112-57 EC-Council Digital Forensics Essentials (DFE) Questions and Answers

TheSubjectfield is the primary email header element used to communicate thepurpose and urgencyof a message at a glance. Digital forensics training emphasizes that email messages consist ofheaders(routing and descriptive metadata) and abody(content). Among user-visible header fields, the Subject line is specifically intended to summarize what the email is about, helping recipients prioritize and correctly interpret the message without opening it. In the scenario, John routinely receives casual emails from Alice (often with pictures). When Alice sent a project-related email “without specifying the actual purpose,” John treated it like routine mail and overlooked its significance. A clear, descriptive subject such as “Final Year Project Seminar – Attendance Required” would have flagged the message as time-sensitive and different from her usual emails, reducing the chance it would be missed.

The other options do not serve this purpose.Dateis automatically assigned and mainly supports ordering and timeline reconstruction rather than highlighting importance.CcandBcccontrol who receives copies and can affect visibility or secrecy, but they do not summarize intent for the recipient. Therefore, the field best suited to highlight importance isSubject (A).

The Windowsnet view \\<computer>command is used to enumerateshared resources(SMB shares) that a remote Windows system is publishing. When Jessy runsnet view \\10.10.10.11, her goal is to retrieve a list of the target host’s visible shares—such as administrative shares (e.g.,C$,ADMIN$) and any custom shares created for departments, applications, or users. In forensic and incident-response practice, this is important because attackers commonly use SMB shares forlateral movement,staging tools,dropping payloads, andexfiltrating data. By reviewing the shares exposed by a suspected server, the investigator can quickly identify unexpected or overly permissive shares, locate potential repositories of web content or logs, and determine whether a compromised web server is also exposing file resources that expand the attacker’s options.

The other options map to different commands and artifacts: disk space usage is checked with storage utilities (notnet view), open sessions are examined with commands likenet session, and identifying users accessing files typically involvesnet fileor server auditing logs. Therefore, Jessy’s objective was toreview file shareson the remote host.

The listed actions describe theexamination and interpretation of acquired evidence, which aligns withdata analysisin the digital forensics investigation process. After collection and acquisition, examiners analyze evidence by validating what the data contains (file content and usage), interpretingMAC times(creation/modification and related timestamps), attributing actions tousers and accounts(who created, accessed, or modified the file), and determiningwhere the file resides physically/logicallyon storage (path, volume, clusters/blocks, and whether it appears in allocated/unallocated areas). Generating atimelineis a core analytical task used to correlate file events with system activity and other artifacts to reconstruct sequence and intent. Finally, “identify the root cause of the incident” represents the analytical conclusion derived from correlating artifacts and timeline events.

The other choices do not match the described work.Search and seizureis the legal/field activity of locating and securing evidence sources, not interpreting artifacts.Reportingis the documentation phase after analysis, where findings and methods are written up.Case analysisis broader and can include overall strategy and interpretation, but the question’s focus is explicitly on analyzing acquired data and producing forensic conclusions, which isdata analysis.

Forensic readiness planning focuses on ensuring an organization canlegally, efficiently, and reliablycollect usable digital evidence before an incident occurs. The planning sequence typically begins by definingwhat evidence would be neededto support likely incidents (3) and then mappingwhere that evidence residesacross systems, services, logs, endpoints, and network components (4). Once evidence needs and sources are known, readiness requires alegally compliant extraction pathwaythat minimizes business disruption and prevents evidence contamination (8). After defining extraction, an organization must formalizesecure handling and storage policies(chain of custody, access control, retention, integrity protection) so collected evidence remains admissible and trustworthy (7).

With those foundations in place, the organization can define decision criteria forwhen an event becomes a formal investigationand triggers deeper forensic procedures (6). A structureddocumentation processis then set so actions taken during acquisition and analysis are repeatable and defensible (2). Governance is reinforced by establishinglegal oversight/advisory supportto ensure compliance with jurisdictional requirements and internal policy (5). Finally, the plan is operationalized by ensuring anincident response team is preparedto preserve evidence promptly when incidents occur (1). Hence,3→4→8→7→6→2→5→1is the correct sequence.

