1. Which of the following best describes a 'bit-stream' image in digital forensics?
A. A bit-by-bit copy of the source drive, including unallocated space and slack space
B. A file containing only the active files from a hard drive
C. A compressed folder of the user's documents
D. A logical backup of the Windows Registry
Correct Answer: A bit-by-bit copy of the source drive, including unallocated space and slack space
Explanation:
A bit-stream image (or physical image) captures every bit on the source media, ensuring deleted data in unallocated space is preserved.
2. In the context of the Order of Volatility, which data should be collected first?
A. Archival media (CDs/DVDs)
B. CPU cache, registers, and RAM
C. Disk data (Hard Drive)
D. Temporary file systems
Correct Answer: CPU cache, registers, and RAM
Explanation:
According to RFC 3227, the order of volatility dictates collecting the most fleeting data first, which is the CPU cache, registers, and system RAM.
3. Which hardware device is essential during static data acquisition to prevent data alteration on the source drive?
A. Write Blocker
B. Network Tap
C. Hex Editor
D. Packet Sniffer
Correct Answer: Write Blocker
Explanation:
A Write Blocker ensures that read commands are allowed but write commands are blocked, preventing the forensic tool from altering the evidence.
4. Which file format is considered a 'raw' forensic image format?
A. .E01
B. .ad1
C. .vmdk
D. .dd
Correct Answer: .dd
Explanation:
The .dd format is a raw, bit-for-bit copy of the data without added metadata or compression headers, unlike .E01 which is proprietary.
5. What is the primary purpose of generating a hash value (MD5 or SHA) immediately after data acquisition?
A. To verify the integrity of the evidence
B. To encrypt the image for security
C. To index the files for searching
D. To compress the image size
Correct Answer: To verify the integrity of the evidence
Explanation:
Hashing creates a unique digital fingerprint. If the hash of the image matches the hash of the source, it proves the data was not altered during acquisition.
6. Which acquisition method is necessary when a computer cannot be shut down due to encryption or critical service availability?
A. Dead Acquisition
B. Static Acquisition
C. Live Acquisition
D. Sparse Acquisition
Correct Answer: Live Acquisition
Explanation:
Live acquisition is performed on a running system to capture volatile data (RAM) and encrypted volumes that would lock if the system were powered down.
7. Where is the 'SAM' (Security Account Manager) hive located in a Windows system?
A. C:\Users\Default
B. C:\Program Files\Windows
C. C:\Windows\System
D. C:\Windows\System32\config
Correct Answer: C:\Windows\System32\config
Explanation:
The SAM hive, which stores user passwords and account information, is located in the System32\config directory.
8. Which Windows artifact is essentially a snapshot of the contents of RAM saved to the hard drive when a computer is put into hibernation?
A. config.sys
B. hiberfil.sys
C. swapfile.sys
D. pagefile.sys
Correct Answer: hiberfil.sys
Explanation:
hiberfil.sys is created when Windows hibernates, storing the full contents of RAM, making it a critical source for memory analysis.
9. Which Registry hive contains settings specific to the currently logged-in user?
A. HKEY_CLASSES_ROOT
B. HKEY_LOCAL_MACHINE
C. HKEY_USERS
D. HKEY_CURRENT_USER
Correct Answer: HKEY_CURRENT_USER
Explanation:
HKEY_CURRENT_USER (HKCU) contains configuration data for the user currently logged on. It is mapped from the user's NTUSER.DAT file.
10. Which Windows artifact allows an investigator to see which applications were recently executed and the frequency of execution?
A. Prefetch files
B. Hosts file
C. SAM hive
D. Cookies
Correct Answer: Prefetch files
Explanation:
Prefetch files (.pf) are designed to speed up application startup, but forensically they show run count, last run time, and file path of executed programs.
11. In Windows 10/11, where are Windows Event Logs typically stored?
A. C:\ProgramData\Logs
B. C:\Windows\Events
C. C:\Windows\System32\winevt\Logs
D. C:\Windows\Logs
Correct Answer: C:\Windows\System32\winevt\Logs
Explanation:
Modern Windows systems store event logs in the .evtx format located in C:\Windows\System32\winevt\Logs.
12. Which browser artifact stores a small piece of data sent from a website to remember stateful information (like login status)?
A. History
B. Cookie
C. Bookmark
D. Cache
Correct Answer: Cookie
Explanation:
Cookies are text files used to store user-specific data, such as session IDs, preferences, and authentication tokens.
