Pass the ECCouncil DEF 112-57 Questions and answers with ExamsMirror

Promiscuous mode is a network interface configuration in which the NIC passesall observed framesto the operating system, not only frames addressed to that host’s MAC address. In investigations, this matters because promiscuous mode is commonly enabled bypacket sniffers, certain intrusion tools, or misconfigured monitoring software, and it can indicate covert traffic capture on a host.

On UNIX/Linux systems, the traditional command used to view interface flags and status isifconfig <interface name>. When an interface is set to promiscuous mode,ifconfigdisplays aPROMISCflag in the interface’s status line, allowing an investigator to confirm whether the NIC is accepting all frames. This directly matches Kane’s goal of checking if the interface is running in promiscuous mode.

The other commands do not provide this specific interface flag.nmap -sT localhostscans for open TCP ports, not interface modes.ipconfigis a Windows command (and does not take an interface name in that form to show PROMISC status), and it primarily reports IP configuration.netstat -ishows network interface statistics (packets, errors, drops) but typically does not explicitly indicate promiscuous mode. Therefore, the correct command isifconfig (C).

HKEY_CLASSES_ROOT (HKCR)is the Windows Registry location that storesfile-association and COM registration data, including mappings forfile extensions(e.g.,.docx) toProgIDs, and COM object identifiers such asCLSIDand interface-related identifiers likeIID. In forensic examinations, HKCR is frequently consulted to determine which application is registered to open a specific file type, to identify COM objects that may enable persistence or abuse (e.g., through COM hijacking), and to correlate suspicious registry-based execution mechanisms with installed software.

HKCR is often described asvolatile in naturebecause it is not a single standalone hive file stored independently in the same way as SAM or SYSTEM; instead, it is amerged, runtime viewcreated by the OS primarily fromHKLM\Software\Classes(machine-wide registrations) andHKCU\Software\Classes(per-user overrides). This means what you see under HKCR can vary depending on the current user context and system state, and the effective associations/registrations may change when software is installed, updated, or when per-user settings override machine defaults.

The other options represent different scopes: HKLM is system configuration, HKCU is user profile configuration, and HKCC reflects the current hardware profile—not the primary COM/file association repository.

In an email crime investigation, the workflow should begin withseizing the computer and email accounts (5)to preserve evidence and prevent alteration, deletion, or continued misuse. This includes securing endpoints and ensuring account access is maintained under proper authority. Next, investigators proceed withacquiring the email data (1)using forensic methods (logical export, mailbox acquisition, or forensic imaging of local mail stores) to maintain integrity and chain of custody.

Once the data is preserved, investigatorsexamine email messages (3)to identify relevant communications, context, attachments, and indicators of fraud, harassment, data leakage, or impersonation. After identifying emails of interest, investigatorsretrieve email headers (6)(full headers, not just what the mail client displays) because headers contain routing metadata required for attribution and timeline reconstruction. They thenanalyze email headers (2)to interpret fields such as Received lines, Message-ID, originating IP clues (where applicable), sending infrastructure, and authentication results, which helps determine spoofing, relay paths, and sender legitimacy. Finally, theyrecover deleted email messages (4)from mail stores, server-side retention, or unallocated space to restore missing evidence. This sequence matches optionA.

In digital forensics, acquisition formats differ mainly in how they store evidence data, metadata, and whether they support features like compression, segmentation, and integrity verification. ARaw formatis a sector-by-sector bitstream image (often called “dd” style) and typically doesnotdefine built-in compression or structured metadata; any compression would be external to the format. “Proprietary format” is not a single defined standard—some proprietary images may compress data, but the option is too generic and not tied to a specific, documented compression method.

The format known in forensic documentation for explicitly supporting modern compression such asLZMAisAFF4 (Advanced Forensic Format 4), which is designed as a next-generation container supporting rich metadata, hashing, chunked storage, and pluggable compression options. AFF4’s architecture stores evidence in compressed chunks/streams and commonly associates LZMA with efficient, high-ratio compression while preserving forensic requirements such as repeatable verification through cryptographic hashes.

The option “Advanced ForensicFramework 4” corresponds toAFF4in many exam question banks and training materials. Therefore, the correct choice isC, because AFF4 is the acquisition format recognized for supportingLZMA compressionas part of its standardized capabilities.

On macOS, theBasic Security Module (BSM)provides the system’saudit framework, which records security-relevant activity such asfile access, process execution, authentication events, privilege changes, and other system calls. A key forensic characteristic of BSM auditing is that events are written asbinary audit records composed of “tokens.”Each token represents a structured piece of the event (for example: subject/user identity, process ID, command arguments, path, return value, timestamps), and tokens are assembled into complete audit records. Because these audit logs arebinary and tokenized, they are compact, consistent, and designed for reliable parsing and evidentiary reconstruction—important when building timelines of file-related actions and attributing them to specific users and processes.

The other options do not match the “binary token” description.Command-line inputsmay be stored in shell history files but are plain text and not tokenized binary audit records.User accountartifacts (e.g., directory services, plist files) describe identities and settings, not tokenized event logs.Kexts(kernel extensions) are drivers/modules; while they can affect system behavior, they are not the macOS component that stores file/event records in a binary token format. Therefore, the correct answer isBasic Security Module (C).

