Free ECCouncil 112-57 Practice Exam with Questions & Answers | Set: 2

TheSarbanes–Oxley Act (SOX)was enacted by the U.S. Congress in2002in response to major corporate accounting scandals and was specifically designed toprotect investorsby improving the accuracy, reliability, and integrity of corporate disclosures and financial reporting. SOX strengthens governance and accountability by requiring executive management (notably the CEO and CFO) to certify the correctness of financial statements and by mandating stronger internal controls over financial reporting. From a digital forensics and compliance perspective, SOX is closely tied to the need for reliableaudit trails, properrecords retention, and demonstrable control over systems that store or process financial data. Investigators frequently rely on SOX-driven logging, access controls, and change management records to determine who accessed financial systems, what changes were made, and whether those actions align with authorized procedures.

The other options do not match the question’s purpose or jurisdiction: theElectronic Communications Privacy Actaddresses interception and access to electronic communications,GDPRis an EU data protection regulation (not a 2002 U.S. act focused on investor protection), and “Information Privacy Act 2014” is not the 2002 U.S. corporate anti-fraud legislation. Therefore, the correct answer isSarbanes–Oxley Act (SOX) (C).

In Microsoft IIS (W3C Extended) logging, each request line records multiple standardized fields that help investigators reconstruct what was accessed, by whom, and with what outcome. Among these fields, the most direct indicator of whether the server successfully handled the request is theHTTP status codecaptured in thesc-statusfield. A status code of200means“OK”, indicating the server located the requested resource (here,/images/content/bg_body1.jpg) and returned it successfully to the client without application-level failure.

Other numbers in the entry represent different attributes:80is the server port used for the HTTP request,192values appear as part of IP addressing (client/server addresses), and537is embedded in the user-agent string (AppleWebKit build number), not a success indicator. IIS often logs additional substatus and Win32 status values (e.g.,sc-substatusandsc-win32-status) to refine the outcome; in the shown line, those follow the 200 as “200 0 0 …”, reinforcing that no substatus error or OS-level error occurred. Therefore,200is the element confirming the request was fulfilled without error.

On macOS, theBasic Security Module (BSM)provides the system’saudit framework, which records security-relevant activity such asfile access, process execution, authentication events, privilege changes, and other system calls. A key forensic characteristic of BSM auditing is that events are written asbinary audit records composed of “tokens.”Each token represents a structured piece of the event (for example: subject/user identity, process ID, command arguments, path, return value, timestamps), and tokens are assembled into complete audit records. Because these audit logs arebinary and tokenized, they are compact, consistent, and designed for reliable parsing and evidentiary reconstruction—important when building timelines of file-related actions and attributing them to specific users and processes.

The other options do not match the “binary token” description.Command-line inputsmay be stored in shell history files but are plain text and not tokenized binary audit records.User accountartifacts (e.g., directory services, plist files) describe identities and settings, not tokenized event logs.Kexts(kernel extensions) are drivers/modules; while they can affect system behavior, they are not the macOS component that stores file/event records in a binary token format. Therefore, the correct answer isBasic Security Module (C).

The protocols listed—Frame Relay, SMDS, Fast Ethernet, SLIP, PPP, FDDI, ATM, Ethernet, and ARP—belong to the portion of the TCP/IP model responsible forlocal network deliveryand direct interaction with the physical media and link-layer addressing. In TCP/IP terminology, this is theNetwork Access layer(also called the Link layer or Network Interface layer). It combines functions that map closely to the OSIData LinkandPhysicallayers.

This layer is essential for delivering frames within the same network segment because it governs how devices access the medium (e.g., Ethernet), how frames are formatted and transmitted, and how hardware addressing works.ARP (Address Resolution Protocol)is especially important here: it resolvesIP addresses to MAC addressesso that an IP packet can be encapsulated into a link-layer frame and delivered to the correct local host or next-hop gateway. Technologies like PPP/SLIP support point-to-point links, while Frame Relay/ATM represent WAN/link technologies, all of which still sit under IP and provide the mechanisms for moving data across the immediate network path.

TheInternet layerhandles IP routing between networks, theTransport layerprovides end-to-end host communications (TCP/UDP), and theApplication layerprovides user protocols. Therefore, the correct layer isNetwork access layer (A).

In an email crime investigation, the workflow should begin withseizing the computer and email accounts (5)to preserve evidence and prevent alteration, deletion, or continued misuse. This includes securing endpoints and ensuring account access is maintained under proper authority. Next, investigators proceed withacquiring the email data (1)using forensic methods (logical export, mailbox acquisition, or forensic imaging of local mail stores) to maintain integrity and chain of custody.

Once the data is preserved, investigatorsexamine email messages (3)to identify relevant communications, context, attachments, and indicators of fraud, harassment, data leakage, or impersonation. After identifying emails of interest, investigatorsretrieve email headers (6)(full headers, not just what the mail client displays) because headers contain routing metadata required for attribution and timeline reconstruction. They thenanalyze email headers (2)to interpret fields such as Received lines, Message-ID, originating IP clues (where applicable), sending infrastructure, and authentication results, which helps determine spoofing, relay paths, and sender legitimacy. Finally, theyrecover deleted email messages (4)from mail stores, server-side retention, or unallocated space to restore missing evidence. This sequence matches optionA.