13. What is the function of the Windows 'Pagefile.sys'?
A. It stores the boot configuration
B. It records all keystrokes
C. It stores printer spooling data
D. It acts as virtual memory, extending physical RAM
Correct Answer: It acts as virtual memory, extending physical RAM
Explanation:
Pagefile.sys is used as an extension of RAM (Virtual Memory). It contains data moved out of RAM when physical memory is full, often holding evidence.
14. Which proprietary file format, developed by Guidance Software, is standard for forensic images and supports compression and encryption?
A. ISO
B. AFF
C. E01
D. DD
Correct Answer: E01
Explanation:
The EnCase Evidence File format (.E01) is a widely used industry standard that wraps the bit-stream data with metadata, checksums, and optional compression.
15. When analyzing the Recycle Bin on Windows 10, which file contains the original filename and deletion date?
A. $R file
B. Desktop.ini
C. $I file
D. INFO2
Correct Answer: $I file
Explanation:
When a file is deleted, two files are created: $R (the file's original contents) and $I (index info). The $I file contains metadata like the original path and deletion timestamp.
16. Which Windows Event Log ID is commonly associated with a successful user logon?
A. 6005
B. 1102
C. 4624
D. 4625
Correct Answer: 4624
Explanation:
Event ID 4624 in the Security Log indicates that an account was successfully logged on.
17. What is 'Slack Space'?
A. The space on a hard drive reserved for the OS
B. The unused space between the end of a file and the end of the cluster
C. The space used by the Recycle Bin
D. The RAM allocated to the GPU
Correct Answer: The unused space between the end of a file and the end of the cluster
Explanation:
File systems allocate data in fixed clusters. If a file doesn't fill the last cluster, the remaining space (slack) may contain data from previously deleted files.
18. Which registry key is typically analyzed to determine which USB devices have been connected to the system?
Explanation:
The USBSTOR key contains subkeys for every USB storage device that has been connected to the computer, including vendor, product, and serial number.
19. What does the term 'Logical Acquisition' refer to?
A. Copying only the files and folders visible to the operating system
B. Copying data via a logic analyzer
C. Copying the physical drive bit-by-bit
D. Copying only the RAM
Correct Answer: Copying only the files and folders visible to the operating system
Explanation:
Logical acquisition captures files as seen by the OS. It is faster but misses unallocated space and deleted files that are not in the file system table.
20. Which artifact typically stores the user's browsing history in Google Chrome?
A. index.dat
B. History (SQLite database)
C. places.sqlite
D. WebCache.dat
Correct Answer: History (SQLite database)
Explanation:
Chrome stores history, downloads, and search terms in an SQLite database file simply named 'History' within the user's profile.
21. What is the purpose of 'Web Cache' or 'Temporary Internet Files'?
A. To block malicious pop-ups
B. To store user passwords encrypted
C. To record a log of all visited websites
D. To speed up browsing by storing static web content like images locally
Correct Answer: To speed up browsing by storing static web content like images locally
Explanation:
Browsers cache images, scripts, and HTML to load pages faster on subsequent visits. Investigators analyze this to see what content a user viewed.
22. Which Windows Registry key is known as a 'Run key' used for persistence (starting programs automatically)?
Explanation:
The 'Run' and 'RunOnce' keys are standard locations where malware or legitimate software add entries to start automatically when Windows boots or a user logs in.
23. What is the difference between 'Volatile' and 'Non-volatile' memory?
A. Volatile memory loses data when power is cut; Non-volatile retains it
B. Volatile memory is slower
C. Non-volatile memory cannot be imaged
D. Volatile memory is stored on the hard drive
Correct Answer: Volatile memory loses data when power is cut; Non-volatile retains it
Explanation:
Volatile memory (RAM) requires power to maintain data. Non-volatile memory (HDD, SSD, USB) retains data even when powered off.
24. Which file system artifact tracks the date and time a user last accessed a specific folder structure or window preference?
A. Jump Lists
B. Thumbcache
C. Shellbags
D. Amcache
Correct Answer: Shellbags
Explanation:
Shellbags store preferences for folder display (size, position, view mode) in the Registry. They persist even after the folder is deleted, proving the folder existed.
25. What is an LNK file?
A. A locked file in the registry
B. A system link file for network drivers
C. A log file for kernel errors
D. A Windows shortcut file that links to an application or file
Correct Answer: A Windows shortcut file that links to an application or file
Explanation:
LNK files are shortcuts. Forensically, they provide metadata about the target file (path, timestamps, volume serial) even if the target is on a removed external drive.
26. Which command line tool is built into Windows and can be used to query the registry?
A. ipconfig
B. grep
C. netstat
D. reg query
Correct Answer: reg query
Explanation:
The 'reg' command allows users to add, delete, and query keys and values in the Windows Registry.