In forensic examinations, investigators must correctly interpret a disk’spartitioning schemebecause it determines where volumes begin, where file systems reside, and how to validate acquisition completeness. Modern systems may useGPT(commonly associated with UEFI) while legacy systems often useMBR. A practical forensic command therefore needs to detect and parse partition informationregardless of whether the disk uses MBR or GPT, and present the results in a consistent, investigator-friendly output for verification and downstream analysis (e.g., selecting the correct partition offsets for imaging or mounting).

Get-ForensicPartitionTableis designed for exactly this role in forensic PowerShell tooling: it parses partition table structures in a forensically oriented manner and supports disks partitioned usingeither MBR or GPT. That “forensic” emphasis typically means it reads raw structures directly, reports partition entries and offsets, and helps avoid ambiguity when the protective MBR (present on GPT disks) could confuse simplistic parsers.

By contrast,Get-BootSectortargets boot sector/VBR data rather than the full partition layout;Get-GPTis GPT-specific and does not cover MBR-only disks; andGet-PartitionTableis a more generic label that may not guarantee dual-scheme forensic parsing. Therefore, the correct option isC.

The technique described—taking a snapshot of the baseline state of the forensic workstation before executing malware—aligns withMonitoring host integrity. In malware forensics, investigators often perform controlled execution (dynamic analysis) and need a reliable way to identifywhat changed on the systemas a direct result of the malware run. Host integrity monitoring is a structured approach where the examiner first captures aknown-good baselineof critical system elements such as file system state (key directories, system binaries), registry/configuration state, running services, installed drivers, scheduled tasks, and sometimes hash inventories of important files. After malware execution, the investigator captures a second snapshot and performsdifferential comparisonto determine newly created/modified files, persistence mechanisms, configuration changes, dropped payloads, and tampering attempts.

This baseline-before/after comparison is fundamental for attributing changes to the sample, supporting repeatability, and documenting evidence in a defensible manner. The other options do not require a workstation baseline snapshot in this sense:online malware scanningchecks a file against signatures/reputation services;string searchextracts readable strings from binaries; andfile fingerprintingtypically refers to hashing to uniquely identify a file, not system-wide state comparison. Therefore, the correct answer isMonitoring host integrity (B).

Ahoneypotis a deliberately deployed decoy system or service designed toattract attackersby appearing valuable or vulnerable, thereby enabling defenders to observe malicious behavior in a controlled manner. Digital forensics and incident response references describe honeypots as tools forthreat intelligence and evidence collection, because they can record interaction details such as connection sources, exploited services, commands executed, malware dropped, and attempted privilege escalation. This directly matches the scenario: Steven deployed something that “appears to contain very useful information” tolure attackersand help identify theirlocations and techniques. Honeypots are typically instrumented with extensive logging and monitoring, making them especially useful for building timelines, extracting indicators of compromise, and understanding adversary tactics, techniques, and procedures.

The other options do not align with the “bait attackers” goal. AnIDSprimarily detects and alerts on suspicious activity but is not intended to impersonate a valuable target. Afirewallenforces access control rules to block/allow traffic, not entice attackers. Arouterforwards packets and provides network connectivity; it is not a deception platform. Therefore, the device type described is aHoneypot (C).

The requirement is tolist devices connected to a local Windows machine, specifically to identifyexternal storage devicesthat may be attached and potentially used for data theft or malware introduction. In Windows forensic practice, investigators often start by enumerating currently mounted volumes and recently connected removable media so they can correlate device presence with suspicious activity timelines and user actions.DriveLetterViewis a utility designed to display the complete mapping ofdrive letters to storage devices/volumes, includingremovable drives(USB flash drives, external HDDs), optical media, network-mapped drives, and local partitions. It helps quickly identify what storage devices are present and accessible on the system at the time of inspection, which fits the scenario where James captures a list of connected devices and removes suspicious ones.

The other tools do not match this purpose.ESEDatabaseViewis used to inspect Extensible Storage Engine databases, not enumerate attached storage.ProcDumpis used for creating process memory dumps for debugging/forensic analysis of processes, not for listing connected drives.PromiscDetectrelates to detecting network interfaces in promiscuous mode (packet sniffing), not external storage enumeration. Therefore, the correct tool for identifying connected storage devices isDriveLetterView (C).

In classic hard-disk geometry, total capacity is computed fromCHS parameters(Cylinders × Heads × Sectors per track) multiplied bybytes per sector. Forensic examiners learn this because it helps validate whether an image acquisition size is consistent with the physical disk geometry and to spot anomalies caused by misreported device geometry or capture errors.

First compute total addressable sectors:

16,384 cylinders × 80 heads = 1,310,720 tracks(because each head provides a track per cylinder).

Then multiply by sectors per track:

1,310,720 × 63 = 82,575,360 sectors.

Convert sectors to bytes using the sector size:

82,575,360 sectors × 512 bytes/sector = 42,278,584,320 bytes.

This matches optionAexactly. In practice, modern drives often use LBA and may report different logical geometries, but the forensic principle remains the same: capacity equals the number of logical blocks times the logical block size, and CHS-style values are a structured way to perform that verification.