[2026] 112-57 Answers 112-57 Free Demo Are Based On The Real Exam 112-57 [May-2026 Newly Released] Exam Questions For You To Pass NEW QUESTION # 17 Which of the following MAC forensic data components saves file information and related events using a token with a binary structure? A. Basic Security Module B. Kexts C. Command-line inputs D. User account Answer: A Explanation:On macOS, theBasic Security [...]

[2026] 112-57 Answers 112-57 Free Demo Are Based On The Real Exam [Q17-Q39]

Share

[2026] 112-57 Answers 112-57 Free Demo Are Based On The Real Exam

112-57 [May-2026 Newly Released] Exam Questions For You To Pass

NEW QUESTION # 17
Which of the following MAC forensic data components saves file information and related events using a token with a binary structure?

  • A. Basic Security Module
  • B. Kexts
  • C. Command-line inputs
  • D. User account

Answer: A

Explanation:
On macOS, theBasic Security Module (BSM)provides the system'saudit framework, which records security- relevant activity such asfile access, process execution, authentication events, privilege changes, and other system calls. A key forensic characteristic of BSM auditing is that events are written asbinary audit records composed of "tokens."Each token represents a structured piece of the event (for example: subject/user identity, process ID, command arguments, path, return value, timestamps), and tokens are assembled into complete audit records. Because these audit logs arebinary and tokenized, they are compact, consistent, and designed for reliable parsing and evidentiary reconstruction-important when building timelines of file- related actions and attributing them to specific users and processes.
The other options do not match the "binary token" description.Command-line inputsmay be stored in shell history files but are plain text and not tokenized binary audit records.User accountartifacts (e.g., directory services, plist files) describe identities and settings, not tokenized event logs.Kexts(kernel extensions) are drivers/modules; while they can affect system behavior, they are not the macOS component that stores file
/event records in a binary token format. Therefore, the correct answer isBasic Security Module (C).


NEW QUESTION # 18
Which of the following standards and criteria version of SWGDE mandates that any action with the potential to alter, damage, or destroy any aspect of original evidence must be performed by qualified persons in a forensically sound manner?

  • A. Standards and Criteria 1.5
  • B. Standards and Criteria 1.3
  • C. Standards and Criteria 1.1
  • D. Standards and Criteria 1.7

Answer: D

Explanation:
The statement in the question matchesSWGDE Principle 1, Standards and Criteria 1.7, which explicitly requires thatany action that could alter, damage, or destroy original digital evidence must be performed by qualified personnel in a forensically sound manner. In digital forensics doctrine, this requirement exists because digital evidence is highly fragile: routine interactions (booting a system, opening a file, connecting storage, running commands) can change timestamps, overwrite unallocated space, modify logs, or trigger encryption/key rotation. SWGDE's emphasis on "qualified persons" and "forensically sound manner" aligns with core evidentiary expectations: minimizing changes to original media, using controlled and repeatable methods (e.g., write-blocking, validated imaging, documented procedures), and ensuring actions are defensible under scrutiny.
Options 1.1, 1.3, and 1.5 relate to broader quality and procedural requirements (quality systems, SOP review, appropriate tools), but they do not contain the specific mandate about potentially altering original evidence.
The exact phrasing about alteration/damage/destruction and qualified handling is associated withStandards and Criteria 1.7, makingBthe correct choice.


NEW QUESTION # 19
Jack, a forensic investigator, was appointed to investigate a Windows-based security incident. In this process, he employed an Autopsy tool to recover the deleted files from unallocated space, which helps in gathering potential evidence.
Which of the following functions of Autopsy helped Jack recover the deleted files?