Promiscuous mode is a network interface configuration in which the NIC passesall observed framesto the operating system, not only frames addressed to that host’s MAC address. In investigations, this matters because promiscuous mode is commonly enabled bypacket sniffers, certain intrusion tools, or misconfigured monitoring software, and it can indicate covert traffic capture on a host.

On UNIX/Linux systems, the traditional command used to view interface flags and status isifconfig <interface name>. When an interface is set to promiscuous mode,ifconfigdisplays aPROMISCflag in the interface’s status line, allowing an investigator to confirm whether the NIC is accepting all frames. This directly matches Kane’s goal of checking if the interface is running in promiscuous mode.

The other commands do not provide this specific interface flag.nmap -sT localhostscans for open TCP ports, not interface modes.ipconfigis a Windows command (and does not take an interface name in that form to show PROMISC status), and it primarily reports IP configuration.netstat -ishows network interface statistics (packets, errors, drops) but typically does not explicitly indicate promiscuous mode. Therefore, the correct command isifconfig (C).

In the UEFI/PI boot architecture, the phase that runsimmediately after power-on or resetis theSEC (Security) phase. Digital forensics references include UEFI phases because firmware-level activity can affect the trustworthiness of the platform (e.g., bootkits, persistence, and measured boot artifacts). The SEC phase is responsible for executing the earliest initialization instructions, handlingplatform reset events, and establishing a minimal, controlled execution environment. Critically, SEC prepares the system so it canlocate, verify, and hand off controlto the next stage—PEI (Pre-EFI Initialization)—by setting up temporary memory and foundational CPU/chipset state required for PEI modules to execute.

The wording in the question precisely matches SEC responsibilities: “initialization code executed after powering on,” “manages platform reset events,” and “sets up the system so it can find, validate, install, and run the PEI.” By contrast,PEIfocuses on discovering and initializing permanent memory and producing the Hand-Off Blocks for DXE;DXEloads drivers and boot services; andBDSselects and launches the boot option. Therefore, the phase described is theSecurity phase (SEC), which corresponds to optionD.

In a standard Tor circuit, a client typically builds a three-hop path:Entry/Guard → Middle → Exit. Tor usesonion routing, where the client wraps the payload in multiple encryption layers—one for each hop. Each relay removes (decrypts) only its own layer to learn thenext hop, but not the complete route or the original payload in the clear. Themiddle relayis specifically positioned toforward traffic between the entry/guard and the exit while it remains onion-encrypted end-to-end within the Tor network. Because it neither connects to the user’s local network (like the entry/guard) nor to the public destination (like the exit), its primary role isencrypted transit/forwarding, helping break the linkage between source and destination. By contrast, theexit relayis where traffic leaves Tor; unless the application layer uses TLS/HTTPS, the exit may deliver data to the destination inunencryptedform on the open Internet. Theentry/guardprotects against certain traffic-correlation risks by being stable, but it is not uniquely “the” encrypted-transfer node. Therefore, the best single answer isMiddle relay (D).

TheSarbanes–Oxley Act (SOX)was enacted by the U.S. Congress in2002in response to major corporate accounting scandals and was specifically designed toprotect investorsby improving the accuracy, reliability, and integrity of corporate disclosures and financial reporting. SOX strengthens governance and accountability by requiring executive management (notably the CEO and CFO) to certify the correctness of financial statements and by mandating stronger internal controls over financial reporting. From a digital forensics and compliance perspective, SOX is closely tied to the need for reliableaudit trails, properrecords retention, and demonstrable control over systems that store or process financial data. Investigators frequently rely on SOX-driven logging, access controls, and change management records to determine who accessed financial systems, what changes were made, and whether those actions align with authorized procedures.

