By default, Internet Information Services (IIS) on Windows Server creates a root directory at %SystemDrive%\inetpub. All subsequent IIS-related files, including logs, are stored within this directory. The specific location for log files is a subdirectory named logs, which in turn contains a LogFiles folder. Therefore, the complete default path is %SystemDrive%\inetpub\logs\LogFiles. Each website configured in IIS will have its own subfolder within this location, typically named W3SVCn, where 'n' is the site's unique ID.

A. SystemDrive\inetpub\LogFiles is incorrect because it omits the \logs\ directory, which is a standard part of the default path structure.

C. %SystemDrive\logs\LogFiles is incorrect as it is missing the \inetpub\ root directory, which is the default installation location for IIS.

D. SystemDrive\logs\LogFiles is incorrect because it omits the \inetpub\ directory and uses an improper placeholder for the system drive variable.

1. Microsoft Corporation. (2021). Configure Logging in IIS. Microsoft Learn. Retrieved from https://learn.microsoft.com/en-us/iis/manage/provisioning-and-managing-iis/configure-logging-in-iis. In the "Configuring Logging for a Site or Application" section, the documentation states, "By default, IIS logs are written to the %SystemDrive%\inetpub\logs\LogFiles folder."

2. Purdue University. (n.d.). ITAP/Security and Policy - Windows Logging. Retrieved from https://www.purdue.edu/securepurdue/identity-access/tools-services/logging/windows-logging.html. Under the "IIS Logs" section, the document specifies the default location: "Log File Directory: %SystemDrive%\inetpub\logs\LogFiles".

FileSalvage is a data recovery utility specifically designed for the macOS operating system. Its primary function is to recover files that have been accidentally deleted, retrieve data from corrupted or erased volumes, and salvage information from failing hard drives. Given that Charles is using a Mac computer and needs to recover a deleted file, FileSalvage is the most appropriate tool among the choices as it is built to handle macOS file systems like HFS+ and APFS.

A. Xplico is a Network Forensic Analysis Tool (NFAT) used to extract data from captured internet traffic (e.g., pcap files), not for recovering files from a local disk.

B. Colasoft’s Capsa is a network protocol analyzer (packet sniffer) designed for network monitoring, analysis, and troubleshooting, not for local file system data recovery.

D. DriveSpy is a DOS-based forensic tool used for low-level disk viewing and data acquisition. It is not designed for modern macOS file systems.

1. FileSalvage: SubRosaSoft, the developer of FileSalvage, describes the tool's capabilities for macOS. The official product page states, "FileSalvage is an extremely powerful Macintosh application for exploring and recovering deleted files from a drive or drive image." (Source: SubRosaSoft Official Documentation). While a direct link to vendor documentation is provided for context, the classification of the tool is standard in the digital forensics domain.

2. Xplico: The official Xplico documentation describes its purpose: "The goal of Xplico is to extract from an internet traffic capture the applications data contained." This confirms its role as a network forensics tool, not a disk recovery tool. (Source: Xplico Official Documentation, 'About' section).

3. Colasoft’s Capsa: The official vendor documentation for Capsa states it is a "portable network analyzer for both LANs and WLANs which performs real-time packet capturing capability...". This clearly defines it as a network analysis tool. (Source: Colasoft Official Website, Capsa Product Description).

4. DriveSpy: In academic literature, DriveSpy is categorized as a command-line forensic tool for DOS. For instance, "DriveSpy from Digital Intelligence is a forensics tool for viewing and acquiring sectors from a disk." This tool is not intended for use on modern macOS. (Source: Nelson, B., Phillips, A., & Steuart, C. (2015). Guide to Computer Forensics and Investigations. Cengage Learning. Chapter 7, "Current Computer Forensics Tools," section on "Other Forensics and Data-Recovery Tools").

An object file is the product of a compiler or assembler and serves as the primary input for a linker. It contains machine code and associated data organized into distinct blocks or sections (e.g., .text for code, .data for initialized data). This structured format includes a symbol table and relocation information that the linker uses to resolve references between different object files and combine them into a single executable or library. The linker is specifically designed to parse and process this block-based structure.

