Unit 3 - Practice Quiz

INT250 50 Questions
0 Correct 0 Wrong 50 Left
0/50

1 Which of the following best describes a 'bit-stream' image in digital forensics?

A. A compressed folder of the user's documents
B. A file containing only the active files from a hard drive
C. A logical backup of the Windows Registry
D. A bit-by-bit copy of the source drive, including unallocated space and slack space

2 In the context of the Order of Volatility, which data should be collected first?

A. Temporary file systems
B. Disk data (Hard Drive)
C. Archival media (CDs/DVDs)
D. CPU cache, registers, and RAM

3 Which hardware device is essential during static data acquisition to prevent data alteration on the source drive?

A. Write Blocker
B. Network Tap
C. Packet Sniffer
D. Hex Editor

4 Which file format is considered a 'raw' forensic image format?

A. .E01
B. .vmdk
C. .ad1
D. .dd

5 What is the primary purpose of generating a hash value (MD5 or SHA) immediately after data acquisition?

A. To verify the integrity of the evidence
B. To compress the image size
C. To index the files for searching
D. To encrypt the image for security

6 Which acquisition method is necessary when a computer cannot be shut down due to encryption or critical service availability?

A. Sparse Acquisition
B. Live Acquisition
C. Static Acquisition
D. Dead Acquisition

7 Where is the 'SAM' (Security Account Manager) hive located in a Windows system?

A. C:\Windows\System32\config
B. C:\Program Files\Windows
C. C:\Windows\System
D. C:\Users\Default

8 Which Windows artifact is essentially a snapshot of the contents of RAM saved to the hard drive when a computer is put into hibernation?

A. config.sys
B. swapfile.sys
C. pagefile.sys
D. hiberfil.sys

9 Which Registry hive contains settings specific to the currently logged-in user?

A. HKEY_CLASSES_ROOT
B. HKEY_USERS
C. HKEY_LOCAL_MACHINE
D. HKEY_CURRENT_USER

10 Which Windows artifact allows an investigator to see which applications were recently executed and the frequency of execution?

A. Cookies
B. SAM hive
C. Hosts file
D. Prefetch files

11 In Windows 10/11, where are Windows Event Logs typically stored?

A. C:\Windows\Events
B. C:\Windows\Logs
C. C:\Windows\System32\winevt\Logs
D. C:\ProgramData\Logs

12 Which browser artifact stores a small piece of data sent from a website to remember stateful information (like login status)?

A. Bookmark
B. Cookie
C. History
D. Cache

13 What is the function of the Windows 'Pagefile.sys'?

A. It stores printer spooling data
B. It stores the boot configuration
C. It acts as virtual memory, extending physical RAM
D. It records all keystrokes

14 Which proprietary file format, developed by Guidance Software, is standard for forensic images and supports compression and encryption?

A. DD
B. AFF
C. ISO
D. E01

15 When analyzing the Recycle Bin on Windows 10, which file contains the original filename and deletion date?

A. INFO2
B. $I file
C. Desktop.ini
D. $R file

16 Which Windows Event Log ID is commonly associated with a successful user logon?

A. 1102
B. 4625
C. 6005
D. 4624

17 What is 'Slack Space'?

A. The space on a hard drive reserved for the OS
B. The unused space between the end of a file and the end of the cluster
C. The space used by the Recycle Bin
D. The RAM allocated to the GPU

18 Which registry key is typically analyzed to determine which USB devices have been connected to the system?

A. HKCU\Software\Microsoft\Internet Explorer
B. HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR
C. HKLM\SAM\Domains
D. HKLM\SOFTWARE\Microsoft\Windows\Run

19 What does the term 'Logical Acquisition' refer to?

A. Copying data via a logic analyzer
B. Copying only the RAM
C. Copying only the files and folders visible to the operating system
D. Copying the physical drive bit-by-bit

20 Which artifact typically stores the user's browsing history in Google Chrome?

A. places.sqlite
B. WebCache.dat
C. index.dat
D. History (SQLite database)

21 What is the purpose of 'Web Cache' or 'Temporary Internet Files'?

A. To speed up browsing by storing static web content like images locally
B. To block malicious pop-ups
C. To record a log of all visited websites
D. To store user passwords encrypted

22 Which Windows Registry key is known as a 'Run key' used for persistence (starting programs automatically)?

A. Software\Policies\Microsoft\Windows
B. System\CurrentControlSet\Control\Lsa
C. System\Setup\Status
D. Software\Microsoft\Windows\CurrentVersion\Run

23 What is the difference between 'Volatile' and 'Non-volatile' memory?

A. Volatile memory is slower
B. Volatile memory loses data when power is cut; Non-volatile retains it
C. Non-volatile memory cannot be imaged
D. Volatile memory is stored on the hard drive

24 Which file system artifact tracks the date and time a user last accessed a specific folder structure or window preference?