  • A. Data carving
  • B. Multimedia
  • C. Timeline analysis
  • D. Web artifacts

Answer: A

Explanation:
When a file is deleted on common file systems, the operating system typically removes the directory reference and marks the previously used clusters/blocks asunallocated, but the underlying file content may remain on disk until it is overwritten. Digital forensics procedures emphasize that recovering such deleted content often requires examining unallocated space rather than relying only on file system metadata.Autopsy's "Data Carving"function is specifically intended for this purpose: it scans unallocated space (and sometimes slack space) forfile signatures(headers/footers and internal structure patterns) and reconstructs recoverable files even when the original filename, path, or metadata is missing.
This directly matches the scenario: Jack recovered deleted files fromunallocated space, which is the classic use case for carving. The other options in Autopsy support different investigative goals.Timeline analysiscorrelates timestamps from multiple artifacts to reconstruct sequences of activity, but it does not itself reconstruct deleted file content from raw disk areas.Web artifactsfocuses on browser history, downloads, cookies, and related traces.Multimediahelps categorize and analyze media files (e.g., images/videos), but it is not the primary mechanism for recovering deleted data from unallocated space. Therefore, the Autopsy function that enabled the recovery described isData carving (D)


NEW QUESTION # 20
Sarah, a forensic investigator, is working on a criminal case. She was provided with all the suspect devices.
Sarah employs an imaging software tool for duplicating the original data from the suspect devices. However, the tool she employed failed to image the data as the suspect version of the drive was very old and incompatible with imaging software. Hence, Sarah used an alternative data acquisition technique and succeeded in imaging the data.
Which of the following types of data acquisition techniques did Sarah employ in the above scenario?

  • A. Sparse acquisition
  • B. Bit-stream disk-to-disk
  • C. Logical acquisition
  • D. Bit-stream disk-to-image-file

Answer: B

Explanation:
The key detail is that Sarah'simaging softwarecould not acquire the device because the drive wasvery old and incompatiblewith the software-based approach. In such situations, forensic practice recommends switching to an acquisition method that isless dependent on the operating system or specific imaging application compatibility, while still producing a forensic-accurate duplicate.Bit-stream disk-to-diskacquisition (also called forensic cloning) creates asector-by-sectorcopy of the entire source drive directly onto another physical drive. This method is commonly performed using dedicated duplicators or hardware-assisted workflows that can interface with legacy media more reliably than certain disk-to-image software utilities.
Sparse acquisition would intentionally capture only selected portions of a disk (used to reduce time/storage), which does not fit the goal of "succeeded in imaging the data" after a failure due to incompatibility. Logical acquisition captures only active files/folders through the file system and is not the preferred alternative when full forensic imaging is required, especially in criminal cases. Bit-stream disk-to-image-file is still software
/container dependent and is essentially what failed initially. Therefore, the most appropriate alternative that explains success with an older incompatible drive isBit-stream disk-to-disk (D).


NEW QUESTION # 21
Clark, a security professional, identified that one of the systems in the organization is infected with malware and was used for creating a backdoor. Clark employed an automated tool to analyze the system's memory and detect malicious activities performed on the system.
In the above scenario, which of the following tools did Clark employ to detect malicious activities performed on the system?

  • A. Shodan
  • B. Medusa
  • C. Redline
  • D. Wireshark

Answer: C

Explanation:
The question specifies anautomated tool to analyze the system's memoryand detect malicious activity associated with amalware backdoor. In malware forensics and incident response practice, memory analysis is used to identify artifacts that may not be reliably visible on disk, such as injected code, hidden processes, suspicious DLLs/modules, live network connections, persistence objects loaded in memory, and indicators of compromise tied to backdoors.Redline(commonly referenced in DFIR training) is purpose-built forhost investigation and memory analysis. It can collect and analyze volatile data, including running processes, loaded modules, handles, drivers, network sessions, and other runtime indicators that help investigators spot malicious behavior and attribute it to specific executables or injected components.
The other options do not align with memory forensics.Medusais primarily a credential brute-force/login auditing tool, not a memory analysis utility.Shodanis an Internet-wide device search engine used for external reconnaissance, not for local host RAM inspection.Wiresharkis a packet capture and protocol analysis tool focused on network traffic, not automated memory artifact collection and analysis. Therefore, the tool Clark used to analyze memory and detect malicious activity isRedline (B).


NEW QUESTION # 22
Cheryl, a forensic expert, was recruited to investigate a malicious activity performed by an anonymous hackers' group on an organization's systems. Using an automated tool, Cheryl was able to extract the malware file and analyze the assembly code instructions, which helped him understand the malware's purpose.
Which of the following tools helped Cheryl extract and analyze the assembly code of the malware?

