매달, 우리는 1000명 이상의 사람들이 시험 준비를 잘하고 시험을 잘 통과할 수 있도록 도와줍니다.
EC-Council Digital Forensics Essentials (DFE) 온라인 연습
최종 업데이트 시간: 2026년03월09일
당신은 온라인 연습 문제를 통해 EC-Council 112-57 시험지식에 대해 자신이 어떻게 알고 있는지 파악한 후 시험 참가 신청 여부를 결정할 수 있다.
시험을 100% 합격하고 시험 준비 시간을 35% 절약하기를 바라며 112-57 덤프 (최신 실제 시험 문제)를 사용 선택하여 현재 최신 75개의 시험 문제와 답을 포함하십시오.
정답:
Explanation:
In a standard Tor circuit, a client typically builds a three-hop path: Entry/Guard → Middle → Exit. Tor uses onion routing, where the client wraps the payload in multiple encryption layers―one for each hop. Each relay removes (decrypts) only its own layer to learn the next hop, but not the complete route or the original payload in the clear. The middle relay is specifically positioned to forward traffic between the entry/guard and the exit while it remains onion-encrypted end-to-end within the Tor network. Because it neither connects to the user’s local network (like the entry/guard) nor to the public destination (like the exit), its primary role is encrypted transit/forwarding, helping break the linkage between source and destination. By contrast, the exit relay is where traffic leaves Tor; unless the application layer uses TLS/HTTPS, the exit may deliver data to the destination in unencrypted form on the open Internet. The entry/guard protects against certain traffic-correlation risks by being stable, but it is not uniquely “the” encrypted-transfer node. Therefore, the best single answer is Middle relay (D).
정답:
Explanation:
On Windows systems, ipconfig is the standard command-line utility used to display and troubleshoot TCP/IP configuration and the operational status of network interfaces. From a forensic and incident-response perspective, it helps investigators quickly identify whether a NIC is enabled and configured, and it reveals key network parameters tied to “network status,” such as the assigned IPv4/IPv6 addresses, subnet mask, default gateway, and DNS servers. Using variants like ipconfig /all, responders can also capture adapter-specific metadata including MAC address (physical address), DHCP enablement, DHCP server, lease timestamps, and interface descriptions―useful for correlating an endpoint to switch-port logs, DHCP logs, and network monitoring data. This is often part of live
triage because it documents the system’s current connectivity and routing context at the time of seizure or investigation.
The other options are not appropriate for NIC status: PsLoggedOn reports logged-on users, and PsList enumerates running processes―both are Sysinternals tools focused on user/process state rather than network interface configuration. ifconfig is a UNIX/Linux command (and not the primary Windows utility), so it would not be the correct choice for Windows-based systems. Therefore, ipconfig (A) is correct.
정답:
Explanation:
The technique described―taking a snapshot of the baseline state of the forensic workstation before executing malware―aligns with Monitoring host integrity. In malware forensics, investigators often perform controlled execution (dynamic analysis) and need a reliable way to identify what changed on the system as a direct result of the malware run. Host integrity monitoring is a structured approach where the examiner first captures a known-good baseline of critical system elements such as file system state (key directories, system binaries), registry/configuration state, running services, installed drivers, scheduled tasks, and sometimes hash inventories of important files. After malware execution, the investigator captures a second snapshot and performs differential comparison to determine newly created/modified files, persistence mechanisms, configuration changes, dropped payloads, and tampering attempts.
This baseline-before/after comparison is fundamental for attributing changes to the sample, supporting repeatability, and documenting evidence in a defensible manner. The other options do not require a workstation baseline snapshot in this sense: online malware scanning checks a file against signatures/reputation services; string search extracts readable strings from binaries; and file fingerprinting typically refers to hashing to uniquely identify a file, not system-wide state comparison. Therefore, the correct answer is Monitoring host integrity (B).
정답:
Explanation:
HKEY_CLASSES_ROOT (HKCR) is the Windows Registry location that stores file-association and COM registration data, including mappings for file extensions (e.g., .docx) to ProgIDs, and COM object identifiers such as CLSID and interface-related identifiers like IID. In forensic examinations, HKCR is frequently consulted to determine which application is registered to open a specific file type, to identify COM objects that may enable persistence or abuse (e.g., through COM hijacking), and to correlate suspicious registry-based execution mechanisms with installed software.
