200 0 0 365"

Identify the element in the above IIS log entry that indicates the request was fulfilled without error.



Answer : C

In Microsoft IIS (W3C Extended) logging, each request line records multiple standardized fields that help investigators reconstruct what was accessed, by whom, and with what outcome. Among these fields, the most direct indicator of whether the server successfully handled the request is the HTTP status code captured in the sc-status field. A status code of 200 means "OK", indicating the server located the requested resource (here, /images/content/bg_body1.jpg) and returned it successfully to the client without application-level failure.

Other numbers in the entry represent different attributes: 80 is the server port used for the HTTP request, 192 values appear as part of IP addressing (client/server addresses), and 537 is embedded in the user-agent string (AppleWebKit build number), not a success indicator. IIS often logs additional substatus and Win32 status values (e.g., sc-substatus and sc-win32-status) to refine the outcome; in the shown line, those follow the 200 as "200 0 0 ...", reinforcing that no substatus error or OS-level error occurred. Therefore, 200 is the element confirming the request was fulfilled without error.
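As an added example (not part of the original question set), the parser below reads IIS W3C Extended log text, honours the #Fields directive, and classifies each request by sc-status, sc-substatus and sc-win32-status; the first sample line is the one quoted in the question, the #Fields header and the 404 line are constructed, and the default field order is assumed to be the IIS default.

```python
"""Parse IIS W3C Extended log entries and classify the outcome of each request."""

# Field order of the default IIS W3C Extended configuration (assumption; a real log
# carries its own "#Fields:" directive, which parse_w3c() honours when present).
DEFAULT_FIELDS = (
    "date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip "
    "cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken"
).split()

# Constructed sample: line 1 is the entry from the question, line 2 is an invented
# failed request (404, win32 status 2 = ERROR_FILE_NOT_FOUND) for contrast.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 8.5
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2019-12-12 06:11:41 192.168.0.10 GET /images/content/bg_body1.jpg - 80 - 192.168.0.27 Mozilla/5.0+(Windows+NT+6.3;+WOW64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/48.0.2564.103+Safari/537.36 http://www.moviescope.com/css/style.css 200 0 0 365
2019-12-12 06:11:42 192.168.0.10 GET /admin/config.bak - 80 - 192.168.0.27 Mozilla/5.0+(Windows+NT+6.3;+WOW64) - 404 0 2 12
"""


def parse_w3c(text):
    """Return one dict per request line, keyed by the names in the #Fields directive."""
    fields = list(DEFAULT_FIELDS)
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):            # directives: #Software, #Version, #Date, #Fields
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        values = line.split(" ")            # IIS encodes spaces inside a value as '+'
        if len(values) != len(fields):
            raise ValueError(f"expected {len(fields)} fields, got {len(values)}: {line!r}")
        entries.append(dict(zip(fields, values)))
    return entries


def outcome(entry):
    """Classify a request: only 2xx with zero substatus and zero Win32 status is a clean success."""
    status = int(entry["sc-status"])
    sub = entry.get("sc-substatus", "0")
    win32 = entry.get("sc-win32-status", "0")
    if 200 <= status < 300 and sub == "0" and win32 == "0":
        return "success"
    if 300 <= status < 400:
        return "redirect"
    if 400 <= status < 500:
        return f"client-error {status}.{sub}"
    if status >= 500:
        return f"server-error {status}.{sub}"
    return f"unexpected {status}.{sub} win32={win32}"


def failed_requests(text):
    """Triage view: (client IP, URI, outcome) for every request that was not a clean success."""
    return [(e["c-ip"], e["cs-uri-stem"], outcome(e)) for e in parse_w3c(text) if outcome(e) != "success"]
```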


Question 4

Bob, a forensic specialist at a newly established NGO, discovered a security loophole in the NGO's web application, which unintentionally reveals early enrolled NGO members' biodata to attackers. Bob immediately employed a content filtering mechanism to protect all the NGO's data sources and prevent further damage.

Identify the web application threat identified by Bob in the above scenario.



Answer : B

The scenario describes a web application that unintentionally reveals sensitive member biodata to attackers. This is a classic case of information leakage, where confidential or private data becomes exposed due to poor access control, improper output handling, verbose error messages, misconfigured endpoints, insecure direct object references, or unintended exposure through pages, APIs, backups, or logs. In forensic and web security documentation, information leakage is defined by the unauthorized disclosure of data, even if the attacker does not alter the system. The key indicator here is that the application is "revealing" biodata, meaning confidentiality is breached.

Bob's response, using a content filtering mechanism, also aligns with mitigating data exposure. Content filtering can prevent sensitive fields from being returned, mask personally identifiable information, restrict responses based on user role, and sanitize outputs before they leave the server.

The other options do not match the described impact. Buffer overflow is a low-level memory corruption vulnerability, typically associated with native code execution rather than accidental biodata exposure. Authentication hijacking involves taking over sessions/credentials, and cookie poisoning involves manipulating cookie values to gain privileges or alter behavior; neither is explicitly indicated. Therefore, the identified threat is Information leakage (B).


Question 5

Which of the following steps in forensic readiness planning provides a backup for future reference and assists in presenting evidence in a court of law?



Answer : A

In forensic readiness planning, the goal is to ensure that when an incident occurs, the organization can collect, preserve, and present digital evidence in a manner that remains reliable, repeatable, and legally defensible. A key requirement for courtroom acceptance is clear documentation (often referred to as proper documentation and chain-of-custody support) showing what actions were taken, by whom, when, using which tools, and under what conditions. Creating a defined process for documenting procedures ensures investigators consistently record acquisition steps, handling methods, hashing/verification results, storage locations, access history, and any changes in evidence possession. This documentation becomes a "backup" in the sense that it preserves institutional memory of the investigation steps, allowing future reviewers (auditors, opposing experts, courts) to reconstruct and validate what occurred even long after the incident.

While identifying potential evidence (B) and determining evidence sources (C) are important readiness tasks, they do not themselves create the structured record needed to defend evidence integrity. Keeping an incident response team ready (D) supports operational response, but does not directly ensure admissibility. Therefore, the step that provides future reference and supports court presentation is Creating a process for documenting the procedure (A).


Question 6

James was examining a system that a cybercriminal was suspected to have used for performing an anti-social activity through the Tor browser. He reviewed the active network connections established using specific ports via Tor.

Which of the following port numbers does Tor use for establishing a connection via Tor nodes?



Answer : D

In Tor Browser deployments, Tor typically runs a local client (the "tor" process) that exposes a SOCKS proxy for applications (the browser) to send traffic into the Tor network and, optionally, a control interface for managing circuits and obtaining runtime status. In many forensic lab guides and Tor Browser bundle configurations, the default local SOCKS listening port is 9150, and the associated Tor control port is commonly 9151. This pairing is frequently referenced in investigations because endpoint triage (e.g., netstat outputs, firewall logs, EDR socket telemetry) may show local loopback connections from the browser to 127.0.0.1:9150 (SOCKS) and management communications involving 9151 (control).

From a network-forensics viewpoint, these ports help distinguish Tor Browser activity from other proxy tools: the browser does not directly connect to Tor relays; instead, it hands traffic to the local SOCKS proxy, which then establishes encrypted circuits to Tor nodes. While Tor can be configured to use different ports, the question asks about the specific ports used for establishing Tor connections in typical Tor Browser setups, which aligns with 9150/9151. Therefore, the correct option is D.


Question 7

Cooper, a forensic analyst, was examining a RAM dump extracted from a Linux system. In this process, he employed an automated tool, Volatility Framework, to identify any malicious code hidden inside the memory.

Which of the following plugins of the Volatility Framework helps Cooper detect hidden or injected files in the memory?



Answer : A

In memory forensics, "hidden or injected" malicious code typically refers to process injection, code caves, unbacked executable mappings, or regions of memory that are marked executable but do not align with normal, file-backed program segments. The Volatility Framework provides specialized plugins to locate these suspicious patterns. linux_malfind is the plugin designed to detect potentially injected code by scanning a process's memory mappings for characteristics that commonly indicate malicious presence, such as executable anonymous mappings, unusual permissions (e.g., RWX), and memory regions that contain shellcode-like byte patterns. This is highly relevant when malware attempts to avoid disk artifacts by living in memory or by injecting payloads into legitimate processes.

By contrast, linux_netstat is used to enumerate network connections and sockets from memory (useful for C2 analysis), but it does not focus on injected code regions. ip addr show and nmap -sU localhost are live-system networking commands, not Volatility plugins, and they are not suitable for analyzing a captured RAM image. Therefore, to detect hidden/injected malicious code in a Linux RAM dump using Volatility, the correct plugin is linux_malfind (A).