  • A. Virtual Box
  • B. OllyDbg
  • C. VMware vSphere
  • D. QualNet

Answer: B

Explanation:
To understand a malware sample's purpose at the instruction level, investigators usereverse-engineering toolsthat candisassemblecompiled binaries intoassembly codeand often allowinteractive debuggingto observe runtime behavior (API calls, unpacking routines, decryption loops, process injection, and control-flow decisions).OllyDbgis a classic Windows user-mode debugger widely referenced in malware analysis workflows because it provides an integrated view ofdisassembly, CPU registers, memory, breakpoints, and execution tracing. This makes it suitable for extracting behavioral insight from the actual assembly instructions, especially when malware uses obfuscation or packers that require stepping through execution to reach the real payload.
The other options do not primarily perform assembly-level analysis.VirtualBoxandVMware vSphereare virtualization platforms; they help safely run malware in isolated environments, but they are not disassemblers
/debuggers for examining assembly instructions.QualNetis a network simulation tool used for modeling network behavior, not binary reverse engineering. Because the question specifically emphasizesanalyzing assembly code instructionsto understand malware purpose, the correct tool among the choices isOllyDbg (C).


NEW QUESTION # 23
Benoy, a security professional at an organization, extracted Apache access log entries to view critical information about all the operations performed on a web server. The Apache access log extracted by Benoy is given below:
"10.10.10.10 - Jason [17/Aug/2019:00:12:34 +0300] "GET /images/content/bg_body_1.jpg HTTP/1.0" 500
1458"
Identify the HTTP status code in the Apache access log entry above that indicates the response was successful.

  • A. 0
  • B. 1.0
  • C. 1
  • D. +0300

Answer: C

Explanation:
In the Apache Combined/Custom access log format, the value immediately after the quoted request (here," GET ... HTTP/1.0") is theHTTP status codereturned by the server. In the provided entry, that field is500.
From a forensic analysis standpoint, recognizing field positions matters because investigators correlate client IPs, timestamps, requested resources, and server outcomes to reconstruct attack timelines and identify failed exploitation attempts or misconfigurations.
It is important to note thatsuccessful HTTP responses are typically in the 2xx range, most commonly200 (OK), while3xxindicates redirects,4xxindicates client-side errors (such as 404 Not Found), and5xxindicates server-side failures. Specifically,500represents anInternal Server Error, meaning the server encountered an unexpected condition and could not fulfill the request successfully.
The other options are not HTTP status codes in this entry:+0300is the timezone offset in the timestamp,1.0is the HTTP protocol version, and2019is part of the date. Therefore, the only HTTP status code present-and the correct choice among the options-is500 (B), even though it reflects an error rather than success.


NEW QUESTION # 24
Which of the following measures is defined as the time to move read or write disc heads from one point to another on the disk?

  • A. Delay time
  • B. Mean time
  • C. Access time
  • D. Seek time

Answer: D

Explanation:
Seek timeis the specific performance measure that describes how long a hard disk drive's actuator takes tomove the read/write heads across the plattersfrom the current track (cylinder) to the target track where the requested data resides. In traditional magnetic HDDs, the heads must be physically repositioned before any sector can be read or written, making seek time a core component of mechanical latency.
Digital forensics materials emphasize understanding this distinction because HDD mechanical behavior affectsacquisition duration, the feasibility of repeated scans, and why imaging or carving operations can take longer on fragmented media. It also helps explain why solid-state drives (SSDs), which have no moving heads, do not have seek time in the same sense and therefore behave differently during large-scale reads.
The other choices are broader or unrelated:access timetypically refers to thetotal time to retrieve data, commonly combiningseek time + rotational latency + transfer time.Delay timeis not the standard term for head movement in disk performance definitions.Mean timeis incomplete as written and is usually part of reliability metrics like mean time between failures, not head positioning. Therefore, the correct measure for head movement time isSeek time (C).


NEW QUESTION # 25
Which of the following acts was passed by the U.S. Congress in 2002 to protect investors from the possibility of fraudulent accounting activities by corporations?

