1Which of the following best describes a 'bit-stream' image in digital forensics?
A.A bit-by-bit copy of the source drive, including unallocated space and slack space
B.A compressed folder of the user's documents
C.A file containing only the active files from a hard drive
D.A logical backup of the Windows Registry
Correct Answer: A bit-by-bit copy of the source drive, including unallocated space and slack space
Explanation:
A bit-stream image (or physical image) captures every bit on the source media, ensuring deleted data in unallocated space is preserved.
Incorrect! Try again.
2In the context of the Order of Volatility, which data should be collected first?
A.Temporary file systems
B.Disk data (Hard Drive)
C.CPU cache, registers, and RAM
D.Archival media (CDs/DVDs)
Correct Answer: CPU cache, registers, and RAM
Explanation:
According to RFC 3227, the order of volatility dictates collecting the most fleeting data first, which is the CPU cache, registers, and system RAM.
Incorrect! Try again.
3Which hardware device is essential during static data acquisition to prevent data alteration on the source drive?
A.Network Tap
B.Packet Sniffer
C.Write Blocker
D.Hex Editor
Correct Answer: Write Blocker
Explanation:
A Write Blocker ensures that read commands are allowed but write commands are blocked, preventing the forensic tool from altering the evidence.
Incorrect! Try again.
4Which file format is considered a 'raw' forensic image format?
A..vmdk
B..E01
C..dd
D..ad1
Correct Answer: .dd
Explanation:
The .dd format is a raw, bit-for-bit copy of the data without added metadata or compression headers, unlike .E01 which is proprietary.
Incorrect! Try again.
5What is the primary purpose of generating a hash value (MD5 or SHA) immediately after data acquisition?
A.To index the files for searching
B.To verify the integrity of the evidence
C.To compress the image size
D.To encrypt the image for security
Correct Answer: To verify the integrity of the evidence
Explanation:
Hashing creates a unique digital fingerprint. If the hash of the image matches the hash of the source, it proves the data was not altered during acquisition.
Incorrect! Try again.
6Which acquisition method is necessary when a computer cannot be shut down due to encryption or critical service availability?
A.Dead Acquisition
B.Static Acquisition
C.Sparse Acquisition
D.Live Acquisition
Correct Answer: Live Acquisition
Explanation:
Live acquisition is performed on a running system to capture volatile data (RAM) and encrypted volumes that would lock if the system were powered down.
Incorrect! Try again.
7Where is the 'SAM' (Security Account Manager) hive located in a Windows system?
A.C:\Windows\System32\config
B.C:\Windows\System
C.C:\Program Files\Windows
D.C:\Users\Default
Correct Answer: C:\Windows\System32\config
Explanation:
The SAM hive, which stores user passwords and account information, is located in the System32\config directory.
Incorrect! Try again.
8Which Windows artifact is essentially a snapshot of the contents of RAM saved to the hard drive when a computer is put into hibernation?
A.config.sys
B.hiberfil.sys
C.pagefile.sys
D.swapfile.sys
Correct Answer: hiberfil.sys
Explanation:
hiberfil.sys is created when Windows hibernates, storing the full contents of RAM, making it a critical source for memory analysis.
Incorrect! Try again.
9Which Registry hive contains settings specific to the currently logged-in user?
A.HKEY_USERS
B.HKEY_CLASSES_ROOT
C.HKEY_LOCAL_MACHINE
D.HKEY_CURRENT_USER
Correct Answer: HKEY_CURRENT_USER
Explanation:
HKEY_CURRENT_USER (HKCU) contains configuration data for the user currently logged on. It is mapped from the user's NTUSER.DAT file.
Incorrect! Try again.
10Which Windows artifact allows an investigator to see which applications were recently executed and the frequency of execution?
A.Hosts file
B.Prefetch files
C.SAM hive
D.Cookies
Correct Answer: Prefetch files
Explanation:
Prefetch files (.pf) are designed to speed up application startup, but forensically they show run count, last run time, and file path of executed programs.