HKCR is often described as volatile in nature because it is not a single standalone hive file stored independently in the same way as SAM or SYSTEM; instead, it is a merged, runtime view created by the OS primarily from HKLM\Software\Classes (machine-wide registrations) and HKCU\Software\Classes (per-user overrides). This means what you see under HKCR can vary depending on the current user context and system state, and the effective associations/registrations may change when software is installed, updated, or when per-user settings override machine defaults.
The other options represent different scopes: HKLM is system configuration, HKCU is user profile configuration, and HKCC reflects the current hardware profile―not the primary COM/file association repository.
정답:
Explanation:
The activity described―collecting network topology details and compiling a list of live hosts― matches the reconnaissance phase commonly referred to as enumeration. In digital forensics and incident response documentation, enumeration is the systematic process of discovering and extracting information about a target environment to support later exploitation. It typically follows (or overlaps with) scanning and includes identifying active IP addresses, reachable systems, open ports/services, device roles, OS fingerprints, domain information, shared resources, user/group details, and routing or segmentation clues that reveal how the network is structured.
This information is then used to plan “further attacks,” such as targeting exposed services, choosing exploit paths, locating high-value systems, and selecting lateral movement routes. From a forensic standpoint, enumeration attempts often leave traces in firewall logs, IDS alerts, and endpoint artifacts (e.g., bursts of connection attempts across many hosts/ports, ICMP echo sweeps, ARP discovery on local segments, and repeated DNS queries).
The other options do not fit: data modification involves altering data integrity; session hijacking targets active sessions/tokens; and buffer overflow is an exploitation technique against vulnerable software, not the information-gathering step described. Therefore, the correct answer is Enumeration (B)
정답:
Explanation:
Seek time is the specific performance measure that describes how long a hard disk drive’s actuator takes to move the read/write heads across the platters from the current track (cylinder) to the target track where the requested data resides. In traditional magnetic HDDs, the heads must be physically repositioned before any sector can be read or written, making seek time a core component of mechanical latency.
Digital forensics materials emphasize understanding this distinction because HDD mechanical behavior affects acquisition duration, the feasibility of repeated scans, and why imaging or carving operations can take longer on fragmented media. It also helps explain why solid-state drives (SSDs), which have no moving heads, do not have seek time in the same sense and therefore behave differently during large-scale reads.
The other choices are broader or unrelated: access time typically refers to the total time to retrieve data, commonly combining seek time + rotational latency + transfer time. Delay time is not the standard term for head movement in disk performance definitions. Mean time is incomplete as written and is usually part of reliability metrics like mean time between failures, not head positioning. Therefore, the correct measure for head movement time is Seek time (C).
정답:
Explanation:
To understand a malware sample’s purpose at the instruction level, investigators use reverse-engineering tools that can disassemble compiled binaries into assembly code and often allow interactive debugging to observe runtime behavior (API calls, unpacking routines, decryption loops, process injection, and control-flow decisions). OllyDbg is a classic Windows user-mode debugger widely referenced in malware analysis workflows because it provides an integrated view of disassembly, CPU registers, memory, breakpoints, and execution tracing. This makes it suitable for extracting behavioral insight from the actual assembly instructions, especially when malware uses obfuscation or packers that require stepping through execution to reach the real payload.
The other options do not primarily perform assembly-level analysis. VirtualBox and VMware vSphere are virtualization platforms; they help safely run malware in isolated environments, but they are not disassemblers/debuggers for examining assembly instructions. QualNet is a network simulation tool used for modeling network behavior, not binary reverse engineering. Because the question specifically emphasizes analyzing assembly code instructions to understand malware purpose, the correct tool among the choices is OllyDbg (C).
정답:
Explanation:
The Subject field is the primary email header element used to communicate the purpose and urgency of a message at a glance. Digital forensics training emphasizes that email messages consist of headers (routing and descriptive metadata) and a body (content). Among user-visible header fields, the Subject line is specifically intended to summarize what the email is about, helping recipients prioritize and correctly interpret the message without opening it. In the scenario, John routinely receives casual emails from Alice (often with pictures). When Alice sent a project-related email “without specifying the actual purpose,” John treated it like routine mail and overlooked its significance. A clear, descriptive subject such as “Final Year Project Seminar C Attendance Required” would have flagged the message as time-sensitive and different from her usual emails, reducing the chance it would be missed.