  • A. General Data Protection Regulation (GDPR)
  • B. The Electronic Communications Privacy Act
  • C. Sarbanes-Oxley Act (SOX)
  • D. Information Privacy Act 2014

Answer: C

Explanation:
TheSarbanes-Oxley Act (SOX)was enacted by the U.S. Congress in2002in response to major corporate accounting scandals and was specifically designed toprotect investorsby improving the accuracy, reliability, and integrity of corporate disclosures and financial reporting. SOX strengthens governance and accountability by requiring executive management (notably the CEO and CFO) to certify the correctness of financial statements and by mandating stronger internal controls over financial reporting. From a digital forensics and compliance perspective, SOX is closely tied to the need for reliableaudit trails, properrecords retention, and demonstrable control over systems that store or process financial data. Investigators frequently rely on SOX- driven logging, access controls, and change management records to determine who accessed financial systems, what changes were made, and whether those actions align with authorized procedures.
The other options do not match the question's purpose or jurisdiction: theElectronic Communications Privacy Actaddresses interception and access to electronic communications,GDPRis an EU data protection regulation (not a 2002 U.S. act focused on investor protection), and "Information Privacy Act 2014" is not the 2002 U.S.
corporate anti-fraud legislation. Therefore, the correct answer isSarbanes-Oxley Act (SOX) (C).


NEW QUESTION # 26
Given below is a regex signature used by security professionals for detecting an XSS attack:
/((%3C)|<)[^\n]+((%3E)|>)/i
Which of the following types of XSS attack does the above regex expression detect?

  • A. Simple XSS attack
  • B. CSS attack
  • C. HTML tags-based XSS attempt
  • D. In-line comment XSS attack

Answer: C

Explanation:
The regex/((%3C)|<)[^\n]+((%3E)|>)/iis designed to detectHTML tag injection patterns, which are a common indicator of XSS payloads. It matches either a literal"<"character or its URL-encoded form"%3C"(case- insensitive due to theiflag), followed by one or more characters that are not a newline ([^\n]+), and then either a literal">"or its encoded form"%3E". This pattern essentially looks foranything that resembles an HTML tag, such as<script>,<img ...>,<svg ...>, or other element constructs that attackers frequently use to execute JavaScript via attributes likeonerror,onload, etc.
In web-attack investigations, this kind of signature is used during log review and input validation checks to flag requests containing tag delimiters, because many reflected/stored XSS attempts rely on injecting markup into an HTML context. It does not specifically target CSS-only payloads, nor inline comments, and "simple XSS" is too vague; the expression is explicitly focused onangle-bracket (or encoded) tag structures, which correspond most directly toHTML tags-based XSS attempts.


NEW QUESTION # 27
Michael, a forensic expert, was assigned to investigate an incident that involved unauthorized intrusion attempts. In this process, Michael identified all the open ports on a system and disabled them because these open ports can allow attackers to install malicious services and compromise the security of the system or network.
Which of the following commands assisted Michael in identifying open ports in the above scenario?

  • A. ifconfig <interface> -promisc
  • B. netstat -rn
  • C. netstat -i
  • D. nmap -sT localhost

Answer: D

Explanation:
To identifyopen ports, investigators need a method that actively checks which TCP/UDP ports on a host are accepting connections. The commandnmap -sT localhostperforms aTCP Connect scanagainst the local system. In a connect scan, Nmap uses the operating system's normal networking API to attempt a full TCP three-way handshake to each targeted port. If the handshake completes, the port is reported asopen; if it is refused, it isclosed; and if filtered by firewall rules, it may appearfiltered. This directly supports Michael's objective of enumerating open ports so they can be reviewed and disabled to reduce the attack surface and prevent malicious services from being installed.
The other options do not enumerate open ports in the same way.netstat -ishows interface-level statistics (packets, errors) rather than listing listening services.netstat -rndisplays the routing table (routes and gateways), which helps understand network paths but not which ports are open.ifconfig <interface> -promisc relates to enabling/disabling promiscuous mode on an interface for packet capture, not port discovery.
Therefore, the command that assisted in identifying open ports isnmap -sT localhost (C).


NEW QUESTION # 28
In which of the following attacks does an attacker trick high-profile executives such as CEOs, CFOs, politicians, and celebrities to reveal critical corporate and personal information through email or website spoofing?

