ECCouncil 112-57 - EC-Council Digital Forensics Essentials (DFE)

The scenario describes a targeted social-engineering attack aimed specifically athigh-profile individuals(CEOs, CFOs, politicians, celebrities) and usesemail or website spoofingto deceive them into disclosing sensitive information. In digital forensics and incident response documentation, this is most accurately categorized aswhaling, a specialized form of phishing that focuses on “big targets” (often called “high-value targets” or “VIPs”). Whaling campaigns typically use highly tailored pretexts (e.g., legal subpoenas, board communications, invoice/payment requests, HR or executive directives) and may include spoofed sender domains, look-alike websites, or fraudulent login pages to harvest credentials and confidential corporate data. Because executives often have access to financial systems, strategic documents, and privileged communications, attackers concentrate effort on realism and personalization, making whaling distinct from broad, generic phishing.

By contrast,smishingis phishing conducted via SMS/text messages,spimmingis spam over instant messaging platforms, andidentity fraudis a broader category involving impersonation/misuse of personal data but does not specifically denote the executive-targeted spoofing technique described. Therefore, the attack type in the question isWhaling (A).

The listed actions describe theexamination and interpretation of acquired evidence, which aligns withdata analysisin the digital forensics investigation process. After collection and acquisition, examiners analyze evidence by validating what the data contains (file content and usage), interpretingMAC times(creation/modification and related timestamps), attributing actions tousers and accounts(who created, accessed, or modified the file), and determiningwhere the file resides physically/logicallyon storage (path, volume, clusters/blocks, and whether it appears in allocated/unallocated areas). Generating atimelineis a core analytical task used to correlate file events with system activity and other artifacts to reconstruct sequence and intent. Finally, “identify the root cause of the incident” represents the analytical conclusion derived from correlating artifacts and timeline events.

The other choices do not match the described work.Search and seizureis the legal/field activity of locating and securing evidence sources, not interpreting artifacts.Reportingis the documentation phase after analysis, where findings and methods are written up.Case analysisis broader and can include overall strategy and interpretation, but the question’s focus is explicitly on analyzing acquired data and producing forensic conclusions, which isdata analysis.

The key detail is that Sarah’simaging softwarecould not acquire the device because the drive wasvery old and incompatiblewith the software-based approach. In such situations, forensic practice recommends switching to an acquisition method that isless dependent on the operating system or specific imaging application compatibility, while still producing a forensic-accurate duplicate.Bit-stream disk-to-diskacquisition (also called forensic cloning) creates asector-by-sectorcopy of the entire source drive directly onto another physical drive. This method is commonly performed using dedicated duplicators or hardware-assisted workflows that can interface with legacy media more reliably than certain disk-to-image software utilities.

Sparse acquisition would intentionally capture only selected portions of a disk (used to reduce time/storage), which does not fit the goal of “succeeded in imaging the data” after a failure due to incompatibility. Logical acquisition captures only active files/folders through the file system and is not the preferred alternative when full forensic imaging is required, especially in criminal cases. Bit-stream disk-to-image-file is still software/container dependent and is essentially what failed initially. Therefore, the most appropriate alternative that explains success with an older incompatible drive isBit-stream disk-to-disk (D).

In forensic readiness planning, the goal is to ensure that when an incident occurs, the organization can collect, preserve, and present digital evidence in a manner that remainsreliable, repeatable, and legally defensible. A key requirement for courtroom acceptance is cleardocumentation—often referred to as proper documentation and chain-of-custody support—showing what actions were taken, by whom, when, using which tools, and under what conditions. Creating a defined process for documenting procedures ensures investigators consistently record acquisition steps, handling methods, hashing/verification results, storage locations, access history, and any changes in evidence possession. This documentation becomes a “backup” in the sense that it preserves institutional memory of the investigation steps, allowing future reviewers (auditors, opposing experts, courts) to reconstruct and validate what occurred even long after the incident.

While identifying potential evidence (B) and determining evidence sources (C) are important readiness tasks, they do not themselves create the structured record needed to defend evidence integrity. Keeping an incident response team ready (D) supports operational response, but does not directly ensure admissibility. Therefore, the step that provides future reference and supports court presentation isCreating a process for documenting the procedure (A).

Under the Electronic Communications Privacy Act (ECPA),Title IIis commonly known as theStored Communications Act (SCA). Digital forensics and e-discovery references treat the SCA as the key legal framework governing access tostored electronic communications and associated subscriber/account recordsheld by service providers. The question specifically mentions (1) “contents of files stored by service providers” and (2) “records held about the subscriber … such as subscriber name, billing records, and IP addresses.” These map directly to the SCA’s two broad categories:content(what a communication or stored file contains) andnon-content records(subscriber identity, connection logs, billing information, IP assignment/history, and related transactional metadata).