File fingerprintingis the forensic technique of generating acryptographic hash(such as MD5, SHA-1, SHA-256) for a file to create aunique, repeatable identifierfor that exact byte sequence. In malware forensics, analysts compute hashes to (1)uniquely identifya suspicious binary across cases and tools, (2) confirm whether two samples are identical or different variants, and (3)verify integrity over time—for example, ensuring the sample did not change during copying, extraction, sandbox handling, or during an analysis workflow that might inadvertently modify the file (e.g., patching, unpacking outputs, or tool-side normalization). Re-hashing at different stages provides a defensible way to demonstrate that the analyzed artifact is the same as the acquired artifact, supporting evidentiary integrity and chain-of-custody principles commonly emphasized in digital forensics documentation.

The other techniques do not primarily serve this purpose.Strings searchextracts readable text fragments but does not produce a unique integrity identifier.Local and online malware scanninguses signatures/reputation and may identify families, but it is not an integrity verification mechanism for the exact file bytes.Malware disassemblyhelps understand logic and instructions, not compute an identity hash. Therefore, the correct answer isFile fingerprinting (A).

The activity described—collectingnetwork topologydetails and compiling alist of live hosts—matches the reconnaissance phase commonly referred to asenumeration. In digital forensics and incident response documentation, enumeration is the systematic process of discovering and extracting information about a target environment to support later exploitation. It typically follows (or overlaps with) scanning and includes identifying active IP addresses, reachable systems, open ports/services, device roles, OS fingerprints, domain information, shared resources, user/group details, and routing or segmentation clues that reveal how the network is structured.

This information is then used to plan “further attacks,” such as targeting exposed services, choosing exploit paths, locating high-value systems, and selecting lateral movement routes. From a forensic standpoint, enumeration attempts often leave traces in firewall logs, IDS alerts, and endpoint artifacts (e.g., bursts of connection attempts across many hosts/ports, ICMP echo sweeps, ARP discovery on local segments, and repeated DNS queries).

The other options do not fit:data modificationinvolves altering data integrity;session hijackingtargets active sessions/tokens; andbuffer overflowis an exploitation technique against vulnerable software, not the information-gathering step described. Therefore, the correct answer isEnumeration (B)

On Linux, a key step in a forensic triage or security audit is mappingopen/listening portsto theowning processso investigators can identify suspicious services (backdoors, unauthorized daemons, rogue remote-access tools) and correlate them with binaries, users, startup mechanisms, and timestamps. The commandnetstat -tulpnis designed for exactly this purpose. In this switch set:-tlimits output to TCP sockets,-uincludes UDP sockets,-lshows only listening sockets (open ports awaiting connections),-pdisplays the owningprocess name and PID, and-nprevents name resolution by showing numeric IP addresses and ports (faster and avoids altering evidence via DNS queries). This combination yields a concise list of active listening ports and the processes bound to them, which is highly valuable for detecting unexpected services and attributing network exposure to a specific executable.

The other options do not provide process-to-port attribution:netstat -ishows interface statistics,ip rshows the routing table, andnetstat -rndisplays the routing table in numeric form. Therefore, the correct command isnetstat -tulpn(D).

The activities described align withcase analysis, which is the structured, high-level evaluation performed at the beginning (and throughout) a digital forensic investigation to define scope, strategy, resources, and expected deliverables. Case analysis focuses on understanding theoverall incident context: how the organization is affected (business/operational impact), what is believed to have happened (incident reasons and likely source), and what must be done to control and investigate it (containment steps and investigative approach). It also includes planning elements such as identifying theinvestigation team composition(roles, skills, authority), definingproceduresto be followed (evidence handling, chain of custody, acquisition priorities, legal/HR requirements), and anticipating thepossible outcomes(reports, remediation actions, disciplinary/legal actions, or prosecution support).

By contrast,traffic analysisis narrowly focused on examining network packets/flows to infer communications and attacker behavior;log analysiscenters on parsing and correlating event records (firewall, server, endpoint logs); anddata analysistypically refers to examining acquired artifacts (files, memory images, timelines) for evidentiary content. Because Clark is assessing impact, cause/source, response steps, staffing, procedures, and outcomes—an overall investigative planning and evaluation function—the correct choice isCase analysis (B).

Jennifer’s actions match the responsibilities of anincident responder, whose job spans immediatecontainment, preservation, and stabilizationactivities during an active or recently active security incident. In standard digital forensics and incident response (DFIR) procedures, responders first take steps topreserve evidence(e.g., documenting the scene, capturing volatile data when appropriate, and collecting relevant system artifacts) and then executecontainment measuresto prevent further harm. Disconnecting a compromised host from the network is a classic containment control used to stop malware propagation, block command-and-control communications, and prevent lateral movement to other systems.

Anincident analyzertypically focuses on deeper technical analysis—timeline reconstruction, root cause determination, and correlating artifacts across hosts and logs—rather than performing immediate containment. Anevidence manageris primarily responsible for maintaining evidence integrity, chain of custody, storage, labeling, and access control, not operational containment. Anexpert witnessprovides formal testimony and interpretation in legal or disciplinary proceedings and is not usually involved in live containment actions. Since Jennifer bothgathered evidenceand thenisolated the system to stop spread, the role most consistent with documented DFIR responsibilities isIncident responder (A).