  • A. Spimming
  • B. Whaling
  • C. Identity fraud
  • D. Smishing

Answer: B

Explanation:
The scenario describes a targeted social-engineering attack aimed specifically athigh-profile individuals (CEOs, CFOs, politicians, celebrities) and usesemail or website spoofingto deceive them into disclosing sensitive information. In digital forensics and incident response documentation, this is most accurately categorized aswhaling, a specialized form of phishing that focuses on "big targets" (often called "high-value targets" or "VIPs"). Whaling campaigns typically use highly tailored pretexts (e.g., legal subpoenas, board communications, invoice/payment requests, HR or executive directives) and may include spoofed sender domains, look-alike websites, or fraudulent login pages to harvest credentials and confidential corporate data.
Because executives often have access to financial systems, strategic documents, and privileged communications, attackers concentrate effort on realism and personalization, making whaling distinct from broad, generic phishing.
By contrast,smishingis phishing conducted via SMS/text messages,spimmingis spam over instant messaging platforms, andidentity fraudis a broader category involving impersonation/misuse of personal data but does not specifically denote the executive-targeted spoofing technique described. Therefore, the attack type in the question isWhaling (A).


NEW QUESTION # 29
Kelly, a professional hacker, used her laptop to perform illegal cyber activities for monetary gain on many victims. She securely locked her laptop using BitLocker software. Using this tool, she locked an entire volume using a secret key to deny access to the system.
Identify the anti-forensic technique used by Don in the above scenario.

  • A. Encryption
  • B. Trail obfuscation
  • C. Artifact wiping
  • D. File carving

Answer: A

Explanation:
The scenario describes the use ofBitLockerto lock an entire disk volume with asecret key, preventing access to the contents. In digital forensics, this is a classic example ofencryption as an anti-forensics technique. Full- disk or full-volume encryption transforms readable data into ciphertext using cryptographic algorithms so that, without the correct key (password, recovery key, TPM-bound protector, etc.), the data is computationally infeasible to interpret. This directly obstructs evidence acquisition and analysis because a forensic image of the drive will largely contain encrypted blocks rather than interpretable file system structures and user data.
This differs from the other options:file carvingis a forensic recovery method (often used by investigators) that reconstructs files from unallocated space; it is not an anti-forensics method used to block access.Artifact wipingattempts to erase traces by deleting or overwriting files, logs, or free space, but it does not inherently prevent access to remaining data if wiping is incomplete.Trail obfuscationinvolves misleading or altering logs and traces to confuse investigators, whereas encryption primarilydenies content visibilityby design. Because BitLocker is explicitly a volume encryption mechanism used here to deny access, the correct anti-forensic technique isEncryption (D).


NEW QUESTION # 30
Which of the following types of phishing attacks allows an attacker to exploit instant messaging platforms by employing IM as a tool to spread spam?

  • A. Whaling
  • B. Spimming
  • C. Spear phishing
  • D. Pharming

Answer: B

Explanation:
Spimmingis defined in digital forensics and cybercrime references asspam over instant messaging (IM). It is a social-engineering variant where attackers use instant messaging platforms (and sometimes chat apps) to deliver unsolicited bulk messages containing malicious links, fraudulent offers, credential-harvesting lures, or malware downloads. Because IM messages are often delivered in real time and can appear to come from known contacts (via compromised accounts), spimming can achieve higher click-through rates than traditional email spam. For investigators, spimming incidents commonly leave artifacts such as chat logs, message timestamps, sender identifiers, embedded URLs, and sometimes downloaded payload traces on the endpoint.
These artifacts help establish attacker infrastructure (domains, IPs), victim interaction (click events, file creation), and timeline correlation with network logs.
The other options do not match the "IM as a tool to spread spam" description.Whalingtargets high-profile individuals via highly tailored phishing, typically email-based.Pharmingredirects users to fraudulent websites (often via DNS or host-file manipulation) without relying on bulk IM spam.Spear phishingis targeted phishing toward specific individuals or groups, not necessarily IM spam. Therefore, the phishing/spam attack that exploits instant messaging platforms isSpimming (C).


NEW QUESTION # 31
Which of the following hives in the Windows Registry hierarchical database is volatile in nature and contains file-extension association information and programmatic identifier (ProgID), Class ID (CLSID), and Interface ID (IID) data?

