ECCouncil 112-57 - EC-Council Digital Forensics Essentials (DFE)

Steganographyis the technique of concealing a messagewithin another seemingly harmless carrier(such as an image, audio file, video, or document) so that theexistence of the hidden message is not apparentto an observer. Digital forensics references distinguish steganography from encryption: encryption scrambles content but usually leaves visible indicators that protected data exists (ciphertext), while steganography aims to make the communication look ordinary, reducing suspicion. In practice, steganographic methods often embed data into redundant or less perceptible parts of the carrier, such as modifying least significant bits in pixel values, altering frequency components in audio, or inserting data into metadata or unused file structures.

The other options do not match the definition.Password crackingis an access technique to recover authentication secrets, not a concealment method.Artifact wipingis an anti-forensics method intended to remove traces (logs, files, slack space remnants), but it does not “hide behind” other data—it destroys or overwrites evidence.Program packerscompress/obfuscate executables to hinder static analysis and detection, but they still produce an executable whose presence is evident; they do not primarily hide messages inside benign files. Therefore, the described “hiding the existence of the message itself” corresponds toSteganography (C).

The scenario describes a victim beingredirected from a legitimate banking URL to a fraudulent websitewithout intending to visit it, after malware is installed on the system. This behavior is characteristic ofpharming, an attack in which an adversarycauses redirectionto a malicious destination even when the user types the correct address or clicks a legitimate bookmark. In digital forensics references, pharming is commonly achieved by manipulatingname resolution or routing mechanisms, such as altering the localhosts file, changingDNS server settings, poisoning DNS responses, modifying browser proxy settings, or installing malware that intercepts and rewrites web requests. The key forensic indicator is that the victim’s request for the real domain is transparently diverted to attacker-controlled infrastructure, where credentials are harvested through a convincing spoofed login page.

The other options do not match the redirection-and-fake-site mechanism.Tailgatingis physical access abuse (following someone into a secure area).Dumpster divinginvolves retrieving sensitive information from discarded materials.Shoulder surfingis observing credentials by watching the victim type. Because the essential action here ismalicious redirection to a fake site to steal credentials, the correct answer isPharming (A).

InFAT (File Allocation Table)file systems (FAT12/16/32), directory entries are fixed-size records that include an8.3 filename field. When a file is deleted, FAT typically does not immediately erase the file’s content; instead, it marks the directory entry as deleted by replacing thefirst character of the filenamewith the special marker byte0xE5(often written asE5h). This is a key forensic behavior because it means the file’s metadata entry may still be present in the directory table, and the data clusters may remain recoverable until they are reused and overwritten. Examiners can often reconstruct the original filename’s first character only through context or by correlating other artifacts, but the remainder of the directory entry (timestamps, size, starting cluster) can still assist recovery.

The other options do not match this mechanism.NTFSuses Master File Table records and marks deletions differently (file record flags and index changes), not by overwriting the first filename byte with E5h.EFSis an encryption feature layered on NTFS, not a distinct file system deletion marker.FHSis a UNIX/Linux directory layout standard, unrelated to Windows disk structures. Therefore, the correct answer isFAT (A).

The scenario describes the investigator collectingvolatileartifacts—specifically information inRAM, activeDLLs, system and network state, and transient data held incacheand similar runtime locations—through the device’s normal interface while the system is running. In digital forensics documentation, this is the defining characteristic oflive acquisition(also called live response). Live acquisition is performed when the system remains powered on so that investigators can capture evidence that would be lost on shutdown, such as running processes, open network connections, logged-on sessions, loaded modules/DLLs, encryption keys, and portions of registry data that exist in memory or are actively changing.

By contrast,static acquisitionanddead acquisitionare conducted when the system is powered off (or the evidence drive is imaged outside the running OS), focusing primarily on persistent storage such as disk sectors and file system structures.Non-volatile data acquisitionrefers to collecting persistent data stored on media (e.g., files on disk), which does not match the emphasis on RAM and other volatile components in the question. Because the investigator is explicitly collecting volatile data from a running system via its normal interface, the correct method isLive acquisition (B).

SSH (Secure Shell)is specifically designed to provide anencrypted channelover an untrusted network. In digital forensics and incident response, SSH is well known for supportingtunneling/port forwarding, where traffic for another protocol (for example, HTTP, database connections, or remote desktop) is encapsulated inside an SSH session. Because the SSH session encrypts payload data (and can also protect authentication and command content), the tunneled traffic becomesobfuscated to network monitoring toolsthat can only see metadata such as source/destination IPs, port numbers (often TCP/22), timing, and byte counts. This capability is frequently discussed in forensic references as a mechanism that can hinder content inspection and complicate attribution of user actions purely from packet payload analysis.

By contrast,SNMPis primarily for network management and monitoring, not secure tunneling.ARPresolves IP-to-MAC addresses on local networks and does not provide encryption or tunneling.UDPis a transport protocol that can carry data for many applications but provides no built-in security or tunneling features by itself. Therefore, the protocol that creates secure tunneling enabling content obfuscation isSSH (C).

event logs) to establish user intent and sequence of actions. Therefore, the correct option isBrowsingHistoryView (B).

