Unit 3 - Practice Quiz

INT250 50 Questions
0 Correct 0 Wrong 50 Left
0/50

1 Which of the following best describes a 'bit-stream' image in digital forensics?

A. A bit-by-bit copy of the source drive, including unallocated space and slack space
B. A compressed folder of the user's documents
C. A file containing only the active files from a hard drive
D. A logical backup of the Windows Registry

2 In the context of the Order of Volatility, which data should be collected first?

A. Temporary file systems
B. Disk data (Hard Drive)
C. CPU cache, registers, and RAM
D. Archival media (CDs/DVDs)

3 Which hardware device is essential during static data acquisition to prevent data alteration on the source drive?

A. Network Tap
B. Packet Sniffer
C. Write Blocker
D. Hex Editor

4 Which file format is considered a 'raw' forensic image format?

A. .vmdk
B. .E01
C. .dd
D. .ad1

5 What is the primary purpose of generating a hash value (MD5 or SHA) immediately after data acquisition?

A. To index the files for searching
B. To verify the integrity of the evidence
C. To compress the image size
D. To encrypt the image for security

6 Which acquisition method is necessary when a computer cannot be shut down due to encryption or critical service availability?

A. Dead Acquisition
B. Static Acquisition
C. Sparse Acquisition
D. Live Acquisition

7 Where is the 'SAM' (Security Account Manager) hive located in a Windows system?

A. C:\Windows\System32\config
B. C:\Windows\System
C. C:\Program Files\Windows
D. C:\Users\Default

8 Which Windows artifact is essentially a snapshot of the contents of RAM saved to the hard drive when a computer is put into hibernation?

A. config.sys
B. hiberfil.sys
C. pagefile.sys
D. swapfile.sys

9 Which Registry hive contains settings specific to the currently logged-in user?

A. HKEY_USERS
B. HKEY_CLASSES_ROOT
C. HKEY_LOCAL_MACHINE
D. HKEY_CURRENT_USER

10 Which Windows artifact allows an investigator to see which applications were recently executed and the frequency of execution?

A. Hosts file
B. Prefetch files
C. SAM hive
D. Cookies

11 In Windows 10/11, where are Windows Event Logs typically stored?

A. C:\ProgramData\Logs
B. C:\Windows\Events
C. C:\Windows\System32\winevt\Logs
D. C:\Windows\Logs

12 Which browser artifact stores a small piece of data sent from a website to remember stateful information (like login status)?

A. Cache
B. Bookmark
C. Cookie
D. History

13 What is the function of the Windows 'Pagefile.sys'?

A. It stores printer spooling data
B. It acts as virtual memory, extending physical RAM
C. It stores the boot configuration
D. It records all keystrokes

14 Which proprietary file format, developed by Guidance Software, is standard for forensic images and supports compression and encryption?

A. E01
B. ISO
C. AFF
D. DD

15 When analyzing the Recycle Bin on Windows 10, which file contains the original filename and deletion date?

A. Desktop.ini
B. $I file
C. INFO2
D. $R file

16 Which Windows Event Log ID is commonly associated with a successful user logon?

A. 6005
B. 4625
C. 1102
D. 4624

17 What is 'Slack Space'?

A. The unused space between the end of a file and the end of the cluster
B. The RAM allocated to the GPU
C. The space used by the Recycle Bin
D. The space on a hard drive reserved for the OS

18 Which registry key is typically analyzed to determine which USB devices have been connected to the system?

A. HKLM\SAM\Domains
B. HKLM\SOFTWARE\Microsoft\Windows\Run
C. HKCU\Software\Microsoft\Internet Explorer
D. HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR

19 What does the term 'Logical Acquisition' refer to?

A. Copying the physical drive bit-by-bit
B. Copying only the RAM
C. Copying only the files and folders visible to the operating system
D. Copying data via a logic analyzer

20 Which artifact typically stores the user's browsing history in Google Chrome?

A. History (SQLite database)
B. index.dat
C. WebCache.dat
D. places.sqlite

21 What is the purpose of 'Web Cache' or 'Temporary Internet Files'?

A. To record a log of all visited websites
B. To speed up browsing by storing static web content like images locally
C. To block malicious pop-ups
D. To store user passwords encrypted

22 Which Windows Registry key is known as a 'Run key' used for persistence (starting programs automatically)?

A. Software\Policies\Microsoft\Windows
B. Software\Microsoft\Windows\CurrentVersion\Run
C. System\CurrentControlSet\Control\Lsa
D. System\Setup\Status

23 What is the difference between 'Volatile' and 'Non-volatile' memory?

A. Volatile memory is stored on the hard drive
B. Volatile memory loses data when power is cut; Non-volatile retains it
C. Volatile memory is slower
D. Non-volatile memory cannot be imaged

24 Which file system artifact tracks the date and time a user last accessed a specific folder structure or window preference?