  • A. HKEY_CURRENT_USER
  • B. HKEY_CLASSES_ROOT
  • C. HKEY_CURRENT_CONFIG
  • D. HKEY_LOCAL_MACHINE

Answer: B

Explanation:
HKEY_CLASSES_ROOT (HKCR)is the Windows Registry location that storesfile-association and COM registration data, including mappings forfile extensions(e.g.,.docx) toProgIDs, and COM object identifiers such asCLSIDand interface-related identifiers likeIID. In forensic examinations, HKCR is frequently consulted to determine which application is registered to open a specific file type, to identify COM objects that may enable persistence or abuse (e.g., through COM hijacking), and to correlate suspicious registry-based execution mechanisms with installed software.
HKCR is often described asvolatile in naturebecause it is not a single standalone hive file stored independently in the same way as SAM or SYSTEM; instead, it is amerged, runtime viewcreated by the OS primarily fromHKLM\Software\Classes(machine-wide registrations) andHKCU\Software\Classes(per-user overrides). This means what you see under HKCR can vary depending on the current user context and system state, and the effective associations/registrations may change when software is installed, updated, or when per- user settings override machine defaults.
The other options represent different scopes: HKLM is system configuration, HKCU is user profile configuration, and HKCC reflects the current hardware profile-not the primary COM/file association repository.


NEW QUESTION # 32
Below are the elements included in the order of volatility for a typical computing system as per the RFC 3227 guidelines for evidence collection and archiving.
Archival media
Remote logging and monitoring data related to the target system
Routing table, process table, kernel statistics, and memory
Registers and processor cache
Physical configuration and network topology
Disk or other storage media
Temporary system files
Identify the correct sequence of order of volatility from the most to least volatile for a typical system.

  • A. 4-->3-->7-->6-->2-->5-->1
  • B. 4-->3-->7-->1-->2-->5-->6
  • C. 2-->1-->4-->3-->6-->5-->7
  • D. 7-->5-->4-->3-->2-->6-->1

Answer: A

Explanation:
RFC 3227's "order of volatility" principle guides responders to collect themost perishableevidence first because some data can disappear immediately when power is lost, processes terminate, or the system state changes during response actions. The most volatile items areCPU registers and processor cache (4)because they change continuously at instruction speed and are lost instantly on shutdown or context switching. Next arerouting table, process table, kernel statistics, and memory (3)because live RAM contents and active system tables can change within seconds and are lost if the machine is powered off or rebooted.
After volatile memory,temporary system files (7)are collected because they are frequently overwritten or cleaned by the OS, users, or malware. Then comesdisk or other storage media (6)which is more persistent but still subject to modification, log rotation, and overwriting through normal activity; hence imaging should occur before extensive interaction.
Less volatile still areremote logging and monitoring data (2)since they may persist off-host, but can be rotated or altered by retention policies.Physical configuration and network topology (5)generally changes less frequently and can often be re-documented later. Finally,archival media (1)is the least volatile because it is typically write-once or preserved storage. Thus the correct sequence is4#3#7#6#2#5#1 (Option B).


NEW QUESTION # 33
A government organization decided to establish a computer forensics lab to perform transparent investigation processes on highly sensitive cases. The organization also decided to establish strong physical security around the premises of the forensics lab.
Which of the following security measures helps the organization in providing strong physical security to the forensics lab?

  • A. Never keep the lab under surveillance
  • B. Shield workstations from transmitting electromagnetic signals
  • C. Do not maintain a log register at the entrance of the lab
  • D. Never place fire extinguishers in and outside the lab

