1Which of the following best describes a 'bit-stream' image in digital forensics?
A.A logical backup of the Windows Registry
B.A file containing only the active files from a hard drive
C.A compressed folder of the user's documents
D.A bit-by-bit copy of the source drive, including unallocated space and slack space
Correct Answer: A bit-by-bit copy of the source drive, including unallocated space and slack space
Explanation:
A bit-stream image (or physical image) captures every bit on the source media, ensuring deleted data in unallocated space is preserved.
Incorrect! Try again.
2In the context of the Order of Volatility, which data should be collected first?
A.Archival media (CDs/DVDs)
B.CPU cache, registers, and RAM
C.Disk data (Hard Drive)
D.Temporary file systems
Correct Answer: CPU cache, registers, and RAM
Explanation:
According to RFC 3227, the order of volatility dictates collecting the most fleeting data first, which is the CPU cache, registers, and system RAM.
Incorrect! Try again.
3Which hardware device is essential during static data acquisition to prevent data alteration on the source drive?
A.Network Tap
B.Hex Editor
C.Write Blocker
D.Packet Sniffer
Correct Answer: Write Blocker
Explanation:
A Write Blocker ensures that read commands are allowed but write commands are blocked, preventing the forensic tool from altering the evidence.
Incorrect! Try again.
4Which file format is considered a 'raw' forensic image format?
A..ad1
B..E01
C..vmdk
D..dd
Correct Answer: .dd
Explanation:
The .dd format is a raw, bit-for-bit copy of the data without added metadata or compression headers, unlike .E01 which is proprietary.
Incorrect! Try again.
5What is the primary purpose of generating a hash value (MD5 or SHA) immediately after data acquisition?
A.To encrypt the image for security
B.To index the files for searching
C.To verify the integrity of the evidence
D.To compress the image size
Correct Answer: To verify the integrity of the evidence
Explanation:
Hashing creates a unique digital fingerprint. If the hash of the image matches the hash of the source, it proves the data was not altered during acquisition.
Incorrect! Try again.
6Which acquisition method is necessary when a computer cannot be shut down due to encryption or critical service availability?
A.Dead Acquisition
B.Static Acquisition
C.Live Acquisition
D.Sparse Acquisition
Correct Answer: Live Acquisition
Explanation:
Live acquisition is performed on a running system to capture volatile data (RAM) and encrypted volumes that would lock if the system were powered down.
Incorrect! Try again.
7Where is the 'SAM' (Security Account Manager) hive located in a Windows system?
A.C:\Windows\System
B.C:\Users\Default
C.C:\Windows\System32\config
D.C:\Program Files\Windows
Correct Answer: C:\Windows\System32\config
Explanation:
The SAM hive, which stores user passwords and account information, is located in the System32\config directory.
Incorrect! Try again.
8Which Windows artifact is essentially a snapshot of the contents of RAM saved to the hard drive when a computer is put into hibernation?
A.pagefile.sys
B.swapfile.sys
C.hiberfil.sys
D.config.sys
Correct Answer: hiberfil.sys
Explanation:
hiberfil.sys is created when Windows hibernates, storing the full contents of RAM, making it a critical source for memory analysis.
Incorrect! Try again.
9Which Registry hive contains settings specific to the currently logged-in user?
A.HKEY_CLASSES_ROOT
B.HKEY_CURRENT_USER
C.HKEY_LOCAL_MACHINE
D.HKEY_USERS
Correct Answer: HKEY_CURRENT_USER
Explanation:
HKEY_CURRENT_USER (HKCU) contains configuration data for the user currently logged on. It is mapped from the user's NTUSER.DAT file.
Incorrect! Try again.
10Which Windows artifact allows an investigator to see which applications were recently executed and the frequency of execution?
A.Hosts file
B.Prefetch files
C.SAM hive
D.Cookies
Correct Answer: Prefetch files
Explanation:
Prefetch files (.pf) are designed to speed up application startup, but forensically they show run count, last run time, and file path of executed programs.
Incorrect! Try again.
11In Windows 10/11, where are Windows Event Logs typically stored?
A.C:\Windows\System32\winevt\Logs
B.C:\ProgramData\Logs
C.C:\Windows\Events
D.C:\Windows\Logs
Correct Answer: C:\Windows\System32\winevt\Logs
Explanation:
Modern Windows systems store event logs in the .evtx format located in C:\Windows\System32\winevt\Logs.
Incorrect! Try again.
12Which browser artifact stores a small piece of data sent from a website to remember stateful information (like login status)?
A.History
B.Cookie
C.Cache
D.Bookmark
Correct Answer: Cookie
Explanation:
Cookies are text files used to store user-specific data, such as session IDs, preferences, and authentication tokens.
Incorrect! Try again.
13What is the function of the Windows 'Pagefile.sys'?