The other options do not serve this purpose. Date is automatically assigned and mainly supports ordering and timeline reconstruction rather than highlighting importance. Cc and Bcc control who receives copies and can affect visibility or secrecy, but they do not summarize intent for the recipient. Therefore, the field best suited to highlight importance is Subject (A).
정답:
Explanation:
The technique described―keyword stuffing, doorway pages, page swapping, and inserting unrelated high-traffic keywords―matches black-hat search-engine optimization (SEO), often called SEO poisoning in digital forensics and threat intelligence materials. In this distribution method, attackers manipulate search engine ranking algorithms so that malicious or malware-hosting pages appear near the top of search results for popular queries (breaking news, software downloads, trending events, adult content, etc.). Doorway pages are created to rank well for specific terms and then funnel victims to malicious landing pages. Page swapping (or “bait-and-switch”) occurs when a page is optimized and indexed as benign content, but later replaced or dynamically served as malicious content once it has gained ranking and trust signals. Keyword stuffing and unrelated keyword injection further exploit ranking heuristics by artificially increasing perceived relevance.
From a forensic perspective, black-hat SEO campaigns often leave artifacts such as compromised websites with injected spam links, abnormal redirect chains, cloaking behavior (different content for crawlers vs. users), and malicious scripts or exploit kit references. The other options do not primarily rely on search ranking manipulation: drive-by downloads are about silent exploitation on visit, spearphishing relies on targeted messaging, and clickjacking tricks users into unintended clicks. Hence, Black-hat search-engine optimization (C) is correct.
정답:
Explanation:
In FAT (File Allocation Table) file systems (FAT12/16/32), directory entries are fixed-size records that include an 8.3 filename field. When a file is deleted, FAT typically does not immediately erase the file’s content; instead, it marks the directory entry as deleted by replacing the first character of the filename with the special marker byte 0xE5 (often written as E5h). This is a key forensic behavior because it means the file’s metadata entry may still be present in the directory table, and the data clusters may remain recoverable until they are reused and overwritten. Examiners can often reconstruct the original filename’s first character only through context or by correlating other artifacts, but the remainder of the directory entry (timestamps, size, starting cluster) can still assist recovery.
The other options do not match this mechanism. NTFS uses Master File Table records and marks deletions differently (file record flags and index changes), not by overwriting the first filename byte with E5h. EFS is an encryption feature layered on NTFS, not a distinct file system deletion marker. FHS is a UNIX/Linux directory layout standard, unrelated to Windows disk structures. Therefore, the correct answer is FAT (A).
정답:
Explanation:
In Windows forensics, the Registry is organized into logical root keys (“hives”) that aggregate configuration and security data. The items named in the question―SAM, SECURITY, and SOFTWARE―are system-wide registry hives stored on disk (typically under the system’s configuration directory) and loaded at runtime under HKEY_LOCAL_MACHINE (HKLM). Investigators rely on these hives because they contain high-value evidence: the SAM hive stores local account database information (including user and group identifiers and credential-related material), the SECURITY hive holds system security policy and LSA-related settings, and the SOFTWARE hive contains installed software, application configuration, and many operating system settings relevant for program execution and persistence analysis.
Tools like FTK Imager can extract these hives (or their live-memory representations) during triage to preserve volatile context and enable offline parsing while maintaining evidentiary integrity. The other root keys do not match these specific hives: HKEY_CURRENT_USER is per-user profile data, HKEY_CURRENT_CONFIG reflects current hardware profile, and HKEY_CLASSES_ROOT is primarily file association/COM class mapping (largely derived from HKLM\Software\Classes and HKCU\Software\Classes). Therefore, the correct hive root that provides SAM, SECURITY, and SOFTWARE subkeys is HKEY_LOCAL_MACHINE (B).