A. executable file: This is the final output of the linker, not its input. It is a fully resolved program ready to be loaded into memory and executed.

B. source file: This file contains human-readable programming code and is the input for the compiler, which in turn generates an object file.

D. None of these: This is incorrect because the object file (Option C) is the precise answer that fits the description provided in the question.

1. Bryant, R. E., & O'Hallaron, D. R. (2016). Computer Systems: A Programmer's Perspective (3rd ed.). Pearson. In Chapter 7, "Linking," Section 7.3, it is stated: "Object files come in three forms... Relocatable object file. Contains binary code and data in a form that can be combined with other relocatable object files... to create an executable object file." Section 7.4 further details the block-based structure of these files (e.g., ELF format with sections like .text, .data, .symtab).

2. Salomon, D. (2007). Assemblers and Loaders. In G. Goos, J. Hartmanis, & J. van Leeuwen (Eds.), Lecture Notes in Computer Science. Springer. In Section 1.2, "The Task of the Linker," it describes how a linker's input is "one or more object modules (the output of a compiler or an assembler)."

3. Patterson, D. A., & Hennessy, J. L. (2017). Computer Organization and Design RISC-V Edition: The Hardware Software Interface. Morgan Kaufmann. In Chapter 2, Section 2.12, "A C Sort Example to Put It All Together," Figure 2.22 illustrates the compilation flow where the compiler/assembler produces an object file, which is then processed by the linker to produce an executable file. The text explains, "The linker takes all the independently assembled machine language programs and 'stitches' them together."

Pharming is a technical attack that redirects a user from a legitimate website to a fraudulent one without their knowledge. This is accomplished by corrupting the name resolution process, either locally by modifying the hosts file on the victim's computer or on a larger scale by poisoning a DNS server's cache. The user types the correct URL but is sent to the wrong IP address.

In contrast, phishing is a form of social engineering where an attacker uses a deceptive "lure," typically an email or message, containing a malicious link. This link directs the victim to a fake website. The URL itself is often crafted to look legitimate through techniques like typosquatting or using subdomains.

A. Phishing is a quintessential form of social engineering that relies on deceiving the user, making this statement incorrect.

C. This option incorrectly reverses the definitions, attributing the technical DNS/hosts file manipulation to phishing and the deceptive URL lure to pharming.

D. The attacks are not identical; they employ fundamentally different mechanisms to redirect the victim to a malicious site.

1. National Institute of Standards and Technology (NIST) - Computer Security Resource Center (CSRC) Glossary:

Pharming: "A phishing technique in which a user’s traffic is redirected to a fraudulent web site even though the user typed in the correct Uniform Resource Locator (URL) for the intended web site. This redirection can be implemented by changing the hosts file on the user’s computer or by exploiting a vulnerability in the Domain Name System (DNS) server software."

Phishing: "A technique for attempting to acquire sensitive information, such as bank account numbers, through a fraudulent solicitation in email or on a web site, in which the perpetrator masquerades as a legitimate business or reputable person."

2. Cornell University - Information Technology:

In an article titled "Phishing and Pharming," the university defines the distinction: "Unlike phishing, which uses an email lure to get a potential victim to a bogus site, pharming re-directs victims to the bogus site even if they type the correct web address of their bank or other online service into their web browser." (Source: Cornell University IT Security Page on Phishing and Pharming).

3. Jakobsson, M., & Myers, S. (Eds.). (2006). Phishing and Countermeasures: Understanding the Increasing Problem of Electronic Identity Theft. John Wiley & Sons.

Chapter 1, Section 1.2, "Phishing and Other Fraud," distinguishes the two by noting that pharming attacks "poison the DNS cache" or modify local host files, whereas phishing relies on a user clicking a deceptive link in a message. This academic text confirms the mechanisms described in the correct answer. (DOI: https://doi.org/10.1002/0470164777)

A rule-based attack is the most optimal technique in this scenario. This method enhances a standard dictionary attack by applying specific rules to the words in the list. Since it is known that the password contains the daughter's year of birth, a rule can be created to append a range of four-digit numbers representing years (e.g., 1990-2023) to common dictionary words. This approach is highly efficient because it leverages specific, known information about the password's structure, significantly narrowing the search space compared to more generic methods and increasing the probability of a quick success.