A.It records all keystrokes
B.It acts as virtual memory, extending physical RAM
C.It stores the boot configuration
D.It stores printer spooling data
Correct Answer: It acts as virtual memory, extending physical RAM
Explanation:
Pagefile.sys is used as an extension of RAM (Virtual Memory). It contains data moved out of RAM when physical memory is full, often holding evidence.
Incorrect! Try again.
14Which proprietary file format, developed by Guidance Software, is standard for forensic images and supports compression and encryption?
A.AFF
B.E01
C.ISO
D.DD
Correct Answer: E01
Explanation:
The EnCase Evidence File format (.E01) is a widely used industry standard that wraps the bit-stream data with metadata, checksums, and optional compression.
Incorrect! Try again.
15When analyzing the Recycle Bin on Windows 10, which file contains the original filename and deletion date?
A.$I file
B.INFO2
C.$R file
D.Desktop.ini
Correct Answer: $I file
Explanation:
When a file is deleted, two files are created: I (index info). The $I file contains metadata like the original path and deletion timestamp.
Incorrect! Try again.
16Which Windows Event Log ID is commonly associated with a successful user logon?
A.4625
B.6005
C.1102
D.4624
Correct Answer: 4624
Explanation:
Event ID 4624 in the Security Log indicates that an account was successfully logged on.
Incorrect! Try again.
17What is 'Slack Space'?
A.The space used by the Recycle Bin
B.The space on a hard drive reserved for the OS
C.The unused space between the end of a file and the end of the cluster
D.The RAM allocated to the GPU
Correct Answer: The unused space between the end of a file and the end of the cluster
Explanation:
File systems allocate data in fixed clusters. If a file doesn't fill the last cluster, the remaining space (slack) may contain data from previously deleted files.
Incorrect! Try again.
18Which registry key is typically analyzed to determine which USB devices have been connected to the system?
The USBSTOR key contains subkeys for every USB storage device that has been connected to the computer, including vendor, product, and serial number.
Incorrect! Try again.
19What does the term 'Logical Acquisition' refer to?
A.Copying only the files and folders visible to the operating system
B.Copying data via a logic analyzer
C.Copying only the RAM
D.Copying the physical drive bit-by-bit
Correct Answer: Copying only the files and folders visible to the operating system
Explanation:
Logical acquisition captures files as seen by the OS. It is faster but misses unallocated space and deleted files that are not in the file system table.
Incorrect! Try again.
20Which artifact typically stores the user's browsing history in Google Chrome?
A.History (SQLite database)
B.index.dat
C.WebCache.dat
D.places.sqlite
Correct Answer: History (SQLite database)
Explanation:
Chrome stores history, downloads, and search terms in an SQLite database file simply named 'History' within the user's profile.
Incorrect! Try again.
21What is the purpose of 'Web Cache' or 'Temporary Internet Files'?
A.To store user passwords encrypted
B.To block malicious pop-ups
C.To record a log of all visited websites
D.To speed up browsing by storing static web content like images locally
Correct Answer: To speed up browsing by storing static web content like images locally
Explanation:
Browsers cache images, scripts, and HTML to load pages faster on subsequent visits. Investigators analyze this to see what content a user viewed.
Incorrect! Try again.
22Which Windows Registry key is known as a 'Run key' used for persistence (starting programs automatically)?
The 'Run' and 'RunOnce' keys are standard locations where malware or legitimate software add entries to start automatically when Windows boots or a user logs in.
Incorrect! Try again.
23What is the difference between 'Volatile' and 'Non-volatile' memory?
A.Volatile memory loses data when power is cut; Non-volatile retains it
B.Volatile memory is slower
C.Non-volatile memory cannot be imaged
D.Volatile memory is stored on the hard drive
Correct Answer: Volatile memory loses data when power is cut; Non-volatile retains it
Explanation:
Volatile memory (RAM) requires power to maintain data. Non-volatile memory (HDD, SSD, USB) retains data even when powered off.
Incorrect! Try again.
24Which file system artifact tracks the date and time a user last accessed a specific folder structure or window preference?
A.Amcache
B.Thumbcache
C.Shellbags
D.Jump Lists
Correct Answer: Shellbags
Explanation:
Shellbags store preferences for folder display (size, position, view mode) in the Registry. They persist even after the folder is deleted, proving the folder existed.
Incorrect! Try again.
25What is an LNK file?
A.A system link file for network drivers
B.A Windows shortcut file that links to an application or file
C.A locked file in the registry
D.A log file for kernel errors
Correct Answer: A Windows shortcut file that links to an application or file
Explanation:
LNK files are shortcuts. Forensically, they provide metadata about the target file (path, timestamps, volume serial) even if the target is on a removed external drive.
Incorrect! Try again.
26Which command line tool is built into Windows and can be used to query the registry?
