Unit 1 - Practice Quiz

INT250 50 Questions
0 Correct 0 Wrong 50 Left
0/50

1 What is the primary definition of computer forensics?

A. The repair of damaged computer hardware to recover lost data
B. The application of computer investigation and analysis techniques in the interest of determining potential legal evidence
C. The process of hacking into computer systems to test security
D. The monitoring of network traffic for marketing purposes

2 Which legal principle states that evidence must be gathered in a way that allows the court to verify its origin and integrity?

A. Double Jeopardy
B. Miranda Rights
C. Hearsay Rule
D. Chain of Custody

3 In the context of cybercrimes, what distinguishes a 'computer as a target' crime from a 'computer as a tool' crime?

A. Target crimes involve theft of hardware; tool crimes involve software piracy
B. Target crimes are civil; tool crimes are criminal
C. Target crimes attack the system's integrity (e.g., DDoS); tool crimes use the computer to commit other offenses (e.g., fraud)
D. There is no difference; they are legal synonyms

4 Which of the following best describes 'Forensic Readiness'?

A. The ability of an organization to maximize its potential to use digital evidence while minimizing the costs of an investigation
B. Keeping all servers offline to prevent attacks
C. The process of training all employees to be forensic investigators
D. Buying the most expensive forensic software available

5 What is the primary role of a Security Operations Center (SOC) in relation to computer forensics?

A. To write legislation regarding cybercrime
B. To monitor, detect, and respond to security incidents, often providing the initial data for forensic analysis
C. To conduct full legal prosecutions
D. To repair broken hardware in the office

6 According to the Order of Volatility, which data should be collected first?

A. Archival media (Backup tapes)
B. Hard disk drive data
C. CPU registers and cache
D. Temporary file systems

7 What is the primary purpose of a hardware Write Blocker?

A. To speed up the data transfer process
B. To compress the evidence files
C. To encrypt the data being copied
D. To prevent the forensic workstation from modifying data on the suspect drive

8 What does Locard's Exchange Principle state in the context of digital forensics?

A. All evidence must be printed on paper
B. Encryption is impossible to break without a key
C. Anyone entering a digital scene leaves a trace, and takes something with them
D. Data can never be fully deleted

9 Which phase of the investigation involves obtaining a search warrant?

A. Reporting Phase
B. Post-investigation Phase
C. Analysis Phase
D. Pre-investigation Phase

10 What is a 'Bit-stream image'?

A. A compressed zip folder of the My Documents folder
B. A copy of only the active files on a disk
C. A sector-by-sector copy of the hard drive, including hidden and deleted data
D. A screenshot of the desktop

11 Who is typically the 'First Responder' in a computer forensic scenario?

A. The lead judge on the case
B. The suspect
C. The CEO of the company
D. The first person to arrive at the crime scene and assess the situation

12 What is the cardinal rule of computer forensics regarding original evidence?

A. Modify the original evidence to fix security holes
B. Never work on the original evidence; always work on a forensic copy
C. Always work on the original evidence to save time
D. Send the original evidence to the suspect for verification

13 What is the function of a cryptographic hash (like MD5 or SHA-256) in forensics?

A. To organize files alphabetically
B. To act as a digital fingerprint to verify data integrity
C. To encrypt the drive so no one can read it
D. To formatting the drive for reuse

14 Which of the following is a characteristic of 'Civil' investigations compared to 'Criminal' ones?

A. They result in jail time for the offender
B. The standard of proof is 'Beyond a reasonable doubt'
C. They typically involve disputes between individuals or companies regarding contracts or intellectual property
D. They are always conducted by law enforcement

15 What is 'Slack Space'?

A. The space taken up by the operating system
B. The RAM memory used by the web browser
C. The space on a desk where the computer sits
D. The unused space in a disk cluster when a file does not fill the entire cluster

16 In the context of First Response, what should be done if a computer is found powered OFF?

A. Turn it on to see what is on the screen
B. Leave it off and secure it
C. Turn it on to install forensic software
D. Turn it on and immediately copy the My Documents folder

17 What is the primary responsibility of a Forensic Investigator regarding bias?

A. To remain objective and report facts regardless of whom they help or hurt
B. To support the client who is paying them
C. To prove the suspect is innocent
D. To prove the suspect is guilty at all costs

18 What defines 'Digital Evidence'?

A. Any printed document found near a computer
B. Information of probative value that is stored or transmitted in binary form
C. Verbal testimony given by a computer user
D. The physical hardware of a laptop only

19 Which of the following is considered 'Volatile Memory'?

A. Hard Disk Drive
B. USB Flash Drive
C. RAM (Random Access Memory)
D. CD-ROM

20 What is the purpose of 'Bag and Tag'?

A. To identifying, seizing, and securing evidence in appropriate containers to preserve integrity
B. To organize cables neatly
C. To sell the computer equipment
D. To throw away useless hardware

21 What is the difference between Incident Response (IR) and Computer Forensics?

A. IR is for hardware; Forensics is for software
B. There is no difference
C. IR focuses on containment and recovery; Forensics focuses on analysis and legal evidence
D. IR happens in court; Forensics happens in the lab

22 Which tool is used to block radio signals from reaching a mobile device after seizure?

A. Write Blocker
B. Hashing Algorithm
C. Faraday Bag
D. Anti-static wrist strap

23 What is 'Steganography'?

A. A type of computer virus
B. The practice of hiding data within other files (like images or audio)
C. The process of deleting files permanently
D. The study of dinosaur bones