The other options do not match the question’s purpose or jurisdiction: theElectronic Communications Privacy Actaddresses interception and access to electronic communications,GDPRis an EU data protection regulation (not a 2002 U.S. act focused on investor protection), and “Information Privacy Act 2014” is not the 2002 U.S. corporate anti-fraud legislation. Therefore, the correct answer isSarbanes–Oxley Act (SOX) (C).

In Windows forensics, recovering deleted or corrupted files typically requires afile-system aware data recovery toolthat can interpret NTFS/FAT metadata and scan disk structures for lost file records and residual content.R-Studiois designed specifically for data recovery: it can locate and rebuild deleted files by analyzing file system metadata (such as NTFS MFT entries and directory records), recover data from formatted or damaged partitions, and perform raw “signature-based” scans to carve files when metadata is missing. This aligns directly with Kelvin’s need for an automated method to restoredamaged, corrupted, or deletedfiles from a Windows system.

The other options do not match the stated recovery objective.OphcrackandCain & Abelare password recovery/auditing tools used to obtain credentials (e.g., cracking hashes), not to restore deleted files.Rohos Mini Driveis primarily an encryption/secure storage utility for creating encrypted containers, which may protect data but does not function as a forensic recovery tool for deleted or corrupted files. Therefore, among the listed tools,R-Studio (C)is the correct choice for automated recovery of deleted files in a Windows forensic investigation.

On Windows systems, thePrefetchfeature records execution-related artifacts to speed up subsequent program launches. When an executable is run, Windows often creates a.pf prefetch fileinC:\Windows\Prefetchthat contains valuable forensic indicators such as the executable name (mapped into the prefetch filename), last run time(s) (depending on Windows version), run count (in many versions), and a list of files and directories referenced during startup. Because these artifacts can persist even after an application is lateruninstalled or deleted, investigators commonly use the Prefetch directory to demonstrate that a program executed on a host and to help build timelines around suspicious activity. This is especially useful in intrusion investigations for identifying the execution of attacker tools, droppers, scripts launched via interpreters, or renamed binaries.

The other options are not standard repositories for program execution history.C:\Windows\debugmay contain specific debug logs for certain components but is not the canonical execution-tracking folder.C:\Windows\BookandC:\subdirare not standard Windows forensic artifact locations. Therefore, the folder that stores information on applications run on the system isC:\Windows\Prefetch (C).

The activity described—collectingnetwork topologydetails and compiling alist of live hosts—matches the reconnaissance phase commonly referred to asenumeration. In digital forensics and incident response documentation, enumeration is the systematic process of discovering and extracting information about a target environment to support later exploitation. It typically follows (or overlaps with) scanning and includes identifying active IP addresses, reachable systems, open ports/services, device roles, OS fingerprints, domain information, shared resources, user/group details, and routing or segmentation clues that reveal how the network is structured.

This information is then used to plan “further attacks,” such as targeting exposed services, choosing exploit paths, locating high-value systems, and selecting lateral movement routes. From a forensic standpoint, enumeration attempts often leave traces in firewall logs, IDS alerts, and endpoint artifacts (e.g., bursts of connection attempts across many hosts/ports, ICMP echo sweeps, ARP discovery on local segments, and repeated DNS queries).

The other options do not fit:data modificationinvolves altering data integrity;session hijackingtargets active sessions/tokens; andbuffer overflowis an exploitation technique against vulnerable software, not the information-gathering step described. Therefore, the correct answer isEnumeration (B)

In classic hard-disk geometry, total capacity is computed fromCHS parameters(Cylinders × Heads × Sectors per track) multiplied bybytes per sector. Forensic examiners learn this because it helps validate whether an image acquisition size is consistent with the physical disk geometry and to spot anomalies caused by misreported device geometry or capture errors.

First compute total addressable sectors:

16,384 cylinders × 80 heads = 1,310,720 tracks(because each head provides a track per cylinder).