A.grep
B.netstat
C.ipconfig
D.reg query
Correct Answer: reg query
Explanation:
The 'reg' command allows users to add, delete, and query keys and values in the Windows Registry.
Incorrect! Try again.
27Which of the following is considered 'metadata' of a file?
A.The text inside a text file
B.The pixel data of an image
C.The actual content of a Word document
D.The creation, modification, and access timestamps
Correct Answer: The creation, modification, and access timestamps
Explanation:
Metadata is 'data about data.' Timestamps, file owner, permissions, and file size are metadata, distinct from the file's actual content.
Incorrect! Try again.
28Why is 'Incognito' or 'Private' browsing mode a challenge for forensics?
A.It prevents the ISP from seeing traffic
B.It does not save history, cookies, or cache to the hard drive upon closing
C.It routes traffic through the Dark Web
D.It encrypts the internet connection
Correct Answer: It does not save history, cookies, or cache to the hard drive upon closing
Explanation:
Private modes prevent the browser from storing permanent artifacts on the local disk, meaning evidence is usually only available in RAM during the active session.
Incorrect! Try again.
29What is the 'Master File Table' (MFT)?
A.A log of all master users
B.A backup of the BIOS
C.A partition table for the hard drive
D.A database in NTFS that stores information about every file and directory
Correct Answer: A database in NTFS that stores information about every file and directory
Explanation:
In NTFS, the MFT contains a record for every file, including the file's attributes, location, and metadata. It is the core structure of the file system.
Incorrect! Try again.
30Which registry hive corresponds to the file 'NTUSER.DAT'?
A.HKEY_LOCAL_MACHINE
B.HKEY_CURRENT_CONFIG
C.HKEY_USERS
D.HKEY_CURRENT_USER
Correct Answer: HKEY_CURRENT_USER
Explanation:
When a user logs in, their profile's NTUSER.DAT file is loaded into the registry as HKEY_CURRENT_USER.
Incorrect! Try again.
31In a live acquisition, which tool is commonly used to capture RAM?
A.Wireshark
B.Photoshop
C.FTK Imager
D.RegEdit
Correct Answer: FTK Imager
Explanation:
FTK Imager is a widely used free tool that can capture the contents of physical memory (RAM) to a file on a running system.
Incorrect! Try again.
32What is a 'Sparse Copy'?
A.A copy of only the registry
B.A copy of data spread across multiple disks
C.A copy made using a write blocker
D.A copy containing only allocated data and ignoring unallocated space
Correct Answer: A copy containing only allocated data and ignoring unallocated space
Explanation:
A sparse acquisition copies allocated blocks but skips unallocated blocks (empty space), making the image smaller but potentially missing deleted data.
Incorrect! Try again.
33Which text-based log file is generated by the IIS (Internet Information Services) web server?
A.Syslog
B.Event Viewer Log
C.Kernel Log
D.W3C Extended Log
Correct Answer: W3C Extended Log
Explanation:
IIS typically uses the W3C Extended Log File Format (text-based) to record details about web requests, such as IP address, URI, and status codes.
Incorrect! Try again.
34The 'UserAssist' registry key provides information about:
A.Network connections
B.Installed USB devices
C.GUI-based programs run by the user
D.User passwords
Correct Answer: GUI-based programs run by the user
Explanation:
UserAssist keys (in NTUSER.DAT) track the execution of GUI programs, including run count and last execution time, often used to profile user activity.
Incorrect! Try again.
35What is 'Alternate Data Stream' (ADS) in Windows NTFS?
A.A method for streaming video
B.A backup stream for internet data
C.A corrupt file segment
D.A feature allowing data to be hidden behind a file without changing the file size
Correct Answer: A feature allowing data to be hidden behind a file without changing the file size
Explanation:
ADS is an NTFS feature allowing more than one data stream to be associated with a filename. Malware often uses ADS to hide code.
Incorrect! Try again.
36Which artifact lists files that were present on the system before a reboot or shutdown, often used to identify malware execution upon boot?
A.Recycle Bin
B.ShimCache (AppCompatCache)
C.Thumb.db
D.Jump Lists
Correct Answer: ShimCache (AppCompatCache)
Explanation:
ShimCache tracks executable file compatibility. It stores file paths, modification times, and execution flags, valuable for proving a file existed even if deleted.
Incorrect! Try again.
37What does Event ID 4625 represent in the Windows Security Log?
A.System shutdown
B.An account failed to log on
C.Successful Logon
D.An account was locked out
Correct Answer: An account failed to log on
Explanation:
Event ID 4625 records failed login attempts, which is critical for investigating brute-force attacks or unauthorized access attempts.
Incorrect! Try again.
38In the context of browser forensics, what is 'Form Data'?