From an investigative perspective, Title II matters because it sets the legal process and restrictions for compelled disclosure—typically requiring different forms of legal process depending on whether the investigator seekscontentversussubscriber/transactional records, and depending on factors like how the data is stored and retention timeframes. In contrast,Title Ifocuses on real-time interception (wiretap-style capture), andTitle IIIaddresses pen register/trap-and-trace style dialing/routing information rather than stored content. Therefore, the correct title isTitle II (Option A).

Jennifer’s actions match the responsibilities of anincident responder, whose job spans immediatecontainment, preservation, and stabilizationactivities during an active or recently active security incident. In standard digital forensics and incident response (DFIR) procedures, responders first take steps topreserve evidence(e.g., documenting the scene, capturing volatile data when appropriate, and collecting relevant system artifacts) and then executecontainment measuresto prevent further harm. Disconnecting a compromised host from the network is a classic containment control used to stop malware propagation, block command-and-control communications, and prevent lateral movement to other systems.

Anincident analyzertypically focuses on deeper technical analysis—timeline reconstruction, root cause determination, and correlating artifacts across hosts and logs—rather than performing immediate containment. Anevidence manageris primarily responsible for maintaining evidence integrity, chain of custody, storage, labeling, and access control, not operational containment. Anexpert witnessprovides formal testimony and interpretation in legal or disciplinary proceedings and is not usually involved in live containment actions. Since Jennifer bothgathered evidenceand thenisolated the system to stop spread, the role most consistent with documented DFIR responsibilities isIncident responder (A).

On macOS, theBasic Security Module (BSM)provides the system’saudit framework, which records security-relevant activity such asfile access, process execution, authentication events, privilege changes, and other system calls. A key forensic characteristic of BSM auditing is that events are written asbinary audit records composed of “tokens.”Each token represents a structured piece of the event (for example: subject/user identity, process ID, command arguments, path, return value, timestamps), and tokens are assembled into complete audit records. Because these audit logs arebinary and tokenized, they are compact, consistent, and designed for reliable parsing and evidentiary reconstruction—important when building timelines of file-related actions and attributing them to specific users and processes.

The other options do not match the “binary token” description.Command-line inputsmay be stored in shell history files but are plain text and not tokenized binary audit records.User accountartifacts (e.g., directory services, plist files) describe identities and settings, not tokenized event logs.Kexts(kernel extensions) are drivers/modules; while they can affect system behavior, they are not the macOS component that stores file/event records in a binary token format. Therefore, the correct answer isBasic Security Module (C).

In Tor Browser deployments, Tor typically runs a local client (“tor” process) that exposes aSOCKS proxyfor applications (the browser) to send traffic into the Tor network and, optionally, acontrol interfacefor managing circuits and obtaining runtime status. In many forensic lab guides and Tor Browser bundle configurations, the default local SOCKS listening port is9150, and the associated Tor control port is commonly9151. This pairing is frequently referenced in investigations because endpoint triage (e.g., netstat outputs, firewall logs, EDR socket telemetry) may show local loopback connections from the browser to127.0.0.1:9150(SOCKS) and management communications involving9151(control).

From a network-forensics viewpoint, these ports help distinguish Tor Browser activity from other proxy tools: the browser does not directly connect to Tor relays; instead, it hands traffic to the local SOCKS proxy, which then establishes encrypted circuits to Tor nodes. While Tor can be configured to use different ports, the question asks about the specific ports used for establishing Tor connections in typical Tor Browser setups, which aligns with9150/9151. Therefore, the correct option isD.

In a standard Tor circuit, a client typically builds a three-hop path:Entry/Guard → Middle → Exit. Tor usesonion routing, where the client wraps the payload in multiple encryption layers—one for each hop. Each relay removes (decrypts) only its own layer to learn thenext hop, but not the complete route or the original payload in the clear. Themiddle relayis specifically positioned toforward traffic between the entry/guard and the exit while it remains onion-encrypted end-to-end within the Tor network. Because it neither connects to the user’s local network (like the entry/guard) nor to the public destination (like the exit), its primary role isencrypted transit/forwarding, helping break the linkage between source and destination. By contrast, theexit relayis where traffic leaves Tor; unless the application layer uses TLS/HTTPS, the exit may deliver data to the destination inunencryptedform on the open Internet. Theentry/guardprotects against certain traffic-correlation risks by being stable, but it is not uniquely “the” encrypted-transfer node. Therefore, the best single answer isMiddle relay (D).