112-57 Certification Exam Guide + Practice Questions


Comprehensive 112-57 certification exam guide covering exam overview, skills measured, preparation tips, and practice questions with detailed explanations.

112-57 Exam Guide

This 112-57 exam focuses on practical knowledge and real-world application scenarios related to the subject area. It evaluates your ability to understand core concepts, apply best practices, and make informed decisions in realistic situations rather than relying solely on memorization.

This page provides a structured exam guide, including exam focus areas, skills measured, preparation recommendations, and practice questions with explanations to support effective learning.


Exam Overview

The 112-57 exam typically emphasizes how concepts are used in professional environments, testing both theoretical understanding and practical problem-solving skills.


Skills Measured

  • Understanding of core concepts and terminology
  • Ability to apply knowledge to practical scenarios
  • Analysis and evaluation of solution options
  • Identification of best practices and common use cases


Preparation Tips

Successful candidates combine conceptual understanding with hands-on practice. Reviewing measured skills and working through scenario-based questions is strongly recommended.


Practice Questions for 112-57 Exam

The following practice questions are designed to reinforce key 112-57 exam concepts and reflect common scenario-based decision points tested in the certification.

Question#1

James is examining a system that a cybercriminal was suspected to have used for performing an anti-social activity through the Tor browser. He reviewed the active network connections that Tor establishes using specific ports.
Which of the following port numbers does Tor use for establishing a connection via Tor nodes?

A. 1026/64666
B. 3024/4092
C. 31/456
D. 9150/9151

Explanation:
In Tor Browser deployments, Tor typically runs a local client (“tor” process) that exposes a SOCKS proxy for applications (the browser) to send traffic into the Tor network and, optionally, a control interface for managing circuits and obtaining runtime status. In many forensic lab guides and Tor Browser bundle configurations, the default local SOCKS listening port is 9150, and the associated Tor control port is commonly 9151. This pairing is frequently referenced in investigations because endpoint triage (e.g., netstat outputs, firewall logs, EDR socket telemetry) may show local loopback connections from the browser to 127.0.0.1:9150 (SOCKS) and management communications involving 9151 (control).
From a network-forensics viewpoint, these ports help distinguish Tor Browser activity from other proxy tools: the browser does not directly connect to Tor relays; instead, it hands traffic to the local SOCKS proxy, which then establishes encrypted circuits to Tor nodes. While Tor can be configured to use different ports, the question asks about the specific ports used for establishing Tor connections in typical Tor Browser setups, which aligns with 9150/9151. Therefore, the correct option is D.

Question#2

Identify the investigation team member who is responsible for evidence gathered at the crime scene and maintains a record of the evidence, making it admissible in a court of law.

A. Incident analyzer
B. Evidence examiner
C. Incident responder
D. Evidence manager

Explanation:
The role described (responsibility for evidence gathered at the crime scene and for maintaining a record that makes the evidence admissible in court) matches the duties of an Evidence manager. In digital forensics practice, admissibility depends heavily on proving integrity, authenticity, and continuity of possession. The evidence manager ensures these requirements by implementing and documenting the chain of custody, which is the formal, chronological record of who collected the evidence, when and where it was collected, how it was packaged and labeled, how it was transported, where it was stored, and every time it was accessed or transferred. This role also enforces evidence handling procedures such as tamper-evident sealing, secure storage controls, access logging, and verification steps (for example, ensuring hashes are recorded and preserved for forensic images).
An incident responder focuses on containment and immediate actions during an incident; an incident analyzer performs technical analysis and correlation of artifacts; and an evidence examiner conducts detailed forensic examinations on acquired data. While these roles interact with evidence, the specific responsibility for maintaining custody documentation and evidence records to support legal admissibility belongs to the Evidence manager, making D the correct answer.
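The chain-of-custody record described above, as an added example that is not part of this guide: a minimal custody log that preserves the hash taken at acquisition, records each hand-off with its seal, and re-verifies the image so a later alteration breaks continuity. The item id, names, locations and the sample "image" bytes are all constructed for illustration.

```python
import hashlib
from datetime import datetime, timezone


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class CustodyRecord:
    """Chronological custody log for one evidence item; the acquisition hash is kept."""

    def __init__(self, item_id, collector, location, packaging, image: bytes):
        self.item_id = item_id
        self.acquisition_hash = sha256_hex(image)  # recorded once, at collection
        self.entries = []
        self._log("collected", collector, location, packaging=packaging)

    def _log(self, action, person, location, **details):
        self.entries.append({"seq": len(self.entries) + 1, "action": action,
                             "person": person, "location": location,
                             "time": datetime.now(timezone.utc).isoformat(),
                             **details})

    def transfer(self, from_person, to_person, location, seal_id):
        """Each hand-off names both parties and the tamper-evident seal in use."""
        self._log("transferred", to_person, location,
                  released_by=from_person, seal_id=seal_id)

    def verify(self, image: bytes, examiner, location) -> bool:
        """Re-hash the image and log the outcome; a mismatch breaks continuity."""
        observed = sha256_hex(image)
        ok = observed == self.acquisition_hash
        self._log("verified" if ok else "hash_mismatch", examiner, location,
                  observed_hash=observed)
        return ok

    def is_continuous(self) -> bool:
        """Intact only if entries are numbered in order and no check failed."""
        return (all(e["seq"] == i + 1 for i, e in enumerate(self.entries))
                and all(e["action"] != "hash_mismatch" for e in self.entries))


# Constructed sample evidence: a byte string standing in for a forensic image.
SAMPLE_IMAGE = b"constructed forensic image bytes"


def demo_record() -> CustodyRecord:
    # Collection at the scene, hand-off to the evidence manager, examiner check.
    rec = CustodyRecord("EV-001", "J. Doe (collector)", "crime scene",
                        "anti-static bag, seal S-17", SAMPLE_IMAGE)
    rec.transfer("J. Doe (collector)", "evidence manager", "evidence locker", "S-17")
    rec.verify(SAMPLE_IMAGE, "A. Lee (examiner)", "forensic lab")
    return rec
```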

Question#3

James, a forensic specialist, was appointed to investigate an incident in an organization. As part of the investigation, James is attempting to identify whether any external storage devices are connected to the internal systems. For this purpose, he employed a utility to capture the list of all devices connected to the local machine and removed suspicious devices.
Identify the tool employed by James in the above scenario.

A. ESEDatabaseView
B. ProcDump
C. DriveLetterView
D. PromiscDetect

Explanation:
The requirement is to list devices connected to a local Windows machine, specifically to identify external storage devices that may be attached and potentially used for data theft or malware introduction. In Windows forensic practice, investigators often start by enumerating currently mounted volumes and recently connected removable media so they can correlate device presence with suspicious activity timelines and user actions. DriveLetterView is a utility designed to display the complete mapping of drive letters to storage devices/volumes, including removable drives (USB flash drives, external HDDs), optical media, network-mapped drives, and local partitions. It helps quickly identify what storage devices are present and accessible on the system at the time of inspection, which fits the scenario where James captures a list of connected devices and removes suspicious ones.
The other tools do not match this purpose. ESEDatabaseView is used to inspect Extensible Storage Engine databases, not enumerate attached storage. ProcDump is used for creating process memory dumps for debugging/forensic analysis of processes, not for listing connected drives. PromiscDetect relates to detecting network interfaces in promiscuous mode (packet sniffing), not external storage enumeration. Therefore, the correct tool for identifying connected storage devices is DriveLetterView (C).

Question#4

Bob, a forensic investigator, is investigating a live Windows system found at a crime scene. In this process, Bob extracted subkeys containing information such as SAM, Security, and software using an automated tool called FTK Imager.
Which of the following Windows Registry hives’ subkeys provide the above information to Bob?

A. HKEY_CLASSES_ROOT
B. HKEY_LOCAL_MACHINE
C. HKEY_CURRENT_USER
D. HKEY_CURRENT_CONFIG

Explanation:
In Windows forensics, the Registry is organized into logical root keys (“hives”) that aggregate configuration and security data. The items named in the question (SAM, SECURITY, and SOFTWARE) are system-wide registry hives stored on disk (typically under the system’s configuration directory) and loaded at runtime under HKEY_LOCAL_MACHINE (HKLM). Investigators rely on these hives because they contain high-value evidence: the SAM hive stores local account database information (including user and group identifiers and credential-related material), the SECURITY hive holds system security policy and LSA-related settings, and the SOFTWARE hive contains installed software, application configuration, and many operating system settings relevant for program execution and persistence analysis.
Tools like FTK Imager can extract these hives (or their live-memory representations) during triage to preserve volatile context and enable offline parsing while maintaining evidentiary integrity. The other root keys do not match these specific hives: HKEY_CURRENT_USER is per-user profile data, HKEY_CURRENT_CONFIG reflects current hardware profile, and HKEY_CLASSES_ROOT is primarily file association/COM class mapping (largely derived from HKLM\Software\Classes and HKCU\Software\Classes). Therefore, the correct hive root that provides SAM, SECURITY, and SOFTWARE subkeys is HKEY_LOCAL_MACHINE (B).

Question#5

Bob, a forensic investigator, was instructed to review a Windows machine and identify any anonymous activities performed using it. In this process, Bob used the command “netstat -ano” to view all the active connections in the system and determined that the connections established by the Tor browser were closed.
Which of the following states of the connections established by Tor indicates that the Tor browser is closed?

A. CLOSE_WAIT
B. TIME_WAIT
C. ESTABLISHED
D. LISTENING

Explanation:
In Windows network forensics, netstat -ano is commonly used to correlate TCP connection states with process identifiers (PIDs) to understand which application created or used a connection. When Tor Browser is actively communicating, outbound circuits typically appear as ESTABLISHED connections to Tor relays (entry/guard nodes) or local loopback endpoints used by Tor components. After the browser is closed and the application tears down connections, Windows TCP/IP behavior often leaves recently closed sockets in TIME_WAIT.
TIME_WAIT is a normal TCP state that appears after a connection has been actively closed. It exists to ensure delayed packets from the old session are not misinterpreted as belonging to a new session and to allow proper retransmission of the final ACK if needed. From an investigative standpoint, seeing Tor-related endpoints transition from ESTABLISHED to TIME_WAIT strongly indicates the sessions were terminated and the application is no longer maintaining live network traffic.
By contrast, CLOSE_WAIT usually means the remote side has closed but the local application has not fully closed its socket yet, LISTENING indicates a service waiting for inbound connections, and ESTABLISHED means the session is still active. Therefore, TIME_WAIT (B) best indicates Tor Browser connections have been closed.
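The triage described in the explanations of Question#1 and Question#5, as an added example that is not part of this guide: a small parser for `netstat -ano` output that picks out the tor listeners on 9150/9151, counts the states of the browser's loopback sockets to those ports, and reports whether the Tor Browser is live or has torn its connections down. The netstat lines, PIDs and addresses are constructed, not captured from a real host.

```python
import re
from collections import Counter

# Local ports the tor client exposes in default Tor Browser bundles (from the page):
# 9150 is the SOCKS proxy, 9151 the control port.
TOR_LOCAL_PORTS = {9150, 9151}
LOOPBACK = {"127.0.0.1", "[::1]"}

# Constructed sample of `netstat -ano` output; not captured from a real host.
# Windows shows PID 0 for TIME_WAIT sockets, since no process owns them anymore.
SAMPLE_NETSTAT = """
  Proto  Local Address          Foreign Address        State           PID
  TCP    127.0.0.1:9150         0.0.0.0:0              LISTENING       4120
  TCP    127.0.0.1:9151         0.0.0.0:0              LISTENING       4120
  TCP    127.0.0.1:49812        127.0.0.1:9150         TIME_WAIT       0
  TCP    127.0.0.1:49815        127.0.0.1:9151         TIME_WAIT       0
  TCP    192.168.1.20:49901     203.0.113.10:443       ESTABLISHED     1532
  UDP    0.0.0.0:5353           *:*                                    2210
"""

# One TCP row: local ip:port, foreign ip:port, state, PID (UDP rows carry no state).
TCP_ROW = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s+(\d+)\s*$")


def parse_netstat(text):
    """Return one dict per TCP row of netstat -ano output."""
    rows = []
    for line in text.splitlines():
        m = TCP_ROW.match(line)
        if m:
            lip, lport, rip, rport, state, pid = m.groups()
            rows.append({"local_ip": lip, "local_port": int(lport),
                         "remote_ip": rip, "remote_port": int(rport),
                         "state": state, "pid": int(pid)})
    return rows


def tor_listeners(rows):
    """Ports on which a local tor process is listening (SOCKS and control)."""
    return {r["local_port"] for r in rows
            if r["state"] == "LISTENING" and r["local_port"] in TOR_LOCAL_PORTS}


def tor_client_states(rows):
    """Count the states of browser-to-tor loopback sockets (remote port 9150/9151)."""
    return Counter(r["state"] for r in rows
                   if r["remote_ip"] in LOOPBACK and r["remote_port"] in TOR_LOCAL_PORTS)


def tor_browser_status(rows):
    """ESTABLISHED loopback sockets mean live use; only TIME_WAIT/CLOSE_WAIT left
    means the browser has torn its connections down."""
    states = tor_client_states(rows)
    if states["ESTABLISHED"]:
        return "active"
    if states["TIME_WAIT"] or states["CLOSE_WAIT"]:
        return "recently closed"
    return "no Tor Browser sockets"
```

On a real host, feed the saved `netstat -ano` text to `parse_netstat` and cross-check the LISTENING PID against the process list to confirm it is the tor client.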

Disclaimer

This page is for educational and exam preparation reference only. It is not affiliated with EC-Council, DFE, or the official exam provider. Candidates should refer to official documentation and training for authoritative information.

Exam Code: 112-57 | Q&A: 75 Q&As | Updated: 2026-03-13