Incorrect! Try again.
11In Windows 10/11, where are Windows Event Logs typically stored?
A.C:\ProgramData\Logs
B.C:\Windows\Events
C.C:\Windows\System32\winevt\Logs
D.C:\Windows\Logs
Correct Answer: C:\Windows\System32\winevt\Logs
Explanation:
Modern Windows systems store event logs in the .evtx format located in C:\Windows\System32\winevt\Logs.
Incorrect! Try again.
12Which browser artifact stores a small piece of data sent from a website to remember stateful information (like login status)?
A.Cache
B.Bookmark
C.Cookie
D.History
Correct Answer: Cookie
Explanation:
Cookies are text files used to store user-specific data, such as session IDs, preferences, and authentication tokens.
Incorrect! Try again.
13What is the function of the Windows 'Pagefile.sys'?
A.It stores printer spooling data
B.It acts as virtual memory, extending physical RAM
C.It stores the boot configuration
D.It records all keystrokes
Correct Answer: It acts as virtual memory, extending physical RAM
Explanation:
Pagefile.sys is used as an extension of RAM (Virtual Memory). It contains data moved out of RAM when physical memory is full, often holding evidence.
Incorrect! Try again.
14Which proprietary file format, developed by Guidance Software, is standard for forensic images and supports compression and encryption?
A.E01
B.ISO
C.AFF
D.DD
Correct Answer: E01
Explanation:
The EnCase Evidence File format (.E01) is a widely used industry standard that wraps the bit-stream data with metadata, checksums, and optional compression.
Incorrect! Try again.
15When analyzing the Recycle Bin on Windows 10, which file contains the original filename and deletion date?
A.Desktop.ini
B.$I file
C.INFO2
D.$R file
Correct Answer: $I file
Explanation:
When a file is deleted, two files are created: I (index info). The $I file contains metadata like the original path and deletion timestamp.
Incorrect! Try again.
16Which Windows Event Log ID is commonly associated with a successful user logon?
A.6005
B.4625
C.1102
D.4624
Correct Answer: 4624
Explanation:
Event ID 4624 in the Security Log indicates that an account was successfully logged on.
Incorrect! Try again.
17What is 'Slack Space'?
A.The unused space between the end of a file and the end of the cluster
B.The RAM allocated to the GPU
C.The space used by the Recycle Bin
D.The space on a hard drive reserved for the OS
Correct Answer: The unused space between the end of a file and the end of the cluster
Explanation:
File systems allocate data in fixed clusters. If a file doesn't fill the last cluster, the remaining space (slack) may contain data from previously deleted files.
Incorrect! Try again.
18Which registry key is typically analyzed to determine which USB devices have been connected to the system?
The USBSTOR key contains subkeys for every USB storage device that has been connected to the computer, including vendor, product, and serial number.
Incorrect! Try again.
19What does the term 'Logical Acquisition' refer to?
A.Copying the physical drive bit-by-bit
B.Copying only the RAM
C.Copying only the files and folders visible to the operating system
D.Copying data via a logic analyzer
Correct Answer: Copying only the files and folders visible to the operating system
Explanation:
Logical acquisition captures files as seen by the OS. It is faster but misses unallocated space and deleted files that are not in the file system table.
Incorrect! Try again.
20Which artifact typically stores the user's browsing history in Google Chrome?
A.History (SQLite database)
B.index.dat
C.WebCache.dat
D.places.sqlite
Correct Answer: History (SQLite database)
Explanation:
Chrome stores history, downloads, and search terms in an SQLite database file simply named 'History' within the user's profile.
Incorrect! Try again.
21What is the purpose of 'Web Cache' or 'Temporary Internet Files'?