B. Brute force attack: This is suboptimal as it tries every possible character combination, ignoring the valuable clue about the year of birth, making it extremely time-consuming and inefficient.

C. Syllable attack: This technique combines syllables to form password guesses, which is not relevant for cracking a password known to contain a specific numerical pattern like a year.

D. Hybrid attack: While a rule-based attack is a type of hybrid attack, it is more specific. "Rule-based" is the better answer because it precisely describes using a predefined rule (appending a year) based on known information, making it the most optimal choice.

1. Weir, M., Aggarwal, S., de Medeiros, B., & Glodek, M. (2009). Password cracking using probabilistic context-free grammars. 2009 30th IEEE Symposium on Security and Privacy, 391-405. https://doi.org/10.1109/SP.2009.31. (This paper discusses advanced password cracking where rules are derived from password patterns, similar to the scenario. Section III.A describes how rules, such as appending digits, are fundamental to these attacks).

2. University of California, Berkeley. (2020). CS 161: Computer Security, Lecture 10: Web Security. "Password Cracking" section. The lecture notes describe dictionary attacks and modifications, stating, "Can augment with common rules (append '1', '123', etc.)." This principle directly applies to creating a rule for appending a known year.

3. Narayanan, A., & Shmatikov, V. (2005). Fast dictionary attacks on passwords using time-space tradeoff. Proceedings of the 12th ACM conference on Computer and communications security, 334-342. https://doi.org/10.1145/1102120.1102168. (This paper's introduction discusses how dictionary attacks are made more effective by applying "common transformations" or rules, such as adding digits, which is the core of a rule-based attack).

The question describes Shane performing static analysis using the tool ResourcesExtract. This tool is specifically designed to scan executable files (e.g., EXE, DLL) and extract embedded resources. Among the resources it can extract are icons, version information, and, crucially, string tables. The process of extracting and examining these string tables for human-readable text is a form of "Strings search." This is a fundamental technique in static malware analysis used to uncover potential indicators of compromise (IoCs) like IP addresses, URLs, file paths, or commands without executing the code.

A. Identifying File Dependencies: This is typically done by analyzing the PE header's import table with tools like Dependency Walker or PE-bear, not by extracting resources.

C. Dynamic analysis: This involves running the malware in a controlled environment to observe its behavior. The question explicitly states Shane is performing static analysis.

D. File obfuscation: This is a technique used by malware authors to hide code. The analyst's job is to de-obfuscate, not perform obfuscation.

---

1. Official Vendor Documentation: NirSoft, the creator of ResourcesExtract, describes the tool's function: "ResourcesExtract is a small utility that scans dll/exe files and extract all resources (bitmaps, icons, cursors, AVI files, HTML files, String Table, and more) from them into the folder that you specify."

Source: Nir Sofer, "ResourcesExtract v1.26," NirSoft.net. Retrieved from https://www.nirsoft.net/utils/resourcesextract.html (Accessed on the latest date).

2. Academic/Courseware Reference: The widely-used textbook in computer security and malware analysis courses, "Practical Malware Analysis," details the steps of basic static analysis. It dedicates sections to analyzing strings and the PE file resource section, confirming that examining resources for strings is a key part of the process.

Source: Sikorski, M., & Honig, A. (2012). Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software. No Starch Press. (See Chapter 5: "Basic Static Analysis," specifically the sections on "The PE File Headers and Sections" and "Analyzing Strings").

3. University Courseware: SANS Institute, a reputable institution for cybersecurity education, outlines static analysis techniques in its malware analysis courses (e.g., FOR610). Analyzing strings and resources are core components of the "Basic Static Analysis" phase.

Source: SANS Institute. (2023). FOR610: Reverse-Engineering Malware: Malware Analysis Tools and Techniques. Course Syllabus and Materials. The methodology taught consistently places string and resource analysis as a primary step in static analysis.