Answer: B

Explanation:
Forensics labs handling highly sensitive investigations must protect evidence confidentiality and prevent unauthorized disclosure. Strong physical security includes not only access control and surveillance, but also protections againstelectromagnetic (EM) emanationrisks. Computers and displays can unintentionally emit electromagnetic signals that, under certain conditions, may be intercepted and reconstructed to reveal sensitive information (for example, case notes, recovered evidence content, or credentials). Digital forensics lab design guidance recognizes this as a real threat in high-sensitivity environments and recommendsEM shielding / TEMPEST-style controlswhere appropriate. Shielding workstations reduces the chance of data leakage through side-channel interception and helps ensure that confidential investigative activities cannot be monitored from outside controlled areas.
The other options directly weaken physical security and safety. Fire extinguishers are required for facility safety and risk management, so "never place" them is unsafe and contrary to secure lab standards. Not maintaining an entrance log register undermines chain-of-custody support and accountability by removing a basic access auditing mechanism. "Never keep the lab under surveillance" removes a core deterrent and detection control for unauthorized entry, evidence tampering, and theft. Therefore, shielding workstations from transmitting electromagnetic signals is the only option thatstrengthensphysical security for a sensitive forensics lab.


NEW QUESTION # 34
Which of the following Tor relay nodes in the Tor circuit is designed to transfer data in an encrypted format?

  • A. Entry relay
  • B. Middle relay
  • C. Guard relay
  • D. Exit relay

Answer: B

Explanation:
In a standard Tor circuit, a client typically builds a three-hop path:Entry/Guard # Middle # Exit. Tor uses onion routing, where the client wraps the payload in multiple encryption layers-one for each hop. Each relay removes (decrypts) only its own layer to learn thenext hop, but not the complete route or the original payload in the clear. Themiddle relayis specifically positioned toforward traffic between the entry/guard and the exit while it remains onion-encrypted end-to-end within the Tor network. Because it neither connects to the user's local network (like the entry/guard) nor to the public destination (like the exit), its primary role isencrypted transit/forwarding, helping break the linkage between source and destination. By contrast, theexit relayis where traffic leaves Tor; unless the application layer uses TLS/HTTPS, the exit may deliver data to the destination inunencryptedform on the open Internet. Theentry/guardprotects against certain traffic-correlation risks by being stable, but it is not uniquely "the" encrypted-transfer node. Therefore, the best single answer isMiddle relay (D).


NEW QUESTION # 35
Andrew, a system administrator, is performing a UEFI boot process. The current phase of the UEFI boot process consists of the initialization code that the system executes after powering on the EFI system. This phase also manages platform reset events and sets up the system so that it can find, validate, install, and run the PEI.
Which of the following UEFI boot phases is the process currently in?

  • A. Boot device selection phase
  • B. Driver execution environment phase
  • C. Security phase
  • D. Pre-EFI initialization phase

Answer: C

Explanation:
In the UEFI/PI boot architecture, the phase that runsimmediately after power-on or resetis theSEC (Security) phase. Digital forensics references include UEFI phases because firmware-level activity can affect the trustworthiness of the platform (e.g., bootkits, persistence, and measured boot artifacts). The SEC phase is responsible for executing the earliest initialization instructions, handlingplatform reset events, and establishing a minimal, controlled execution environment. Critically, SEC prepares the system so it canlocate, verify, and hand off controlto the next stage-PEI (Pre-EFI Initialization)-by setting up temporary memory and foundational CPU/chipset state required for PEI modules to execute.
The wording in the question precisely matches SEC responsibilities: "initialization code executed after powering on," "manages platform reset events," and "sets up the system so it can find, validate, install, and run the PEI." By contrast,PEIfocuses on discovering and initializing permanent memory and producing the Hand-Off Blocks for DXE;DXEloads drivers and boot services; andBDSselects and launches the boot option.
Therefore, the phase described is theSecurity phase (SEC), which corresponds to optionD.


NEW QUESTION # 36
Sandra, a hacker, targeted Johana, a software professional, to steal her banking details. She started sending frequent, random pop-up messages with malicious links to her social media page. Johana accidentally clicked on a link, causing a malicious program to get installed in her system. Subsequently, when Johana attempted to access her banking website, the URL redirected her to a malicious website controlled by Sandra. Johana entered her banking credentials on the fake website, which Sandra then captured.
Identify the type of attack performed by Sandra on Johana.