A.To record a log of all visited websites
B.To speed up browsing by storing static web content like images locally
C.To block malicious pop-ups
D.To store user passwords encrypted
Correct Answer: To speed up browsing by storing static web content like images locally
Explanation:
Browsers cache images, scripts, and HTML to load pages faster on subsequent visits. Investigators analyze this to see what content a user viewed.
Incorrect! Try again.
22Which Windows Registry key is known as a 'Run key' used for persistence (starting programs automatically)?
The 'Run' and 'RunOnce' keys are standard locations where malware or legitimate software add entries to start automatically when Windows boots or a user logs in.
Incorrect! Try again.
23What is the difference between 'Volatile' and 'Non-volatile' memory?
A.Volatile memory is stored on the hard drive
B.Volatile memory loses data when power is cut; Non-volatile retains it
C.Volatile memory is slower
D.Non-volatile memory cannot be imaged
Correct Answer: Volatile memory loses data when power is cut; Non-volatile retains it
Explanation:
Volatile memory (RAM) requires power to maintain data. Non-volatile memory (HDD, SSD, USB) retains data even when powered off.
Incorrect! Try again.
24Which file system artifact tracks the date and time a user last accessed a specific folder structure or window preference?
A.Amcache
B.Shellbags
C.Thumbcache
D.Jump Lists
Correct Answer: Shellbags
Explanation:
Shellbags store preferences for folder display (size, position, view mode) in the Registry. They persist even after the folder is deleted, proving the folder existed.
Incorrect! Try again.
25What is an LNK file?
A.A locked file in the registry
B.A Windows shortcut file that links to an application or file
C.A log file for kernel errors
D.A system link file for network drivers
Correct Answer: A Windows shortcut file that links to an application or file
Explanation:
LNK files are shortcuts. Forensically, they provide metadata about the target file (path, timestamps, volume serial) even if the target is on a removed external drive.
Incorrect! Try again.
26Which command line tool is built into Windows and can be used to query the registry?
A.netstat
B.ipconfig
C.grep
D.reg query
Correct Answer: reg query
Explanation:
The 'reg' command allows users to add, delete, and query keys and values in the Windows Registry.
Incorrect! Try again.
27Which of the following is considered 'metadata' of a file?
A.The text inside a text file
B.The creation, modification, and access timestamps
C.The actual content of a Word document
D.The pixel data of an image
Correct Answer: The creation, modification, and access timestamps
Explanation:
Metadata is 'data about data.' Timestamps, file owner, permissions, and file size are metadata, distinct from the file's actual content.
Incorrect! Try again.
28Why is 'Incognito' or 'Private' browsing mode a challenge for forensics?
A.It encrypts the internet connection
B.It prevents the ISP from seeing traffic
C.It routes traffic through the Dark Web
D.It does not save history, cookies, or cache to the hard drive upon closing
Correct Answer: It does not save history, cookies, or cache to the hard drive upon closing
Explanation:
Private modes prevent the browser from storing permanent artifacts on the local disk, meaning evidence is usually only available in RAM during the active session.
Incorrect! Try again.
29What is the 'Master File Table' (MFT)?
A.A database in NTFS that stores information about every file and directory
B.A log of all master users
C.A backup of the BIOS
D.A partition table for the hard drive
Correct Answer: A database in NTFS that stores information about every file and directory
Explanation:
In NTFS, the MFT contains a record for every file, including the file's attributes, location, and metadata. It is the core structure of the file system.
Incorrect! Try again.
30Which registry hive corresponds to the file 'NTUSER.DAT'?
A.HKEY_USERS
B.HKEY_CURRENT_USER
C.HKEY_CURRENT_CONFIG
D.HKEY_LOCAL_MACHINE
Correct Answer: HKEY_CURRENT_USER
Explanation:
When a user logs in, their profile's NTUSER.DAT file is loaded into the registry as HKEY_CURRENT_USER.
Incorrect! Try again.
31In a live acquisition, which tool is commonly used to capture RAM?