A. Shellbags
B. Thumbcache
C. Jump Lists
D. Amcache

25 What is an LNK file?

A. A log file for kernel errors
B. A Windows shortcut file that links to an application or file
C. A locked file in the registry
D. A system link file for network drivers

26 Which command line tool is built into Windows and can be used to query the registry?

A. grep
B. reg query
C. netstat
D. ipconfig

27 Which of the following is considered 'metadata' of a file?

A. The text inside a text file
B. The pixel data of an image
C. The creation, modification, and access timestamps
D. The actual content of a Word document

28 Why is 'Incognito' or 'Private' browsing mode a challenge for forensics?

A. It routes traffic through the Dark Web
B. It does not save history, cookies, or cache to the hard drive upon closing
C. It encrypts the internet connection
D. It prevents the ISP from seeing traffic

29 What is the 'Master File Table' (MFT)?

A. A partition table for the hard drive
B. A log of all master users
C. A backup of the BIOS
D. A database in NTFS that stores information about every file and directory

30 Which registry hive corresponds to the file 'NTUSER.DAT'?

A. HKEY_USERS
B. HKEY_CURRENT_USER
C. HKEY_LOCAL_MACHINE
D. HKEY_CURRENT_CONFIG

31 In a live acquisition, which tool is commonly used to capture RAM?

A. Wireshark
B. RegEdit
C. FTK Imager
D. Photoshop

32 What is a 'Sparse Copy'?

A. A copy of only the registry
B. A copy containing only allocated data and ignoring unallocated space
C. A copy made using a write blocker
D. A copy of data spread across multiple disks

33 Which text-based log file is generated by the IIS (Internet Information Services) web server?

A. W3C Extended Log
B. Event Viewer Log
C. Kernel Log
D. Syslog

34 The 'UserAssist' registry key provides information about:

A. Installed USB devices
B. GUI-based programs run by the user
C. User passwords
D. Network connections

35 What is 'Alternate Data Stream' (ADS) in Windows NTFS?

A. A method for streaming video
B. A corrupt file segment
C. A feature allowing data to be hidden behind a file without changing the file size
D. A backup stream for internet data

36 Which artifact lists files that were present on the system before a reboot or shutdown, often used to identify malware execution upon boot?

A. Jump Lists
B. Thumb.db
C. Recycle Bin
D. ShimCache (AppCompatCache)

37 What does Event ID 4625 represent in the Windows Security Log?

A. Successful Logon
B. An account failed to log on
C. An account was locked out
D. System shutdown

38 In the context of browser forensics, what is 'Form Data'?

A. The structure of the HTML page
B. Information entered by the user into web fields (names, addresses, search terms)
C. The encryption key for SSL
D. The digital signature of the browser

39 Which system file contains the mapping of IP addresses to hostnames, often modified by malware to redirect users?

A. services.exe
B. hosts
C. protocol
D. networks

40 What is the primary difference between Copy and Bit-stream Image?

A. Copy captures only active file content; Image captures the exact state of the drive
B. There is no difference
C. Copy is faster; Image is slower
D. Copy is compressed; Image is not

41 Which tool is commonly used to analyze Windows Registry hives?

A. Notepad
B. Registry Viewer
C. Paint
D. Wireshark

42 What is the function of the 'SYSTEM' hive?

A. Stores file extensions
B. Stores internet history
C. Stores user settings
D. Stores system configuration, driver settings, and hardware profiles

43 Which metadata standard is commonly found in image files (JPEG) containing camera model and GPS coordinates?

A. NTFS
B. ASCII
C. FAT
D. EXIF

44 When preparing a drive for an image, what should be done to the destination drive?

A. It should be smaller than the source drive
B. It should be defragmented
C. It should be forensically wiped (sterilized)
D. It should contain the operating system

45 What is 'Unallocated Space'?

A. Space used by hidden files
B. Space that is damaged
C. Space reserved for the system
D. Space on the drive not currently assigned to any active file by the file system

46 Which artifact is created when a user right-clicks the taskbar icon of an application to see recent files?

A. Prefetch
B. Logfile
C. Jumplist
D. Shortcut

47 In Windows Event Logs, what does the 'System' log record?

A. Events logged by applications
B. Security audits like logins
C. Internet history
D. Events logged by Windows system components (drivers, boot errors)

48 Why is 'Time Zone' information critical during analysis?

A. To calculate the internet speed
B. To convert UTC timestamps in artifacts to the local time of the suspect
C. To determine the language of the OS
D. To decrypt files

49 Which registry value controls the time zone information of the system?

A. HardwareProfiles
B. CurrentVersion
C. TimeZoneInformation
D. ControlSet

50 Which of the following describes a 'Static Acquisition'?

A. Acquisition performed while the user is typing
B. Acquisition via a network connection
C. Acquisition of RAM only
D. Acquisition performed on a system that is powered off