Promiscuous mode is a network interface configuration in which the NIC passesall observed framesto the operating system, not only frames addressed to that host’s MAC address. In investigations, this matters because promiscuous mode is commonly enabled bypacket sniffers, certain intrusion tools, or misconfigured monitoring software, and it can indicate covert traffic capture on a host.

On UNIX/Linux systems, the traditional command used to view interface flags and status isifconfig <interface name>. When an interface is set to promiscuous mode,ifconfigdisplays aPROMISCflag in the interface’s status line, allowing an investigator to confirm whether the NIC is accepting all frames. This directly matches Kane’s goal of checking if the interface is running in promiscuous mode.

The other commands do not provide this specific interface flag.nmap -sT localhostscans for open TCP ports, not interface modes.ipconfigis a Windows command (and does not take an interface name in that form to show PROMISC status), and it primarily reports IP configuration.netstat -ishows network interface statistics (packets, errors, drops) but typically does not explicitly indicate promiscuous mode. Therefore, the correct command isifconfig (C).

The description matchessession data, often calledflow records(for example, NetFlow/IPFIX-style evidence). In network forensics, session/flow evidence summarizes a communication “conversation” between two endpoints using the5-tuple(source IP, source port, destination IP, destination port, and protocol) and typically addsstart/end time or duration,bytes/packets sent, and sometimes directionality. This allows an investigator to reconstructwho talked to whom, when, and for how long, even when packet payloads are unavailable (because of encryption, storage limits, or privacy constraints).

“Full content data” refers to complete packet captures (PCAP) containing payload bytes; that is far more detailed and would include the actual transmitted content, not just a summary. “Statistical data” is broader aggregate metrics (overall bandwidth trends, interface counters) and generally lacks per-conversation attribution. “Alert data” comes from IDS/IPS/SIEM detections and represents triggered events or signatures, not a neutral conversation summary.

Because Bob’s evidence contains per-connection identifiers (IPs/ports) and conversation duration—typical of flow/session summaries—the correct evidence type isSession data (C).

In Windows forensics, analyzingMicrosoft Edgeuser activity commonly involves extracting and correlating browser artifacts such asvisited URLs, visit counts, timestamps, download references, and cached content indicators. A practical forensic approach is to use a tool that canparse and normalize history artifacts across multiple browsers, because investigations often require comparing activity between Edge and other installed browsers on the same workstation.BrowsingHistoryViewis designed specifically for that purpose: it aggregates browsing history from different browsers and presents it in a unified timeline-style view, which supports rapid triage and cross-validation of user activity.

By contrast,MZHistoryViewandMZCacheVieware associated withMozilla-family artifacts(history and cache), making them appropriate for Firefox-related examinations rather than Edge.ChromeHistoryViewis specialized forGoogle Chromehistory databases and does not target Edge artifacts as its primary source. In forensic workflow terms, a multi-browser history tool is valuable because it helps identify patterns such as repeated access to specific domains, time windows of browsing activity, and correlation with other Windows artifacts (prefetch, jump lists,

In classic hard-disk geometry, total capacity is computed fromCHS parameters(Cylinders × Heads × Sectors per track) multiplied bybytes per sector. Forensic examiners learn this because it helps validate whether an image acquisition size is consistent with the physical disk geometry and to spot anomalies caused by misreported device geometry or capture errors.

First compute total addressable sectors:

16,384 cylinders × 80 heads = 1,310,720 tracks(because each head provides a track per cylinder).

Then multiply by sectors per track:

1,310,720 × 63 = 82,575,360 sectors.

Convert sectors to bytes using the sector size:

82,575,360 sectors × 512 bytes/sector = 42,278,584,320 bytes.

This matches optionAexactly. In practice, modern drives often use LBA and may report different logical geometries, but the forensic principle remains the same: capacity equals the number of logical blocks times the logical block size, and CHS-style values are a structured way to perform that verification.

In the NTFS file system, theMaster File Table (MFT)is the core metadata structure that tracksevery file and directoryon the volume. NTFS implements this as a special system file named$MFT(shown here as$mft). Each file or folder on an NTFS partition is represented by at least oneMFT record entry, which stores essential metadata such as file name(s), timestamps, security identifiers/ACL references, file size, attributes, and pointers to the file’s data runs (or, for very small files, the content can be stored resident inside the record). Because it is the authoritative “index” of file objects, forensic examiners rely heavily on $MFT to reconstruct user activity and file history, including evidence of deleted files (when records are marked unused but remnants of attributes may remain) and timeline building from timestamp attributes.

The other options are different NTFS metadata files with narrower purposes:$LogFilerecords NTFS transaction logs to support recovery,$Volumestores volume-level information (like version/label), and$Quotamanages disk quota tracking. None of these contain a record for every file on the system. Therefore, the NTFS system file that contains a record of every file present is$mft (B).