정답:
Explanation:
Under the Electronic Communications Privacy Act (ECPA), Title II is commonly known as the Stored Communications Act (SCA). Digital forensics and e-discovery references treat the SCA as the key legal framework governing access to stored electronic communications and associated subscriber/account records held by service providers. The question specifically mentions (1) “contents of files stored by service providers” and (2) “records held about the subscriber … such as subscriber name, billing records, and IP addresses.” These map directly to the SCA’s two broad categories: content (what a communication or stored file contains) and non-content records (subscriber identity, connection logs, billing information, IP assignment/history, and related transactional metadata).
From an investigative perspective, Title II matters because it sets the legal process and restrictions for compelled disclosure―typically requiring different forms of legal process depending on whether the investigator seeks content versus subscriber/transactional records, and depending on factors like how the data is stored and retention timeframes. In contrast, Title I focuses on real-time interception (wiretap-style capture), and Title III addresses pen register/trap-and-trace style dialing/routing information rather than stored content. Therefore, the correct title is Title II (Option A).
정답:
Explanation:
A honeypot is a deliberately deployed decoy system or service designed to attract attackers by appearing valuable or vulnerable, thereby enabling defenders to observe malicious behavior in a controlled manner. Digital forensics and incident response references describe honeypots as tools for threat intelligence and evidence collection, because they can record interaction details such as connection sources, exploited services, commands executed, malware dropped, and attempted privilege escalation. This directly matches the scenario: Steven deployed something that “appears to contain very useful information” to lure attackers and help identify their locations and techniques. Honeypots are typically instrumented with extensive logging and monitoring, making them especially useful for building timelines, extracting indicators of compromise, and understanding adversary tactics, techniques, and procedures.
The other options do not align with the “bait attackers” goal. An IDS primarily detects and alerts on suspicious activity but is not intended to impersonate a valuable target. A firewall enforces access control rules to block/allow traffic, not entice attackers. A router forwards packets and provides network connectivity; it is not a deception platform. Therefore, the device type described is a Honeypot (C).
정답:
Explanation:
A common requirement in macOS-focused forensic labs is the ability to run multiple operating systems on a single Mac for controlled testing, malware detonation in a sandbox, reproduction of user activity, and validation of artifacts across platforms. This is typically achieved through desktop virtualization, where a hypervisor hosts guest operating systems (such as Windows and various Linux distributions) inside virtual machines. Parallels Desktop 16 is a Mac virtualization solution built specifically to run Windows on macOS with strong integration features (such as shared clipboard, folder sharing, and “coherence” modes that allow Windows applications to appear alongside Mac applications). This capability aligns with the question’s description: developing and testing across multiple OSs in VMs on a Mac and enabling use of Microsoft Office for Windows within that Windows guest environment.
The other tools do not fit. Riverbed Modeler and NetSim are primarily network modeling/simulation tools used for network design and training, not desktop virtualization. Camtasia is used for screen recording and video editing, which can support documentation but does not provide a VM environment. Therefore, the only option that directly provides cross-OS virtual machines on macOS and supports running Windows applications like Microsoft Office is Parallels Desktop 16 (B).
정답:
Explanation:
In forensic examinations, investigators must correctly interpret a disk’s partitioning scheme because it determines where volumes begin, where file systems reside, and how to validate acquisition completeness. Modern systems may use GPT (commonly associated with UEFI) while legacy systems often use MBR. A practical forensic command therefore needs to detect and parse partition information regardless of whether the disk uses MBR or GPT, and present the results in a consistent, investigator-friendly output for verification and downstream analysis (e.g., selecting the correct partition offsets for imaging or mounting).
Get-ForensicPartitionTable is designed for exactly this role in forensic PowerShell tooling: it parses partition table structures in a forensically oriented manner and supports disks partitioned using either MBR or GPT. That “forensic” emphasis typically means it reads raw structures directly, reports partition entries and offsets, and helps avoid ambiguity when the protective MBR (present on GPT disks) could confuse simplistic parsers.
By contrast, Get-BootSector targets boot sector/VBR data rather than the full partition layout; Get-GPT is GPT-specific and does not cover MBR-only disks; and Get-PartitionTable is a more generic label that may not guarantee dual-scheme forensic parsing. Therefore, the correct option is C.