A. Amcache
B. Shellbags
C. Thumbcache
D. Jump Lists

25 What is an LNK file?

A. A locked file in the registry
B. A Windows shortcut file that links to an application or file
C. A log file for kernel errors
D. A system link file for network drivers

26 Which command line tool is built into Windows and can be used to query the registry?

A. netstat
B. ipconfig
C. grep
D. reg query

27 Which of the following is considered 'metadata' of a file?

A. The text inside a text file
B. The creation, modification, and access timestamps
C. The actual content of a Word document
D. The pixel data of an image

28 Why is 'Incognito' or 'Private' browsing mode a challenge for forensics?

A. It encrypts the internet connection
B. It prevents the ISP from seeing traffic
C. It routes traffic through the Dark Web
D. It does not save history, cookies, or cache to the hard drive upon closing

29 What is the 'Master File Table' (MFT)?

A. A database in NTFS that stores information about every file and directory
B. A log of all master users
C. A backup of the BIOS
D. A partition table for the hard drive

30 Which registry hive corresponds to the file 'NTUSER.DAT'?

A. HKEY_USERS
B. HKEY_CURRENT_USER
C. HKEY_CURRENT_CONFIG
D. HKEY_LOCAL_MACHINE

31 In a live acquisition, which tool is commonly used to capture RAM?

A. FTK Imager
B. RegEdit
C. Photoshop
D. Wireshark

32 What is a 'Sparse Copy'?

A. A copy containing only allocated data and ignoring unallocated space
B. A copy of data spread across multiple disks
C. A copy made using a write blocker
D. A copy of only the registry

33 Which text-based log file is generated by the IIS (Internet Information Services) web server?

A. Kernel Log
B. W3C Extended Log
C. Syslog
D. Event Viewer Log

34 The 'UserAssist' registry key provides information about:

A. GUI-based programs run by the user
B. Installed USB devices
C. Network connections
D. User passwords

35 What is 'Alternate Data Stream' (ADS) in Windows NTFS?

A. A feature allowing data to be hidden behind a file without changing the file size
B. A backup stream for internet data
C. A method for streaming video
D. A corrupt file segment

36 Which artifact lists files that were present on the system before a reboot or shutdown, often used to identify malware execution upon boot?

A. Recycle Bin
B. Thumb.db
C. ShimCache (AppCompatCache)
D. Jump Lists

37 What does Event ID 4625 represent in the Windows Security Log?

A. System shutdown
B. An account failed to log on
C. An account was locked out
D. Successful Logon

38 In the context of browser forensics, what is 'Form Data'?

A. The digital signature of the browser
B. Information entered by the user into web fields (names, addresses, search terms)
C. The encryption key for SSL
D. The structure of the HTML page

39 Which system file contains the mapping of IP addresses to hostnames, often modified by malware to redirect users?

A. protocol
B. networks
C. services.exe
D. hosts

40 What is the primary difference between Copy and Bit-stream Image?

A. Copy is faster; Image is slower
B. There is no difference
C. Copy is compressed; Image is not
D. Copy captures only active file content; Image captures the exact state of the drive

41 Which tool is commonly used to analyze Windows Registry hives?

A. Wireshark
B. Paint
C. Registry Viewer
D. Notepad

42 What is the function of the 'SYSTEM' hive?

A. Stores file extensions
B. Stores system configuration, driver settings, and hardware profiles
C. Stores internet history
D. Stores user settings

43 Which metadata standard is commonly found in image files (JPEG) containing camera model and GPS coordinates?

A. FAT
B. EXIF
C. NTFS
D. ASCII

44 When preparing a drive for an image, what should be done to the destination drive?

A. It should be defragmented
B. It should be smaller than the source drive
C. It should be forensically wiped (sterilized)
D. It should contain the operating system

45 What is 'Unallocated Space'?

A. Space on the drive not currently assigned to any active file by the file system
B. Space reserved for the system
C. Space used by hidden files
D. Space that is damaged

46 Which artifact is created when a user right-clicks the taskbar icon of an application to see recent files?

A. Logfile
B. Jumplist
C. Prefetch
D. Shortcut

47 In Windows Event Logs, what does the 'System' log record?

A. Security audits like logins
B. Events logged by applications
C. Internet history
D. Events logged by Windows system components (drivers, boot errors)

48 Why is 'Time Zone' information critical during analysis?

A. To determine the language of the OS
B. To decrypt files
C. To convert UTC timestamps in artifacts to the local time of the suspect
D. To calculate the internet speed

49 Which registry value controls the time zone information of the system?

A. HardwareProfiles
B. ControlSet
C. CurrentVersion
D. TimeZoneInformation

50 Which of the following describes a 'Static Acquisition'?

A. Acquisition via a network connection
B. Acquisition performed while the user is typing
C. Acquisition performed on a system that is powered off
D. Acquisition of RAM only