A.FTK Imager
B.RegEdit
C.Photoshop
D.Wireshark
Correct Answer: FTK Imager
Explanation:
FTK Imager is a widely used free tool that can capture the contents of physical memory (RAM) to a file on a running system.
Incorrect! Try again.
32What is a 'Sparse Copy'?
A.A copy containing only allocated data and ignoring unallocated space
B.A copy of data spread across multiple disks
C.A copy made using a write blocker
D.A copy of only the registry
Correct Answer: A copy containing only allocated data and ignoring unallocated space
Explanation:
A sparse acquisition copies allocated blocks but skips unallocated blocks (empty space), making the image smaller but potentially missing deleted data.
Incorrect! Try again.
33Which text-based log file is generated by the IIS (Internet Information Services) web server?
A.Kernel Log
B.W3C Extended Log
C.Syslog
D.Event Viewer Log
Correct Answer: W3C Extended Log
Explanation:
IIS typically uses the W3C Extended Log File Format (text-based) to record details about web requests, such as IP address, URI, and status codes.
Incorrect! Try again.
34The 'UserAssist' registry key provides information about:
A.GUI-based programs run by the user
B.Installed USB devices
C.Network connections
D.User passwords
Correct Answer: GUI-based programs run by the user
Explanation:
UserAssist keys (in NTUSER.DAT) track the execution of GUI programs, including run count and last execution time, often used to profile user activity.
Incorrect! Try again.
35What is 'Alternate Data Stream' (ADS) in Windows NTFS?
A.A feature allowing data to be hidden behind a file without changing the file size
B.A backup stream for internet data
C.A method for streaming video
D.A corrupt file segment
Correct Answer: A feature allowing data to be hidden behind a file without changing the file size
Explanation:
ADS is an NTFS feature allowing more than one data stream to be associated with a filename. Malware often uses ADS to hide code.
Incorrect! Try again.
36Which artifact lists files that were present on the system before a reboot or shutdown, often used to identify malware execution upon boot?
A.Recycle Bin
B.Thumb.db
C.ShimCache (AppCompatCache)
D.Jump Lists
Correct Answer: ShimCache (AppCompatCache)
Explanation:
ShimCache tracks executable file compatibility. It stores file paths, modification times, and execution flags, valuable for proving a file existed even if deleted.
Incorrect! Try again.
37What does Event ID 4625 represent in the Windows Security Log?
A.System shutdown
B.An account failed to log on
C.An account was locked out
D.Successful Logon
Correct Answer: An account failed to log on
Explanation:
Event ID 4625 records failed login attempts, which is critical for investigating brute-force attacks or unauthorized access attempts.
Incorrect! Try again.
38In the context of browser forensics, what is 'Form Data'?
A.The digital signature of the browser
B.Information entered by the user into web fields (names, addresses, search terms)
C.The encryption key for SSL
D.The structure of the HTML page
Correct Answer: Information entered by the user into web fields (names, addresses, search terms)
Explanation:
Form data allows browsers to autocomplete fields. Forensically, it can reveal personal info, search queries, or shipping addresses entered by the user.
Incorrect! Try again.
39Which system file contains the mapping of IP addresses to hostnames, often modified by malware to redirect users?
A.protocol
B.networks
C.services.exe
D.hosts
Correct Answer: hosts
Explanation:
The 'hosts' file (C:\Windows\System32\drivers\etc\hosts) is a text file used for local DNS overrides. Malware modifies it to block security sites or redirect to phishing sites.
Incorrect! Try again.
40What is the primary difference between Copy and Bit-stream Image?
A.Copy is faster; Image is slower
B.There is no difference
C.Copy is compressed; Image is not
D.Copy captures only active file content; Image captures the exact state of the drive
Correct Answer: Copy captures only active file content; Image captures the exact state of the drive
Explanation:
A standard copy (logical) transfers files. A bit-stream image (physical) transfers the entire structure of the disk, including empty and deleted space.
