Free ECCouncil 112-57 Practice Exam with Questions & Answers

HKEY_CLASSES_ROOT (HKCR)is the Windows Registry location that storesfile-association and COM registration data, including mappings forfile extensions(e.g.,.docx) toProgIDs, and COM object identifiers such asCLSIDand interface-related identifiers likeIID. In forensic examinations, HKCR is frequently consulted to determine which application is registered to open a specific file type, to identify COM objects that may enable persistence or abuse (e.g., through COM hijacking), and to correlate suspicious registry-based execution mechanisms with installed software.

HKCR is often described asvolatile in naturebecause it is not a single standalone hive file stored independently in the same way as SAM or SYSTEM; instead, it is amerged, runtime viewcreated by the OS primarily fromHKLM\Software\Classes(machine-wide registrations) andHKCU\Software\Classes(per-user overrides). This means what you see under HKCR can vary depending on the current user context and system state, and the effective associations/registrations may change when software is installed, updated, or when per-user settings override machine defaults.

The other options represent different scopes: HKLM is system configuration, HKCU is user profile configuration, and HKCC reflects the current hardware profile—not the primary COM/file association repository.

The statement in the question matchesSWGDE Principle 1, Standards and Criteria 1.7, which explicitly requires thatany action that could alter, damage, or destroy original digital evidence must be performed by qualified personnel in a forensically sound manner. In digital forensics doctrine, this requirement exists because digital evidence is highly fragile: routine interactions (booting a system, opening a file, connecting storage, running commands) can change timestamps, overwrite unallocated space, modify logs, or trigger encryption/key rotation. SWGDE’s emphasis on “qualified persons” and “forensically sound manner” aligns with core evidentiary expectations: minimizing changes to original media, using controlled and repeatable methods (e.g., write-blocking, validated imaging, documented procedures), and ensuring actions are defensible under scrutiny.

Options 1.1, 1.3, and 1.5 relate to broader quality and procedural requirements (quality systems, SOP review, appropriate tools), but they do not contain the specific mandate about potentially altering original evidence. The exact phrasing about alteration/damage/destruction and qualified handling is associated withStandards and Criteria 1.7, makingBthe correct choice.

The key detail is that Sarah’simaging softwarecould not acquire the device because the drive wasvery old and incompatiblewith the software-based approach. In such situations, forensic practice recommends switching to an acquisition method that isless dependent on the operating system or specific imaging application compatibility, while still producing a forensic-accurate duplicate.Bit-stream disk-to-diskacquisition (also called forensic cloning) creates asector-by-sectorcopy of the entire source drive directly onto another physical drive. This method is commonly performed using dedicated duplicators or hardware-assisted workflows that can interface with legacy media more reliably than certain disk-to-image software utilities.

Sparse acquisition would intentionally capture only selected portions of a disk (used to reduce time/storage), which does not fit the goal of “succeeded in imaging the data” after a failure due to incompatibility. Logical acquisition captures only active files/folders through the file system and is not the preferred alternative when full forensic imaging is required, especially in criminal cases. Bit-stream disk-to-image-file is still software/container dependent and is essentially what failed initially. Therefore, the most appropriate alternative that explains success with an older incompatible drive isBit-stream disk-to-disk (D).

The scenario describes an email-retrieval configuration in which messages aredownloaded to a client deviceandnot retained on the server. This behavior aligns withPOP3 (Post Office Protocol v3), a legacy but widely referenced mail access protocol that retrieves email from a server mailbox to a local client. In standard POP3 operation, the client authenticates to the mail server, issues retrieval commands (e.g., to list and download messages), and may then issue a delete command so that downloaded messages are removed from the server mailbox. Digital forensics references commonly contrast POP3 with IMAP:IMAP is designed for server-side mailbox synchronization and typically leaves mail stored on the server, whereas POP3 is oriented towardclient-side storageand supports workflows where server copies are not preserved after download. The other options are unrelated to email retrieval:SHA-1is a cryptographic hash function used for integrity checks,ICMPsupports network diagnostics and control messaging, andSNMPis used for network device management and monitoring. From an investigative standpoint, POP3 usage can reduce server-resident evidence and shift evidentiary value tolocal artifacts(mail client databases, cache, OS traces, backups), which is consistent with the intent described in the question.

In Windows forensics, recovering deleted or corrupted files typically requires afile-system aware data recovery toolthat can interpret NTFS/FAT metadata and scan disk structures for lost file records and residual content.R-Studiois designed specifically for data recovery: it can locate and rebuild deleted files by analyzing file system metadata (such as NTFS MFT entries and directory records), recover data from formatted or damaged partitions, and perform raw “signature-based” scans to carve files when metadata is missing. This aligns directly with Kelvin’s need for an automated method to restoredamaged, corrupted, or deletedfiles from a Windows system.

The other options do not match the stated recovery objective.OphcrackandCain & Abelare password recovery/auditing tools used to obtain credentials (e.g., cracking hashes), not to restore deleted files.Rohos Mini Driveis primarily an encryption/secure storage utility for creating encrypted containers, which may protect data but does not function as a forensic recovery tool for deleted or corrupted files. Therefore, among the listed tools,R-Studio (C)is the correct choice for automated recovery of deleted files in a Windows forensic investigation.