27. Which of the following is considered 'metadata' of a file?
A. The pixel data of an image
B. The actual content of a Word document
C. The text inside a text file
D. The creation, modification, and access timestamps
Correct Answer: The creation, modification, and access timestamps
Explanation:
Metadata is 'data about data.' Timestamps, file owner, permissions, and file size are metadata, distinct from the file's actual content.
28. Why is 'Incognito' or 'Private' browsing mode a challenge for forensics?
A. It routes traffic through the Dark Web
B. It does not save history, cookies, or cache to the hard drive upon closing
C. It prevents the ISP from seeing traffic
D. It encrypts the internet connection
Correct Answer: It does not save history, cookies, or cache to the hard drive upon closing
Explanation:
Private modes prevent the browser from storing permanent artifacts on the local disk, meaning evidence is usually only available in RAM during the active session.
29. What is the 'Master File Table' (MFT)?
A. A partition table for the hard drive
B. A log of all master users
C. A backup of the BIOS
D. A database in NTFS that stores information about every file and directory
Correct Answer: A database in NTFS that stores information about every file and directory
Explanation:
In NTFS, the MFT contains a record for every file, including the file's attributes, location, and metadata. It is the core structure of the file system.
30. Which registry hive corresponds to the file 'NTUSER.DAT'?
A. HKEY_USERS
B. HKEY_LOCAL_MACHINE
C. HKEY_CURRENT_USER
D. HKEY_CURRENT_CONFIG
Correct Answer: HKEY_CURRENT_USER
Explanation:
When a user logs in, their profile's NTUSER.DAT file is loaded into the registry as HKEY_CURRENT_USER.
31. In a live acquisition, which tool is commonly used to capture RAM?
A. RegEdit
B. FTK Imager
C. Wireshark
D. Photoshop
Correct Answer: FTK Imager
Explanation:
FTK Imager is a widely used free tool that can capture the contents of physical memory (RAM) to a file on a running system.
32. What is a 'Sparse Copy'?
A. A copy of only the registry
B. A copy containing only allocated data and ignoring unallocated space
C. A copy made using a write blocker
D. A copy of data spread across multiple disks
Correct Answer: A copy containing only allocated data and ignoring unallocated space
Explanation:
A sparse acquisition copies allocated blocks but skips unallocated blocks (empty space), making the image smaller but potentially missing deleted data.
33. Which text-based log file is generated by the IIS (Internet Information Services) web server?
A. Event Viewer Log
B. Kernel Log
C. W3C Extended Log
D. Syslog
Correct Answer: W3C Extended Log
Explanation:
IIS typically uses the W3C Extended Log File Format (text-based) to record details about web requests, such as IP address, URI, and status codes.
34. The 'UserAssist' registry key provides information about:
A. Installed USB devices
B. GUI-based programs run by the user
C. User passwords
D. Network connections
Correct Answer: GUI-based programs run by the user
Explanation:
UserAssist keys (in NTUSER.DAT) track the execution of GUI programs, including run count and last execution time, often used to profile user activity.
35. What is 'Alternate Data Stream' (ADS) in Windows NTFS?
A. A method for streaming video
B. A backup stream for internet data
C. A corrupt file segment
D. A feature allowing data to be hidden behind a file without changing the file size
Correct Answer: A feature allowing data to be hidden behind a file without changing the file size
Explanation:
ADS is an NTFS feature allowing more than one data stream to be associated with a filename. Malware often uses ADS to hide code.
36. Which artifact lists files that were present on the system before a reboot or shutdown, often used to identify malware execution upon boot?
A. Thumb.db
B. Recycle Bin
C. ShimCache (AppCompatCache)
D. Jump Lists
Correct Answer: ShimCache (AppCompatCache)
Explanation:
ShimCache tracks executable file compatibility. It stores file paths, modification times, and execution flags, valuable for proving a file existed even if deleted.
37. What does Event ID 4625 represent in the Windows Security Log?
A. An account was locked out
B. Successful Logon
C. An account failed to log on
D. System shutdown
Correct Answer: An account failed to log on
Explanation:
Event ID 4625 records failed login attempts, which is critical for investigating brute-force attacks or unauthorized access attempts.
38. In the context of browser forensics, what is 'Form Data'?
A. The structure of the HTML page
B. The encryption key for SSL
C. The digital signature of the browser
D. Information entered by the user into web fields (names, addresses, search terms)
Correct Answer: Information entered by the user into web fields (names, addresses, search terms)
Explanation:
Form data allows browsers to autocomplete fields. Forensically, it can reveal personal info, search queries, or shipping addresses entered by the user.