Incorrect! Try again.
41Which tool is commonly used to analyze Windows Registry hives?
A.Wireshark
B.Paint
C.Registry Viewer
D.Notepad
Correct Answer: Registry Viewer
Explanation:
Registry Viewer (like AccessData Registry Viewer or similar forensic tools) allows investigators to decode and view hive files that are otherwise unreadable binaries.
Incorrect! Try again.
42What is the function of the 'SYSTEM' hive?
A.Stores file extensions
B.Stores system configuration, driver settings, and hardware profiles
C.Stores internet history
D.Stores user settings
Correct Answer: Stores system configuration, driver settings, and hardware profiles
Explanation:
The SYSTEM hive contains critical configuration data for the OS start-up, drivers, and services.
Incorrect! Try again.
43Which metadata standard is commonly found in image files (JPEG) containing camera model and GPS coordinates?
A.FAT
B.EXIF
C.NTFS
D.ASCII
Correct Answer: EXIF
Explanation:
Exchangeable Image File Format (EXIF) stores metadata within image files, such as timestamp, camera settings, and sometimes GPS location.
Incorrect! Try again.
44When preparing a drive for an image, what should be done to the destination drive?
A.It should be defragmented
B.It should be smaller than the source drive
C.It should be forensically wiped (sterilized)
D.It should contain the operating system
Correct Answer: It should be forensically wiped (sterilized)
Explanation:
The destination drive should be wiped (all zeros) before use to ensure no residual data from previous use contaminates the new forensic image.
Incorrect! Try again.
45What is 'Unallocated Space'?
A.Space on the drive not currently assigned to any active file by the file system
B.Space reserved for the system
C.Space used by hidden files
D.Space that is damaged
Correct Answer: Space on the drive not currently assigned to any active file by the file system
Explanation:
Unallocated space is available for the OS to write new data. It often contains deleted files that have not yet been overwritten.
Incorrect! Try again.
46Which artifact is created when a user right-clicks the taskbar icon of an application to see recent files?
A.Logfile
B.Jumplist
C.Prefetch
D.Shortcut
Correct Answer: Jumplist
Explanation:
Jumplists (Automatic and CustomDestinations) show recently or frequently accessed files for specific applications, providing insight into user activity.
Incorrect! Try again.
47In Windows Event Logs, what does the 'System' log record?
A.Security audits like logins
B.Events logged by applications
C.Internet history
D.Events logged by Windows system components (drivers, boot errors)
Correct Answer: Events logged by Windows system components (drivers, boot errors)
Explanation:
The System log contains messages generated by the Windows operating system itself, such as driver failures, service starts/stops, and hardware issues.
Incorrect! Try again.
48Why is 'Time Zone' information critical during analysis?
A.To determine the language of the OS
B.To decrypt files
C.To convert UTC timestamps in artifacts to the local time of the suspect
D.To calculate the internet speed
Correct Answer: To convert UTC timestamps in artifacts to the local time of the suspect
Explanation:
Computers store times in UTC or local time depending on the artifact. Correctly interpreting the sequence of events requires accurate timezone conversion.
Incorrect! Try again.
49Which registry value controls the time zone information of the system?
A.HardwareProfiles
B.ControlSet
C.CurrentVersion
D.TimeZoneInformation
Correct Answer: TimeZoneInformation
Explanation:
Located in HKLM\SYSTEM\CurrentControlSet\Control\TimeZoneInformation, this key defines the system's offset from UTC.
Incorrect! Try again.
50Which of the following describes a 'Static Acquisition'?
A.Acquisition via a network connection
B.Acquisition performed while the user is typing
C.Acquisition performed on a system that is powered off
D.Acquisition of RAM only
Correct Answer: Acquisition performed on a system that is powered off
Explanation:
Static acquisition involves connecting the suspect drive to a forensic workstation (via write blocker) while the suspect system is off.