24 During the Pre-investigation phase, what is the importance of risk assessment?

A. To guess who the suspect is
B. To determine how much to charge the client
C. To identify potential hazards (biological, electrical, chemical) at the crime scene
D. To check the weather forecast

25 What is 'Live Acquisition'?

A. Acquiring data from a dead drive
B. Acquiring data from a computer that is powered on and running
C. Interviewing a suspect live
D. Streaming the investigation on social media

26 Which file system artifact allows an investigator to see which programs were recently executed?

A. The Printer Spool
B. Prefetch Files
C. The Recycle Bin
D. The Hosts file

27 What is the 'Best Evidence Rule'?

A. Evidence found on a server is better than a laptop
B. Evidence found by the police is always best
C. Courts prefer the original evidence (or an accurate duplicate) rather than a copy or oral testimony
D. The most expensive evidence is the best

28 What is the final phase of the Computer Forensics Investigation Process?

A. Reporting
B. Analysis
C. Acquisition
D. Identification

29 Why is 'documentation' critical throughout the investigation process?

A. To increase the billable hours
B. To improve typing speed
C. To share with the press
D. To ensure the investigation can be repeated and validated by a third party

30 What does a SIEM (Security Information and Event Management) system do in a SOC?

A. It is used to physically lock doors
B. It aggregates and analyzes log data from various sources to detect security threats
C. It is an email client
D. It acts as a backup generator

31 Which of the following is an example of 'Metadata'?

A. The pixels in an image
B. The sound waves in an MP3
C. The text content of a Word document
D. The date created, date modified, and author of a file

32 When photographing a crime scene, what is the best practice?

A. Photograph the computer screen only
B. Take photos of the entire scene, including connections, cable positions, and serial numbers
C. Take one photo of the room and leave
D. Selfies with the evidence

33 What is 'Anti-forensics'?

A. Tools or techniques used to frustrate or prevent forensic analysis (e.g., data wiping, encryption)
B. Old school investigation methods
C. A group of people against technology
D. The study of law

34 In a criminal investigation, who carries the 'Burden of Proof'?

A. The Defense
B. The Jury
C. The Prosecution
D. The Suspect

35 What is the definition of 'Unallocated Space'?

A. Space on the hard drive that has never been used
B. Disk space that is currently not flagged as in use by the file system, but may contain deleted data
C. Broken sectors on a hard drive
D. The space occupied by the Operating System

36 Which organization typically creates the 'Search Warrant'?

A. The Internet Service Provider
B. Law Enforcement / The Court
C. The Forensic Investigator
D. The Victim

37 What is the primary risk of pulling the plug (abrupt shutdown) on a server?

A. It saves too much data
B. It alerts the hacker
C. It uses too much electricity
D. It might corrupt the file system and result in loss of volatile data (RAM)

38 What role does an 'Expert Witness' play in court?

A. They defend the accused
B. They decide the verdict
C. They prosecute the accused
D. They assist the judge/jury in understanding complex technical evidence through their specialized knowledge

39 Which of the following is a key component of a Forensic Report?

A. A list of the investigator's favorite software
B. Personal opinions about the suspect's character
C. Marketing material for the forensic firm
D. Executive Summary, Methodology, Findings, and Conclusion

40 What is 'Data Wiping'?

A. Cleaning the computer screen with a cloth
B. Overwriting data multiple times to make it unrecoverable
C. Formatting a disk
D. Deleting a file to the Recycle Bin

41 What is the role of the 'Evidence Custodian'?

A. To manage the secure storage and log the entry/exit of evidence in the storage facility
B. To repair the evidence
C. To analyze the evidence
D. To arrest the suspect

42 Why is 'Timeline Analysis' important?

A. It predicts future crimes
B. It reconstructs events in chronological order to understand the sequence of the attack
C. It tells the investigator when to take a lunch break
D. It sorts files by file size

43 What is the difference between 'Static' and 'Dynamic' analysis?

A. Static analyzes the system at rest (off); Dynamic analyzes the system while running (behavior)
B. Static is fast; Dynamic is slow
C. Static is for Windows; Dynamic is for Linux
D. Static uses electricity; Dynamic does not

44 Which of the following describes an 'Internal Threat'?

A. A disgruntled employee misusing their access privileges
B. A hacker from another country
C. A lightning strike
D. A virus from a website

45 What is 'Logical Acquisition'?

A. Extracting specific files and objects (like photos or chats) accessible by the file system
B. Copying the entire physical drive bit-by-bit
C. Guessing the password logically
D. Drawing a picture of the drive

46 In the context of SOC, what is 'Triage'?

A. Fixing the computer completely
B. Deleting all infected files immediately
C. The initial assessment to prioritize incidents based on severity and potential impact
D. Calling the police

47 What should an investigator do if they accidentally alter the evidence?

A. Quit the investigation
B. Document the alteration and explain how and why it happened
C. Hide the mistake
D. Blame the software

48 What does the term 'Admissibility' refer to?

A. Whether the evidence meets legal standards to be presented in court
B. The cost of the investigation
C. The speed of the computer
D. Whether the investigator is hired

49 Which is a common challenge in Cloud Forensics compared to traditional Computer Forensics?

A. There is no difference
B. Cloud computers are too slow
C. Cloud data is always unencrypted
D. Physical access to the storage hardware is often impossible or restricted

50 What is the purpose of 'Keyword Searching' in the Analysis phase?

A. To locate specific terms (e.g., names, credit card numbers) within the massive amount of data
B. To rename files
C. To unlock encrypted files
D. To find the investigator's keys