Pass4Future also provides interactive practice exam software for preparing for the EC-Council Digital Forensics Essentials (112-57) exam. You are welcome to explore the free sample EC-Council 112-57 exam questions below and also try the EC-Council 112-57 exam practice test software.
Steve, a professional hacker, attempted to hack Alice's banking account. To accomplish his goal, Steve used an automated tool to guess Alice's login credentials. The tool uses a trial-and-error method by attempting all possible combinations of usernames and passwords to determine the valid credentials.
Identify the type of attack initiated by Steve in the above scenario.
Answer: A
The scenario describes an automated, trial-and-error attempt that tries all possible combinations of usernames and passwords until a correct credential pair is found. This is the defining characteristic of a brute-force attack. In digital forensics terminology, brute force is a direct password-guessing method that relies on exhaustive attempts (or systematically generated candidates) rather than tricking the user or exploiting a software flaw. Investigators commonly recognize brute-force activity through artifacts such as repeated authentication failures in security logs, high-frequency login attempts from a single IP or distributed sources, account lockout events, and abnormal spikes in authentication traffic. In banking and web environments, it may also appear as repeated POST requests to login endpoints with varying credential pairs and consistent user-agent patterns, sometimes accompanied by throttling or CAPTCHA triggers.
The other options do not match the described "attempting all possible combinations" behavior. Phishing obtains credentials by deception (fake emails/sites). A Trojan horse steals data by running malicious code on the victim's system. Data manipulation focuses on altering data integrity rather than credential guessing. Therefore, the correct attack type is Brute-force attack (A).
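The explanation above lists the artifacts an investigator looks for (repeated authentication failures, high-frequency attempts from one source, a success following a burst of failures). The following script is an added example, not part of the original page, that runs that detection logic over a few constructed authentication log lines; the log format, the threshold of five failures and the five-minute sliding window are assumptions chosen for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed authentication log lines (not from any real system).
SAMPLE_LOG = """\
2024-03-01T10:00:01Z auth: login FAILED user=alice src=203.0.113.5
2024-03-01T10:00:02Z auth: login FAILED user=alice src=203.0.113.5
2024-03-01T10:00:02Z auth: login FAILED user=alice src=203.0.113.5
2024-03-01T10:00:03Z auth: login FAILED user=alice src=203.0.113.5
2024-03-01T10:00:03Z auth: login FAILED user=alice src=203.0.113.5
2024-03-01T10:00:04Z auth: login FAILED user=alice src=203.0.113.5
2024-03-01T10:00:05Z auth: login SUCCESS user=alice src=203.0.113.5
2024-03-01T10:00:07Z auth: login FAILED user=bob src=198.51.100.9
2024-03-01T10:15:00Z auth: login SUCCESS user=bob src=198.51.100.9
"""

# Assumed (constructed) log line layout: timestamp, result, user, source IP.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth: login (?P<result>FAILED|SUCCESS) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_auth_log(text):
    """Turn raw log text into (timestamp, result, user, src) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines that are not authentication events
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["result"], m["user"], m["src"]))
    return events


def detect_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Flag (src, user) pairs with >= threshold failures inside a sliding window.

    Each alert records when the burst started, how many failures were seen,
    and whether a SUCCESS followed the burst (a sign the guessing may have worked).
    """
    recent = defaultdict(list)   # (src, user) -> failure timestamps inside the window
    alerts = {}
    for ts, result, user, src in sorted(events):
        key = (src, user)
        if result == "FAILED":
            fails = [t for t in recent[key] if ts - t <= window] + [ts]
            recent[key] = fails
            if len(fails) >= threshold:
                alert = alerts.setdefault(
                    key, {"first_failure": fails[0], "success_after": False}
                )
                alert["failure_count"] = len(fails)
        elif key in alerts:
            # A success after an alerted burst deserves immediate follow-up.
            alerts[key]["success_after"] = True
    return alerts


if __name__ == "__main__":
    for (src, user), info in detect_bruteforce(parse_auth_log(SAMPLE_LOG)).items():
        print(f"{src} -> {user}: {info['failure_count']} failures since "
              f"{info['first_failure']:%H:%M:%S}, success after burst: {info['success_after']}")
```

In the constructed sample, the six rapid failures against `alice` from one source trip the alert and the success that follows is recorded, while `bob`'s single mistyped password does not. Real deployments would also key on the user alone (password spraying across many sources) and on the source alone (one source against many users).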
Identify the malware analysis technique in which the investigators must take a snapshot of the baseline state of the forensic workstation before malware execution.
Answer: B
The technique described, taking a snapshot of the baseline state of the forensic workstation before executing malware, aligns with Monitoring host integrity. In malware forensics, investigators often perform controlled execution (dynamic analysis) and need a reliable way to identify what changed on the system as a direct result of the malware run. Host integrity monitoring is a structured approach where the examiner first captures a known-good baseline of critical system elements such as file system state (key directories, system binaries), registry/configuration state, running services, installed drivers, scheduled tasks, and sometimes hash inventories of important files. After malware execution, the investigator captures a second snapshot and performs a differential comparison to determine newly created/modified files, persistence mechanisms, configuration changes, dropped payloads, and tampering attempts.
This baseline-before/after comparison is fundamental for attributing changes to the sample, supporting repeatability, and documenting evidence in a defensible manner. The other options do not require a workstation baseline snapshot in this sense: online malware scanning checks a file against signatures/reputation services; string search extracts readable strings from binaries; and file fingerprinting typically refers to hashing to uniquely identify a file, not system-wide state comparison. Therefore, the correct answer is Monitoring host integrity (B).
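The baseline-then-compare workflow described above is easy to see on a file-system hash inventory. The following script is an added example and not code from the original page: it builds a small constructed directory tree in a temporary folder, takes a SHA-256 baseline, simulates the kinds of changes a sample might make (a dropped file, a modified configuration file, a deleted file), takes a second snapshot and reports the difference. The directory names and contents are constructed for illustration; a real workstation baseline would also cover registry keys, services, drivers and scheduled tasks.

```python
import hashlib
import tempfile
from pathlib import Path


def snapshot(root):
    """Baseline inventory: relative file path -> SHA-256 of its contents."""
    root = Path(root)
    inventory = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            inventory[path.relative_to(root).as_posix()] = digest
    return inventory


def diff_snapshots(before, after):
    """Differential comparison of two inventories taken before/after execution."""
    created = sorted(set(after) - set(before))
    deleted = sorted(set(before) - set(after))
    modified = sorted(p for p in set(before) & set(after) if before[p] != after[p])
    return {"created": created, "deleted": deleted, "modified": modified}


def simulate_analysis_run():
    """Constructed workstation tree -> baseline -> simulated changes -> diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        # Constructed "known-good" state (placeholder names, not real system paths).
        (root / "system32").mkdir()
        (root / "system32" / "hosts").write_text("127.0.0.1 localhost\n")
        (root / "startup").mkdir()
        (root / "startup" / "readme.txt").write_text("baseline\n")
        before = snapshot(root)

        # Simulated effects of the sample (constructed): drop a persistence file,
        # tamper with a configuration file, remove an existing file.
        (root / "startup" / "update.vbs").write_text("' constructed dropped file\n")
        (root / "system32" / "hosts").write_text(
            "127.0.0.1 localhost\n0.0.0.0 updates.example\n"
        )
        (root / "startup" / "readme.txt").unlink()
        after = snapshot(root)

        return diff_snapshots(before, after)


if __name__ == "__main__":
    for kind, paths in simulate_analysis_run().items():
        print(f"{kind}: {paths}")
```

Storing the baseline inventory (and its own hash) alongside the case notes is what makes the comparison repeatable and defensible: another examiner can re-run the diff against the same baseline and obtain the same list of changes.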
Which of the following acts was passed by the U.S. Congress in 2002 to protect investors from the possibility of fraudulent accounting activities by corporations?
Answer: C
The Sarbanes-Oxley Act (SOX) was enacted by the U.S. Congress in 2002 in response to major corporate accounting scandals and was specifically designed to protect investors by improving the accuracy, reliability, and integrity of corporate disclosures and financial reporting. SOX strengthens governance and accountability by requiring executive management (notably the CEO and CFO) to certify the correctness of financial statements and by mandating stronger internal controls over financial reporting. From a digital forensics and compliance perspective, SOX is closely tied to the need for reliable audit trails, proper records retention, and demonstrable control over systems that store or process financial data. Investigators frequently rely on SOX-driven logging, access controls, and change management records to determine who accessed financial systems, what changes were made, and whether those actions align with authorized procedures.
The other options do not match the question's purpose or jurisdiction: the Electronic Communications Privacy Act addresses interception of and access to electronic communications, GDPR is an EU data protection regulation (not a 2002 U.S. act focused on investor protection), and "Information Privacy Act 2014" is not the 2002 U.S. corporate anti-fraud legislation. Therefore, the correct answer is Sarbanes-Oxley Act (SOX) (C).
Below is the syntax of a command-line utility that displays active TCP connections and ports on which the computer is listening.
netstat [-a] [-e] [-n] [-o] [-p Protocol] [-r] [-s] [Interval]
Identify the netstat parameter that displays active TCP connections and includes the process ID (PID) for each connection.
Answer: C
In Windows forensics and incident response, investigators often need to link network activity (remote IPs, ports, connection states) to the responsible process to determine whether traffic is legitimate or associated with malware, unauthorized tools, or data exfiltration. The Windows netstat utility can enumerate current TCP connections and listening ports, but the key flag that enables attribution to a running program is -o. The -o parameter instructs netstat to include the owning process ID (PID) with each connection or listening socket. Once the PID is known, examiners can correlate it with process listings (e.g., Task Manager, tasklist, memory forensics output) to identify the executable name, path, user context, and parent process; these are critical steps in reconstructing attacker behavior and persistence.
The other options do not provide PID mapping: -n shows addresses and ports in numeric form (useful for speed and to avoid DNS lookups), -a displays all connections and listening ports but without PID attribution by itself, and -s shows protocol statistics rather than per-connection ownership. Therefore, the parameter that shows active connections and includes the PID for each is [-o] (Option C).
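The PID-to-process correlation described above is a routine triage step, and it is easily scripted once the two listings have been saved as text. The script below is an added example, not part of the original page: it parses constructed text laid out like `netstat -ano` output and like `tasklist /FO CSV` output, joins them on the PID column that -o adds, and groups established connections by executable name. All addresses, PIDs and image names are constructed placeholders, and the functions are assumed names.

```python
import csv
import io
import re

# Constructed text in the shape of `netstat -ano` output (not a real capture).
NETSTAT_OUTPUT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    192.0.2.10:49712       198.51.100.77:443      ESTABLISHED     3124
  TCP    192.0.2.10:49730       203.0.113.8:8443       ESTABLISHED     5080
  UDP    0.0.0.0:5353           *:*                                    1460
"""

# Constructed rows in the shape of `tasklist /FO CSV` output.
TASKLIST_OUTPUT = """\
"Image Name","PID","Session Name","Session#","Mem Usage"
"System","4","Services","0","148 K"
"chrome.exe","3124","Console","1","210,444 K"
"updater.exe","5080","Console","1","9,812 K"
"""

# Proto, local, foreign, optional state (UDP rows have none), then the PID from -o.
NETSTAT_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:(\S+)\s+)?(\d+)\s*$")


def parse_netstat(text):
    """Return one dict per socket row; header and banner lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = NETSTAT_RE.match(line)
        if m:
            proto, local, foreign, state, pid = m.groups()
            rows.append({"proto": proto, "local": local, "foreign": foreign,
                         "state": state or "", "pid": int(pid)})
    return rows


def parse_tasklist(text):
    """Map PID -> image name from CSV-formatted tasklist output."""
    return {int(r["PID"]): r["Image Name"] for r in csv.DictReader(io.StringIO(text))}


def attribute_connections(netstat_text, tasklist_text):
    """Join the two listings on PID; PIDs absent from the process list are marked."""
    procs = parse_tasklist(tasklist_text)
    conns = parse_netstat(netstat_text)
    for row in conns:
        row["image"] = procs.get(row["pid"], "<unknown>")
    return conns


def established_by_image(conns):
    """Group remote endpoints of ESTABLISHED connections by owning executable."""
    grouped = {}
    for c in conns:
        if c["state"] == "ESTABLISHED":
            grouped.setdefault(c["image"], []).append(c["foreign"])
    return grouped


if __name__ == "__main__":
    conns = attribute_connections(NETSTAT_OUTPUT, TASKLIST_OUTPUT)
    for image, remotes in established_by_image(conns).items():
        print(f"{image}: {', '.join(remotes)}")
```

A PID that appears in netstat but not in the process listing (the UDP row above) is itself worth noting: the listings were taken at different moments, the process exited in between, or the process list was captured from a different source than the socket table.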
Given below is a regex signature used by security professionals for detecting an XSS attack:
/((%3C)|<)[^\n]+((%3E)|>)/i
Which of the following types of XSS attack does the above regex expression detect?
Answer: A
The regex /((%3C)|<)[^\n]+((%3E)|>)/i is designed to detect HTML tag injection patterns, which are a common indicator of XSS payloads. It matches either a literal "<" character or its URL-encoded form "%3C" (case-insensitive due to the i flag), followed by one or more characters that are not a newline ([^\n]+), and then either a literal ">" or its encoded form "%3E". This pattern essentially looks for anything that resembles an HTML tag, such as <script>, <svg ...>, or other element constructs that attackers frequently use to execute JavaScript via attributes like onerror, onload, etc.
In web-attack investigations, this kind of signature is used during log review and input validation checks to flag requests containing tag delimiters, because many reflected/stored XSS attempts rely on injecting markup into an HTML context. It does not specifically target CSS-only payloads, nor inline comments, and ''simple XSS'' is too vague; the expression is explicitly focused on angle-bracket (or encoded) tag structures, which correspond most directly to HTML tags-based XSS attempts.
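To see what the signature does and does not flag during log review, the following script, added here and not part of the original page, runs the same expression over a few constructed request fragments. It also shows the two caveats a reviewer should expect from a delimiter-based rule: plain text that happens to contain both angle brackets is reported (a false positive), and input that is percent-encoded more than once is not matched until it has been decoded, which is why the added `normalized_match` helper decodes before matching. The sample inputs and helper names are constructed for this example.

```python
import re
from urllib.parse import unquote

# The signature from the question; [^\n] inside a raw string is still a newline class for re.
XSS_TAG_RE = re.compile(r"((%3C)|<)[^\n]+((%3E)|>)", re.IGNORECASE)

# Constructed request parameter fragments (not real traffic).
SAMPLES = {
    "literal_tag": "q=<script>alert(1)</script>",
    "url_encoded": "q=%3Cscript%3Ealert(1)%3C/script%3E",
    "lowercase_encoded": "q=%3csvg onload=alert(1)%3e",
    "benign_text": "q=hello world",
    "benign_comparison": "expr=1 < 2 and 3 > 2",     # both brackets, no markup
    "double_encoded": "q=%253Cscript%253E",          # %25 is '%', so no %3C/%3E yet
}


def raw_match(value):
    """Apply the signature exactly as written to the raw value."""
    return XSS_TAG_RE.search(value) is not None


def normalized_match(value, max_rounds=2):
    """Decode percent-encoding up to max_rounds times, matching after each round.

    This is the usual hardening for delimiter signatures: compare against the
    form the application will actually see, not only the bytes on the wire.
    """
    current = value
    for _ in range(max_rounds + 1):
        if XSS_TAG_RE.search(current):
            return True
        decoded = unquote(current)
        if decoded == current:
            break  # nothing left to decode
        current = decoded
    return False


def scan(samples, matcher=raw_match):
    """Run a matcher over every sample and report which ones were flagged."""
    return {name: matcher(value) for name, value in samples.items()}


if __name__ == "__main__":
    for name, flagged in scan(SAMPLES).items():
        print(f"raw        {name:18} -> {flagged}")
    for name, flagged in scan(SAMPLES, normalized_match).items():
        print(f"normalized {name:18} -> {flagged}")
```

The raw signature flags the literal, encoded and lower-case encoded tags, misses the double-encoded one, and also flags the harmless comparison string; decoding first closes the first gap, while the false positive is inherent to a rule that keys on delimiters alone and is normally handled by reviewing the flagged request rather than by loosening the pattern.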