Then multiply by sectors per track:

1,310,720 × 63 = 82,575,360 sectors.

Convert sectors to bytes using the sector size:

82,575,360 sectors × 512 bytes/sector = 42,278,584,320 bytes.

This matches optionAexactly. In practice, modern drives often use LBA and may report different logical geometries, but the forensic principle remains the same: capacity equals the number of logical blocks times the logical block size, and CHS-style values are a structured way to perform that verification.

The requirement is tolist devices connected to a local Windows machine, specifically to identifyexternal storage devicesthat may be attached and potentially used for data theft or malware introduction. In Windows forensic practice, investigators often start by enumerating currently mounted volumes and recently connected removable media so they can correlate device presence with suspicious activity timelines and user actions.DriveLetterViewis a utility designed to display the complete mapping ofdrive letters to storage devices/volumes, includingremovable drives(USB flash drives, external HDDs), optical media, network-mapped drives, and local partitions. It helps quickly identify what storage devices are present and accessible on the system at the time of inspection, which fits the scenario where James captures a list of connected devices and removes suspicious ones.

The other tools do not match this purpose.ESEDatabaseViewis used to inspect Extensible Storage Engine databases, not enumerate attached storage.ProcDumpis used for creating process memory dumps for debugging/forensic analysis of processes, not for listing connected drives.PromiscDetectrelates to detecting network interfaces in promiscuous mode (packet sniffing), not external storage enumeration. Therefore, the correct tool for identifying connected storage devices isDriveLetterView (C).

Microsoft Exchange Server stores mailbox contents (emails, attachments, folders, and related messaging objects) inside anESE (Extensible Storage Engine) databasethat uses the.edbfile format. In Exchange terminology this is theMailbox Database, and its primary persistent store is thedatabase .edb filealong with associated transaction logs that support write-ahead logging and recovery. From a forensic perspective, the.edbfile is the central artifact because it contains the structured mailbox data that investigators analyze for message content, metadata (timestamps, sender/recipient fields, message IDs), and folder structure.

Among the options,Database.edbbest matches the Exchange ESE mailbox database file that stores mail data. The other options are either generic or associated with different Microsoft messaging components:Mail.MSMessageStorerelates to the Windows Mail/Modern Mail app storage model rather than Exchange Server’s mailbox database, andWLCalendarStore.edbis commonly tied to Windows Live/Windows Essentials calendar or communications storage, not Exchange’s server-side mailbox store.DataStore.edbis also used by other Windows services, but the recognized Exchange mailbox store is the.edb database file, makingDatabase.edb (D)the correct answer.

The key detail is that Sarah’simaging softwarecould not acquire the device because the drive wasvery old and incompatiblewith the software-based approach. In such situations, forensic practice recommends switching to an acquisition method that isless dependent on the operating system or specific imaging application compatibility, while still producing a forensic-accurate duplicate.Bit-stream disk-to-diskacquisition (also called forensic cloning) creates asector-by-sectorcopy of the entire source drive directly onto another physical drive. This method is commonly performed using dedicated duplicators or hardware-assisted workflows that can interface with legacy media more reliably than certain disk-to-image software utilities.

Sparse acquisition would intentionally capture only selected portions of a disk (used to reduce time/storage), which does not fit the goal of “succeeded in imaging the data” after a failure due to incompatibility. Logical acquisition captures only active files/folders through the file system and is not the preferred alternative when full forensic imaging is required, especially in criminal cases. Bit-stream disk-to-image-file is still software/container dependent and is essentially what failed initially. Therefore, the most appropriate alternative that explains success with an older incompatible drive isBit-stream disk-to-disk (D).

In the TCP/IP model, theTransport layeris responsible forend-to-end communication between peer entitieson the source and destination systems. “Peer entities” here refers to the corresponding transport components (and the applications that use them) on two different hosts communicating across a network. This layer forms the practical “backbone” of host-to-host data flow because it provides the mechanisms that allow data to be deliveredfrom one endpoint process to another endpoint processreliably or efficiently, depending on the protocol used.