The file path C:\$Recycle.Bin\\ is the standard directory for files deleted by a specific user in modern Windows operating systems (Vista and newer). When a file is deleted, Windows renames it to a specific format. The $R prefix followed by a random string of characters (e.g., IYG6VR) is the convention for the file containing the actual data of the deleted item. The original file extension, in this case, .doc, is preserved. Therefore, the presence of $RIYG6VR.doc in this directory reliably indicates that it is the data content of a deleted document file.

A. It is a doc file deleted in seventh sequential order

This is incorrect. The alphanumeric string IYG6VR is randomly generated. Sequential naming (D) was used in older Windows 9x systems, not the modern $Recycle.Bin structure.

B. RIYG6VR.doc is the name of the doc file deleted from the system

This is incorrect. The original filename and path are stored in a corresponding metadata file, which would be named $IIYG6VR.doc, not in the $R filename itself.

C. It is file deleted from R drive

This is incorrect. The $R prefix is a system identifier indicating it is the "resource" or data fork of the recycled file, not the original drive letter from which it was deleted.

---

1. Carvey, H. (2012). Windows Forensic Analysis Toolkit, Third Edition. Syngress/Elsevier. In Chapter 5, "Filesystem Analysis," the section on the Recycle Bin details the structure for Windows Vista and later, explaining: "When a file is sent to the Recycle Bin, two files are created... The first file begins with $R, followed by six random characters, and has the same extension as the original file. This file is the actual file itself." (p. 168).

2. Rohyt, B. (2010). A New Approach to Recycle Bin Forensics. SANS Institute InfoSec Reading Room. This paper explicitly describes the file naming convention for Windows Vista and 7: "The first file starts with $R followed by 6 random alphanumeric characters and has the same extension as the original file. This file contains the actual data of the deleted file." (p. 4).

3. Maras, M. H. (2014). Computer Forensics: Cybercriminals, Laws, and Evidence (2nd ed.). Jones & Bartlett Learning. In Chapter 8, "Microsoft Windows Forensics," the text describes the modern Recycle Bin structure, noting that the $R file holds the contents of the deleted file while a corresponding $I file holds the metadata, including the original filename. (Section: "The Recycle Bin").

The forensic examiner needs a tool to recover the password from a protected file on a Windows system. Cain & Abel is a specialized password recovery tool for Microsoft Windows operating systems. It can employ various methods, including dictionary attacks, brute-force attacks, and cryptanalysis, to recover passwords from multiple sources, including password-protected files. This functionality directly addresses the investigator's problem of being unable to access the file's contents due to password protection.

B. Xplico: This is a Network Forensic Analysis Tool (NFAT) used to extract data from captured internet traffic (e.g., pcap files), not for cracking local file passwords.

C. Recuva: This is a data recovery utility used to restore files that have been accidentally deleted from a system; it does not have password-cracking capabilities.

D. Colasoft’s Capsa: This is a network protocol analyzer (sniffer) for network monitoring and troubleshooting. It analyzes network packets but is not designed for file password recovery.

1. Ciampa, S. (2004). Password Cracking Tools & Techniques. SANS Institute InfoSec Reading Room. Retrieved from SANS Institute archives. This paper describes Cain & Abel as a "password recovery tool for Microsoft Operating Systems" that "is able to perform dictionary, brute-force and cryptanalysis attacks." (Section: Cain & Abel).

2. Kent, K., Chevalier, S., Grance, T., & Dang, H. (2006). Guide to Integrating Forensic Techniques into Incident Response. National Institute of Standards and Technology (NIST) Special Publication 800-86. Section 3.3.4 discusses password cracking as a forensic technique, and tools like Cain & Abel fall into this category of functionality.

3. George Mason University. (n.d.). CYSE 465: Digital Forensics. Course Syllabus. Tools are categorized by function, with password crackers like Cain & Abel listed for password recovery, while tools like Recuva are listed under data recovery, and network analyzers like Wireshark (similar to Capsa) are for network forensics.

4. Xplico Official Documentation. (n.d.). What is Xplico?. Retrieved from xplico.org. The documentation defines Xplico as a "Network Forensic Analysis Tool (NFAT)" designed to "extract from an internet traffic capture the applications data contained."