In memory forensics, “hidden or injected” malicious code typically refers toprocess injection,code caves,unbacked executable mappings, or regions of memory that aremarked executablebut do not align with normal, file-backed program segments. The Volatility Framework provides specialized plugins to locate these suspicious patterns.linux_malfindis the plugin designed to detectpotentially injected codeby scanning a process’s memory mappings for characteristics that commonly indicate malicious presence—such asexecutable anonymous mappings, unusual permissions (e.g., RWX), and memory regions that contain shellcode-like byte patterns. This is highly relevant when malware attempts to avoid disk artifacts by living in memory or by injecting payloads into legitimate processes.

By contrast,linux_netstatis used to enumerate network connections and sockets from memory (useful for C2 analysis), but it does not focus on injected code regions.ip addr showandnmap -sU localhostare live-system networking commands, not Volatility plugins, and they are not suitable for analyzing a captured RAM image. Therefore, to detect hidden/injected malicious code in a Linux RAM dump using Volatility, the correct plugin islinux_malfind (A).

In Windows forensics and incident response, investigators often need to linknetwork activity(remote IPs, ports, connection states) to theresponsible processto determine whether traffic is legitimate or associated with malware, unauthorized tools, or data exfiltration. The Windowsnetstatutility can enumerate current TCP connections and listening ports, but the key flag that enables attribution to a running program is-o. The-oparameter instructs netstat to include theOwning Process ID (PID)with each connection or listening socket. Once the PID is known, examiners can correlate it with process listings (e.g., Task Manager,tasklist, memory forensics output) to identify the executable name, path, user context, and parent process—critical steps in reconstructing attacker behavior and persistence.

The other options do not provide PID mapping:-nshows addresses and ports in numeric form (useful for speed and to avoid DNS lookups),-adisplays all connections and listening ports but without PID attribution by itself, and-sshows protocol statistics rather than per-connection ownership. Therefore, the parameter that shows active connectionsandincludes the PID for each is[-o](Option C).

TheSubjectfield is the primary email header element used to communicate thepurpose and urgencyof a message at a glance. Digital forensics training emphasizes that email messages consist ofheaders(routing and descriptive metadata) and abody(content). Among user-visible header fields, the Subject line is specifically intended to summarize what the email is about, helping recipients prioritize and correctly interpret the message without opening it. In the scenario, John routinely receives casual emails from Alice (often with pictures). When Alice sent a project-related email “without specifying the actual purpose,” John treated it like routine mail and overlooked its significance. A clear, descriptive subject such as “Final Year Project Seminar – Attendance Required” would have flagged the message as time-sensitive and different from her usual emails, reducing the chance it would be missed.

The other options do not serve this purpose.Dateis automatically assigned and mainly supports ordering and timeline reconstruction rather than highlighting importance.CcandBcccontrol who receives copies and can affect visibility or secrecy, but they do not summarize intent for the recipient. Therefore, the field best suited to highlight importance isSubject (A).

In macOS, each user account is assigned aHome Directorythat serves as the primary container for that user’s data and profile-specific configuration. This directory typically resides under/Users//and includes standard subfolders such asDesktop,Documents,Downloads,Pictures,Movies,Music, and crucially the user’sLibraryfolder (~/Library). From a digital forensics standpoint, the Home Directory is one of the most important evidence locations because it holds user-generated content and a large volume of user activity artifacts: application preferences and settings (plist files), browser data, caches, saved state, key application databases, recent items, and other per-user traces. Although some applications are installed system-wide under/Applications, macOS also supports per-user application storage and extensive per-user data under the Home Directory’s Library structure.

The other options are not user-data containers.Spotlightis a search/indexing service (it creates indexes, not a user’s complete data store).Time Machineis a backup mechanism that stores versioned backups rather than the live per-user working directory.Finderis the graphical file manager, not a storage folder. Therefore, the folder that stores files and user-specific libraries for a particular user is theHome Directory (D).

The scenario describes a web application thatunintentionally reveals sensitive member biodatato attackers. This is a classic case ofinformation leakage, where confidential or private data becomes exposed due to poor access control, improper output handling, verbose error messages, misconfigured endpoints, insecure direct object references, or unintended exposure through pages, APIs, backups, or logs. In forensic and web security documentation, information leakage is defined by theunauthorized disclosure of data, even if the attacker does not alter the system. The key indicator here is that the application is “revealing” biodata—meaning confidentiality is breached.

Bob’s response—using acontent filtering mechanism—also aligns with mitigating data exposure. Content filtering can prevent sensitive fields from being returned, mask personally identifiable information, restrict responses based on user role, and sanitize outputs before they leave the server.

The other options do not match the described impact.Buffer overflowis a low-level memory corruption vulnerability, typically associated with native code execution rather than accidental biodata exposure.Authentication hijackinginvolves taking over sessions/credentials, andcookie poisoninginvolves manipulating cookie values to gain privileges or alter behavior—neither is explicitly indicated. Therefore, the identified threat isInformation leakage (B).