39. Which system file contains the mapping of IP addresses to hostnames, often modified by malware to redirect users?
A. protocol
B. services.exe
C. hosts
D. networks
Correct Answer: hosts
Explanation:
The 'hosts' file (C:\Windows\System32\drivers\etc\hosts) is a text file used for local DNS overrides. Malware modifies it to block security sites or redirect to phishing sites.
40. What is the primary difference between Copy and Bit-stream Image?
A. Copy captures only active file content; Image captures the exact state of the drive
B. Copy is compressed; Image is not
C. Copy is faster; Image is slower
D. There is no difference
Correct Answer: Copy captures only active file content; Image captures the exact state of the drive
Explanation:
A standard copy (logical) transfers files. A bit-stream image (physical) transfers the entire structure of the disk, including empty and deleted space.
41. Which tool is commonly used to analyze Windows Registry hives?
A. Paint
B. Notepad
C. Registry Viewer
D. Wireshark
Correct Answer: Registry Viewer
Explanation:
Registry Viewer (like AccessData Registry Viewer or similar forensic tools) allows investigators to decode and view hive files that are otherwise unreadable binaries.
42. What is the function of the 'SYSTEM' hive?
A. Stores user settings
B. Stores internet history
C. Stores file extensions
D. Stores system configuration, driver settings, and hardware profiles
Correct Answer: Stores system configuration, driver settings, and hardware profiles
Explanation:
The SYSTEM hive contains critical configuration data for the OS start-up, drivers, and services.
43. Which metadata standard is commonly found in image files (JPEG) containing camera model and GPS coordinates?
A. ASCII
B. EXIF
C. FAT
D. NTFS
Correct Answer: EXIF
Explanation:
Exchangeable Image File Format (EXIF) stores metadata within image files, such as timestamp, camera settings, and sometimes GPS location.
44. When preparing a drive for an image, what should be done to the destination drive?
A. It should contain the operating system
B. It should be defragmented
C. It should be forensically wiped (sterilized)
D. It should be smaller than the source drive
Correct Answer: It should be forensically wiped (sterilized)
Explanation:
The destination drive should be wiped (all zeros) before use to ensure no residual data from previous use contaminates the new forensic image.
45. What is 'Unallocated Space'?
A. Space that is damaged
B. Space reserved for the system
C. Space on the drive not currently assigned to any active file by the file system
D. Space used by hidden files
Correct Answer: Space on the drive not currently assigned to any active file by the file system
Explanation:
Unallocated space is available for the OS to write new data. It often contains deleted files that have not yet been overwritten.
46. Which artifact is created when a user right-clicks the taskbar icon of an application to see recent files?
A. Jumplist
B. Logfile
C. Prefetch
D. Shortcut
Correct Answer: Jumplist
Explanation:
Jumplists (Automatic and CustomDestinations) show recently or frequently accessed files for specific applications, providing insight into user activity.
47. In Windows Event Logs, what does the 'System' log record?
A. Events logged by Windows system components (drivers, boot errors)
B. Security audits like logins
C. Events logged by applications
D. Internet history
Correct Answer: Events logged by Windows system components (drivers, boot errors)
Explanation:
The System log contains messages generated by the Windows operating system itself, such as driver failures, service starts/stops, and hardware issues.
48. Why is 'Time Zone' information critical during analysis?
A. To decrypt files
B. To convert UTC timestamps in artifacts to the local time of the suspect
C. To determine the language of the OS
D. To calculate the internet speed
Correct Answer: To convert UTC timestamps in artifacts to the local time of the suspect
Explanation:
Computers store times in UTC or local time depending on the artifact. Correctly interpreting the sequence of events requires accurate timezone conversion.
49. Which registry value controls the time zone information of the system?
A. ControlSet
B. TimeZoneInformation
C. HardwareProfiles
D. CurrentVersion
Correct Answer: TimeZoneInformation
Explanation:
Located in HKLM\SYSTEM\CurrentControlSet\Control\TimeZoneInformation, this key defines the system's offset from UTC.
50. Which of the following describes a 'Static Acquisition'?
A. Acquisition of RAM only
B. Acquisition performed on a system that is powered off
C. Acquisition performed while the user is typing
D. Acquisition via a network connection
Correct Answer: Acquisition performed on a system that is powered off
Explanation:
Static acquisition involves connecting the suspect drive to a forensic workstation (via write blocker) while the suspect system is off.