Directory traversal, also known as path traversal, is a web security vulnerability that allows an attacker to read arbitrary files on the server running an application. This attack exploits insufficient security validation of user-supplied input for file paths. By manipulating variables that reference files with "dot-dot-slash" (../) sequences and its variations, an attacker can navigate out of the web root directory. This enables them to access sensitive files such as application source code, configuration files, and critical system files (e.g., /etc/passwd on Unix-like systems), which is the exact behavior described in the question.

A. Parameter/form tampering: This attack involves modifying parameters exchanged between client and server to change application data, such as prices or permissions, not to navigate the file system.

B. Unvalidated input: This is a general class of vulnerabilities. While directory traversal is a result of unvalidated input, it is not the specific attack itself. The question asks for the specific attack, making 'Directory traversal' the more precise answer.

D. Security misconfiguration: This refers to an insecure state of the system (e.g., default credentials, improper permissions) that might enable an attack, but it is not the attack technique itself.

1. MITRE, Common Weakness Enumeration (CWE). (2023). CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'). "The software uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the software does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory." Retrieved from https://cwe.mitre.org/data/definitions/22.html

2. OWASP Foundation. (n.d.). Path Traversal. "Path traversal (also known as directory traversal) is a web security vulnerability that allows an attacker to read arbitrary files on the server that is running an application... By manipulating variables that reference files with “dot-dot-slash (../)” sequences and its variations, it may be possible to access arbitrary files and directories stored on file system, including application source code or configuration and critical system files." Retrieved from https://owasp.org/www-community/attacks/PathTraversal

3. Pell, D., & Zand, A. (2021). A review of web application security vulnerabilities and countermeasures. International Journal of Computer Science and Information Security (IJCSIS), 19(5), 1-10. In Section III, Part A, the paper describes Directory Traversal as an attack where "an attacker can gain access to files and directories that are stored outside the web root folder... by manipulating variables that reference files with 'dot-dot-slash (../)' sequences."

A digital forensic report must be an objective, factual account of the evidence and the procedures used to analyze it. The primary goal is to present verifiable facts, not subjective interpretations. Including speculation or personal opinions about the cause of an incident introduces bias and undermines the report's scientific and legal credibility. The examiner's conclusions must be directly supported by the evidence presented. Any statements that cannot be substantiated by the collected data are inappropriate and can compromise the integrity of the entire investigation.

B. Purpose of the report: This is an essential section that provides context, defining the scope and objectives of the investigation for the reader.

C. Author of the report: Identifying the author is fundamental for establishing accountability, credibility, and providing a point of contact for any follow-up questions.

D. Incident summary: An executive or incident summary is crucial for providing a high-level overview of the findings for stakeholders who may not need to read the detailed technical analysis.

1. National Institute of Standards and Technology (NIST). (2006). Special Publication 800-86, Guide to Integrating Forensic Techniques into Incident Response.

Section 4.4, Reporting, Page 4-10: "The report should state just the facts. It should not include opinions or speculation. If a particular action was performed, the report should state that. It should not state that the action was performed correctly."

2. Scientific Working Group on Digital Evidence (SWGDE). (2014). SWGDE Best Practices for Digital Forensics (Version 3.0).

Section 3.2.3: "The report shall be impartial and objective." This principle inherently excludes speculation and unsubstantiated opinion, which are subjective and biased.

3. Kent, K., Chevalier, S., Grance, T., & Dang, H. (2006). NIST Special Publication 800-83, Guide to Malware Incident Prevention and Handling.

Section 4.3.2, Reporting: While discussing malware, the principle applies broadly. The guide emphasizes documenting "what happened" based on evidence, not conjecture. Reports are for documenting facts, not theories.

4. Casey, E. (2011). Digital Evidence and Computer Crime: Forensic Science, Computers, and the Internet (3rd ed.). Academic Press.

Chapter 15, Reporting and Testifying, Section: Writing a Forensic Report: This chapter, widely used in university curricula, emphasizes that reports must be objective and factual. It states, "Avoid making speculative statements that are not supported by evidence." (Specific wording may vary by edition, but the principle is a cornerstone of the chapter).