EC-Council 112-53 Sample

Questions:
01. Which macOS feature should a forensic analyst be particularly aware of
due to its potential to overwrite deleted data?

a) Time Machine

b) FileVault

c) Spotlight

d) Fusion Drive

02. During the investigation phase, the process of evidence acquisition is

critical. Which of the following best describes a proper procedure for
evidence acquisition?

a) Powering off the device immediately to preserve evidence

b) Documenting the system’s physical and digital condition

c) Connecting to the internet to update forensic software

d) Interrogating involved personnel before securing digital evidence

03. What aspect of Windows memory analysis can provide insights into
recently executed programs?

a) File size analysis

b) User account settings

c) Analysis of page file.sys

d) Examination of prefetch files

04. Why might an investigator choose the Advanced Forensics Format (AFF)
over the Raw format?

a) AFF supports metadata storage and compression.

b) AFF is faster to create and process.

c) Raw format cannot be used on Windows systems.

d) Raw format requires more specialized hardware.

05. In disk partitioning, what is the primary purpose of creating multiple
partitions on a single physical disk?

a) To increase the disk speed

b) To enable dual booting of different operating systems

c) To physically separate data for security reasons

d) To create additional physical disks

06. When investigating Mac forensics, which feature is crucial for

understanding user data changes over time?

a) Spotlight indexing

b) Launch Agents and Daemons

c) Time Machine backups

d) FileVault encryption

07. Which of the following are objectives during the postinvestigation

phase?

(Select two)

a) Ensuring all evidence is returned to rightful owners

b) Updating investigation policies based on recent experiences

c) Planning the press conference for case disclosure

d) Archiving all documentation and evidence properly

08. For Linux and Mac forensics, what is the importance of analyzing the
/tmp directory?

a) It may contain remnants of malicious scripts.

b) It is where the system stores its kernel logs.

c) It provides a history of installed applications.

d) It includes user download history.

09. Why is it important to analyze GET and POST requests during a web
application forensic investigation?

a) To optimize the multimedia content delivery

b) To determine the load balancing efficiency of the web application

c) To identify potential injection points for attacks

d) To evaluate the effectiveness of the web application's marketing

strategies

10. How can web server logs aid in the forensic investigation of a
distributed denial of service (DDoS) attack?

a) By displaying the color depth of visitor displays

b) By revealing the uptime of the server

c) By indicating changes in the advertising click-through rates

d) By showing an unusual increase in traffic from varied sources

Answers:
Question: 01 Question: 02 Question: 03 Question: 04 Question: 05

Answer: a Answer: b Answer: d Answer: a Answer: b

Question: 06 Question: 07 Question: 08 Question: 09 Question: 10

Answer: c Answer: b, d Answer: a Answer: c Answer: d

EC-Council 312-49 Sample

Questions:
01. The file content of evidence files can be viewed using the View Pane.
The View pane provides several tabs to view file content.
Which of this tab provides native views of formats supported by Oracle
outside in technology?
a) Text tab
b) Hex tab
c) Picture tab
d) Doc tab

02. During live response, you can retrieve and analyze much of the
information in the Registry, and the complete data during post-mortem
investigation.
Which of this registry Hive contains configuration information relating to
which application is used to open various files on the system?
a) HKEY_USERS
b) HKEY_CURRENT_USER
c) HKEY_CLASSES_ROOT
d) HKEY_CURRENT_CONFIG

03. Which one of the following is the smallest allocation unit of a hard disk,
which contains a set of tracks and sectors ranging from 2 to 32, or more,
depending on the formatting scheme?
a) Sector
b) Cluster
c) Track
d) 4Platter

04. Source Processor automates and streamlines common investigative

tasks that collect, analyze, and report on evidence. Which of this source
processor module obtains drives and memory from a target machine?
a) Acquisition Module
b) Internet Artifacts Module
c) Personal Information Module
d) File Processor Module

05. Which of this attack technique is the combination of both a brute-force

attack and a dictionary attack to crack a password?
a) Hybrid Attack
b) Rule-based Attack
c) Syllable Attack
d) Fusion Attack

06. Mike is a Computer Forensic Investigator. He got a task from an

organization to investigate a forensic case. When Mike reached the
organization to investigate the place, he found that the computer at the
crime scene was switched off.
In this scenario, what do you think Mike should do?
a) He should turn on the computer
b) He should leave the computer off
c) He should turn on the computer and extract the data
d) He should turn on the computer and should start analyzing it

07. The process of examining acquired evidence is cyclical in nature and

reflected in the relationship among the four panes of the EnCase interface.
Which of the following pane represents a structured view of all gathered
evidence in a Windows-like folder hierarchy?
a) Tree Pane
b) Table Pane
c) View Pane
d) Filter Pane

08. Which type of digital data stores a document file on a computer when it
is deleted and helps in the process of retrieving the file until that file space
is reused?
a) Metadata
b) Transient Data
c) Archival Data
d) Residual Data

09. Redundant Array of Inexpensive Disks (RAID) is a technology that uses

multiple smaller disks simultaneously which functions as a single large
volume.
In which RAID level disk mirroring is done?
a) RAID Level 3
b) RAID Level 0
c) RAID Level 1
d) RAID Level 5

10. Which of the following is a legal document that demonstrates the

progression of evidence as it travels from original evidence location to the
forensic laboratory?
a) Chain of Custody
b) Origin of Custody
c) Evidence Document
d) Evidence Examine

Answers:
Question: 01 Question: 02 Question: 03 Question: 04 Question: 05
Answer: d Answer: c Answer: b Answer: a Answer: c
Question: 06 Question: 07 Question: 08 Question: 09 Question: 10
Answer: b Answer: a Answer: d Answer: c Answer: a