  • A. Tailgating
  • B. Shoulder surfing
  • C. Dumpster diving
  • D. Pharming

Answer: D

Explanation:
The scenario describes a victim beingredirected from a legitimate banking URL to a fraudulent websitewithout intending to visit it, after malware is installed on the system. This behavior is characteristic ofpharming, an attack in which an adversarycauses redirectionto a malicious destination even when the user types the correct address or clicks a legitimate bookmark. In digital forensics references, pharming is commonly achieved by manipulatingname resolution or routing mechanisms, such as altering the localhosts file, changingDNS server settings, poisoning DNS responses, modifying browser proxy settings, or installing malware that intercepts and rewrites web requests. The key forensic indicator is that the victim's request for the real domain is transparently diverted to attacker-controlled infrastructure, where credentials are harvested through a convincing spoofed login page.
The other options do not match the redirection-and-fake-site mechanism.Tailgatingis physical access abuse (following someone into a secure area).Dumpster divinginvolves retrieving sensitive information from discarded materials.Shoulder surfingis observing credentials by watching the victim type. Because the essential action here ismalicious redirection to a fake site to steal credentials, the correct answer isPharming (A).


NEW QUESTION # 37
Which of the following data acquisition formats supports the Lempel-Ziv-Markov chain (LZMA) algorithm for compression?

  • A. Raw Format
  • B. Proprietary Format
  • C. Advanced ForensicFramework 4
  • D. Advanced Forensics Format

Answer: C

Explanation:
In digital forensics, acquisition formats differ mainly in how they store evidence data, metadata, and whether they support features like compression, segmentation, and integrity verification. ARaw formatis a sector-by- sector bitstream image (often called "dd" style) and typically doesnotdefine built-in compression or structured metadata; any compression would be external to the format. "Proprietary format" is not a single defined standard-some proprietary images may compress data, but the option is too generic and not tied to a specific, documented compression method.
The format known in forensic documentation for explicitly supporting modern compression such asLZMAisAFF4 (Advanced Forensic Format 4), which is designed as a next-generation container supporting rich metadata, hashing, chunked storage, and pluggable compression options. AFF4's architecture stores evidence in compressed chunks/streams and commonly associates LZMA with efficient, high-ratio compression while preserving forensic requirements such as repeatable verification through cryptographic hashes.
The option "Advanced ForensicFramework 4" corresponds toAFF4in many exam question banks and training materials. Therefore, the correct choice isC, because AFF4 is the acquisition format recognized for supportingLZMA compressionas part of its standardized capabilities.


NEW QUESTION # 38
John, a forensic officer, was working on a criminal case. He employed imaging software to create a copy of data from the suspect device on a storage medium for further investigation. For developing an image of the original data, John used a software application that does not allow an unauthorized user to alter the image content on storage media, thereby retaining an unaltered image copy.
Identify the data acquisition step performed by John in the above scenario.

  • A. Enabled write protection on the evidence media
  • B. Validated data acquisition
  • C. Sanitized the target media
  • D. Planned for contingency

Answer: A

Explanation:
The scenario emphasizes that John used an application (or mechanism) thatprevents alteration of the acquired image content, ensuring the image remainsunalteredand protected from unauthorized modification. In forensic acquisition standards, this corresponds toenabling write protectionduring imaging-commonly implemented using awrite blocker(hardware or controlled software write-protection) to prevent any writes to the source evidence and, where applicable, to protect the integrity of the evidence copy from accidental or unauthorized changes. The purpose is to preserve evidential integrity by ensuring that neither the original media nor the forensic image is modified during handling, analysis preparation, or transfer.
"Validated data acquisition" refers to confirming the image is an exact duplicate, typically by computing and comparing cryptographic hashes (e.g., MD5/SHA) of the source and the acquired image. While validation is essential, the question specifically highlightspreventing alteration, not verifying equality. "Sanitized the target media" is the step of wiping/clearing the destination drive before acquisition to avoid contamination, which is not what is described. "Planned for contingency" relates to operational planning for unexpected issues (equipment failure, encryption, power loss), not integrity protection. Therefore, the best match isEnabled write protection on the evidence media (A).


NEW QUESTION # 39
......

New 2026 Realistic Free EC-COUNCIL 112-57 Exam Dump Questions and Answer: https://www.braindumpsvce.com/112-57_exam-dumps-torrent.html

EC-COUNCIL 112-57 Exam: Basic Questions With Answers: https://drive.google.com/open?id=1Se1DV-A7hnvFzcKiDq7BvpWETdVQqwTE