The Transport layer includes protocols such asTCPandUDP. TCP supports connection-oriented communication with sequencing, acknowledgments, retransmissions, and flow control—features that are fundamental when reconstructing sessions during network forensic investigations (e.g., rebuilding a file transfer or a web session). UDP provides connectionless delivery used by many services where speed is preferred over guaranteed delivery, which is also significant in investigations of DNS, streaming, or certain malware communications.

By contrast, theInternet layerfocuses on logical addressing and routing (IP), theNetwork access layerhandles local delivery on the physical/link network, and theApplication layerprovides user-facing protocols. Therefore, the layer enabling peer communication between endpoints is theTransport layer (C).

The scenario describes a targeted social-engineering attack aimed specifically athigh-profile individuals(CEOs, CFOs, politicians, celebrities) and usesemail or website spoofingto deceive them into disclosing sensitive information. In digital forensics and incident response documentation, this is most accurately categorized aswhaling, a specialized form of phishing that focuses on “big targets” (often called “high-value targets” or “VIPs”). Whaling campaigns typically use highly tailored pretexts (e.g., legal subpoenas, board communications, invoice/payment requests, HR or executive directives) and may include spoofed sender domains, look-alike websites, or fraudulent login pages to harvest credentials and confidential corporate data. Because executives often have access to financial systems, strategic documents, and privileged communications, attackers concentrate effort on realism and personalization, making whaling distinct from broad, generic phishing.

By contrast,smishingis phishing conducted via SMS/text messages,spimmingis spam over instant messaging platforms, andidentity fraudis a broader category involving impersonation/misuse of personal data but does not specifically denote the executive-targeted spoofing technique described. Therefore, the attack type in the question isWhaling (A).

The activities described align withcase analysis, which is the structured, high-level evaluation performed at the beginning (and throughout) a digital forensic investigation to define scope, strategy, resources, and expected deliverables. Case analysis focuses on understanding theoverall incident context: how the organization is affected (business/operational impact), what is believed to have happened (incident reasons and likely source), and what must be done to control and investigate it (containment steps and investigative approach). It also includes planning elements such as identifying theinvestigation team composition(roles, skills, authority), definingproceduresto be followed (evidence handling, chain of custody, acquisition priorities, legal/HR requirements), and anticipating thepossible outcomes(reports, remediation actions, disciplinary/legal actions, or prosecution support).

By contrast,traffic analysisis narrowly focused on examining network packets/flows to infer communications and attacker behavior;log analysiscenters on parsing and correlating event records (firewall, server, endpoint logs); anddata analysistypically refers to examining acquired artifacts (files, memory images, timelines) for evidentiary content. Because Clark is assessing impact, cause/source, response steps, staffing, procedures, and outcomes—an overall investigative planning and evaluation function—the correct choice isCase analysis (B).

The scenario describes the investigator collectingvolatileartifacts—specifically information inRAM, activeDLLs, system and network state, and transient data held incacheand similar runtime locations—through the device’s normal interface while the system is running. In digital forensics documentation, this is the defining characteristic oflive acquisition(also called live response). Live acquisition is performed when the system remains powered on so that investigators can capture evidence that would be lost on shutdown, such as running processes, open network connections, logged-on sessions, loaded modules/DLLs, encryption keys, and portions of registry data that exist in memory or are actively changing.

By contrast,static acquisitionanddead acquisitionare conducted when the system is powered off (or the evidence drive is imaged outside the running OS), focusing primarily on persistent storage such as disk sectors and file system structures.Non-volatile data acquisitionrefers to collecting persistent data stored on media (e.g., files on disk), which does not match the emphasis on RAM and other volatile components in the question. Because the investigator is explicitly collecting volatile data from a running system via its normal interface, the correct method isLive acquisition (B).