ECCouncil 112-57 Questions Answers

In memory forensics, “hidden or injected” malicious code typically refers toprocess injection,code caves,unbacked executable mappings, or regions of memory that aremarked executablebut do not align with normal, file-backed program segments. The Volatility Framework provides specialized plugins to locate these suspicious patterns.linux_malfindis the plugin designed to detectpotentially injected codeby scanning a process’s memory mappings for characteristics that commonly indicate malicious presence—such asexecutable anonymous mappings, unusual permissions (e.g., RWX), and memory regions that contain shellcode-like byte patterns. This is highly relevant when malware attempts to avoid disk artifacts by living in memory or by injecting payloads into legitimate processes.

By contrast,linux_netstatis used to enumerate network connections and sockets from memory (useful for C2 analysis), but it does not focus on injected code regions.ip addr showandnmap -sU localhostare live-system networking commands, not Volatility plugins, and they are not suitable for analyzing a captured RAM image. Therefore, to detect hidden/injected malicious code in a Linux RAM dump using Volatility, the correct plugin islinux_malfind (A).

The scenario describes an email-retrieval configuration in which messages aredownloaded to a client deviceandnot retained on the server. This behavior aligns withPOP3 (Post Office Protocol v3), a legacy but widely referenced mail access protocol that retrieves email from a server mailbox to a local client. In standard POP3 operation, the client authenticates to the mail server, issues retrieval commands (e.g., to list and download messages), and may then issue a delete command so that downloaded messages are removed from the server mailbox. Digital forensics references commonly contrast POP3 with IMAP:IMAP is designed for server-side mailbox synchronization and typically leaves mail stored on the server, whereas POP3 is oriented towardclient-side storageand supports workflows where server copies are not preserved after download. The other options are unrelated to email retrieval:SHA-1is a cryptographic hash function used for integrity checks,ICMPsupports network diagnostics and control messaging, andSNMPis used for network device management and monitoring. From an investigative standpoint, POP3 usage can reduce server-resident evidence and shift evidentiary value tolocal artifacts(mail client databases, cache, OS traces, backups), which is consistent with the intent described in the question.

In Tor Browser deployments, Tor typically runs a local client (“tor” process) that exposes aSOCKS proxyfor applications (the browser) to send traffic into the Tor network and, optionally, acontrol interfacefor managing circuits and obtaining runtime status. In many forensic lab guides and Tor Browser bundle configurations, the default local SOCKS listening port is9150, and the associated Tor control port is commonly9151. This pairing is frequently referenced in investigations because endpoint triage (e.g., netstat outputs, firewall logs, EDR socket telemetry) may show local loopback connections from the browser to127.0.0.1:9150(SOCKS) and management communications involving9151(control).

From a network-forensics viewpoint, these ports help distinguish Tor Browser activity from other proxy tools: the browser does not directly connect to Tor relays; instead, it hands traffic to the local SOCKS proxy, which then establishes encrypted circuits to Tor nodes. While Tor can be configured to use different ports, the question asks about the specific ports used for establishing Tor connections in typical Tor Browser setups, which aligns with9150/9151. Therefore, the correct option isD.

The scenario describes a targeted social-engineering attack aimed specifically athigh-profile individuals(CEOs, CFOs, politicians, celebrities) and usesemail or website spoofingto deceive them into disclosing sensitive information. In digital forensics and incident response documentation, this is most accurately categorized aswhaling, a specialized form of phishing that focuses on “big targets” (often called “high-value targets” or “VIPs”). Whaling campaigns typically use highly tailored pretexts (e.g., legal subpoenas, board communications, invoice/payment requests, HR or executive directives) and may include spoofed sender domains, look-alike websites, or fraudulent login pages to harvest credentials and confidential corporate data. Because executives often have access to financial systems, strategic documents, and privileged communications, attackers concentrate effort on realism and personalization, making whaling distinct from broad, generic phishing.

By contrast,smishingis phishing conducted via SMS/text messages,spimmingis spam over instant messaging platforms, andidentity fraudis a broader category involving impersonation/misuse of personal data but does not specifically denote the executive-targeted spoofing technique described. Therefore, the attack type in the question isWhaling (A).