A.Information entered by the user into web fields (names, addresses, search terms)
B.The structure of the HTML page
C.The encryption key for SSL
D.The digital signature of the browser
Correct Answer: Information entered by the user into web fields (names, addresses, search terms)
Explanation:
Form data allows browsers to autocomplete fields. Forensically, it can reveal personal info, search queries, or shipping addresses entered by the user.
Incorrect! Try again.
39Which system file contains the mapping of IP addresses to hostnames, often modified by malware to redirect users?
A.networks
B.hosts
C.services.exe
D.protocol
Correct Answer: hosts
Explanation:
The 'hosts' file (C:\Windows\System32\drivers\etc\hosts) is a text file used for local DNS overrides. Malware modifies it to block security sites or redirect to phishing sites.
Incorrect! Try again.
40What is the primary difference between Copy and Bit-stream Image?
A.Copy is faster; Image is slower
B.Copy captures only active file content; Image captures the exact state of the drive
C.There is no difference
D.Copy is compressed; Image is not
Correct Answer: Copy captures only active file content; Image captures the exact state of the drive
Explanation:
A standard copy (logical) transfers files. A bit-stream image (physical) transfers the entire structure of the disk, including empty and deleted space.
Incorrect! Try again.
41Which tool is commonly used to analyze Windows Registry hives?
A.Wireshark
B.Paint
C.Registry Viewer
D.Notepad
Correct Answer: Registry Viewer
Explanation:
Registry Viewer (like AccessData Registry Viewer or similar forensic tools) allows investigators to decode and view hive files that are otherwise unreadable binaries.
Incorrect! Try again.
42What is the function of the 'SYSTEM' hive?
A.Stores user settings
B.Stores file extensions
C.Stores internet history
D.Stores system configuration, driver settings, and hardware profiles
Correct Answer: Stores system configuration, driver settings, and hardware profiles
Explanation:
The SYSTEM hive contains critical configuration data for the OS start-up, drivers, and services.
Incorrect! Try again.
43Which metadata standard is commonly found in image files (JPEG) containing camera model and GPS coordinates?
A.EXIF
B.FAT
C.NTFS
D.ASCII
Correct Answer: EXIF
Explanation:
Exchangeable Image File Format (EXIF) stores metadata within image files, such as timestamp, camera settings, and sometimes GPS location.
Incorrect! Try again.
44When preparing a drive for an image, what should be done to the destination drive?
A.It should be defragmented
B.It should be smaller than the source drive
C.It should be forensically wiped (sterilized)
D.It should contain the operating system
Correct Answer: It should be forensically wiped (sterilized)
Explanation:
The destination drive should be wiped (all zeros) before use to ensure no residual data from previous use contaminates the new forensic image.
Incorrect! Try again.
45What is 'Unallocated Space'?
A.Space used by hidden files
B.Space that is damaged
C.Space on the drive not currently assigned to any active file by the file system
D.Space reserved for the system
Correct Answer: Space on the drive not currently assigned to any active file by the file system
Explanation:
Unallocated space is available for the OS to write new data. It often contains deleted files that have not yet been overwritten.
Incorrect! Try again.
46Which artifact is created when a user right-clicks the taskbar icon of an application to see recent files?
A.Shortcut
B.Logfile
C.Jumplist
D.Prefetch
Correct Answer: Jumplist
Explanation:
Jumplists (Automatic and CustomDestinations) show recently or frequently accessed files for specific applications, providing insight into user activity.
Incorrect! Try again.
47In Windows Event Logs, what does the 'System' log record?
A.Security audits like logins
B.Events logged by Windows system components (drivers, boot errors)
C.Internet history
D.Events logged by applications
Correct Answer: Events logged by Windows system components (drivers, boot errors)
Explanation:
The System log contains messages generated by the Windows operating system itself, such as driver failures, service starts/stops, and hardware issues.
Incorrect! Try again.
48Why is 'Time Zone' information critical during analysis?
A.To decrypt files
B.To convert UTC timestamps in artifacts to the local time of the suspect
C.To calculate the internet speed
D.To determine the language of the OS
Correct Answer: To convert UTC timestamps in artifacts to the local time of the suspect
Explanation:
Computers store times in UTC or local time depending on the artifact. Correctly interpreting the sequence of events requires accurate timezone conversion.
Incorrect! Try again.
49Which registry value controls the time zone information of the system?
A.ControlSet
B.CurrentVersion
C.HardwareProfiles
D.TimeZoneInformation
Correct Answer: TimeZoneInformation
Explanation:
Located in HKLM\SYSTEM\CurrentControlSet\Control\TimeZoneInformation, this key defines the system's offset from UTC.
Incorrect! Try again.
50Which of the following describes a 'Static Acquisition'?
A.Acquisition performed while the user is typing
B.Acquisition via a network connection
C.Acquisition of RAM only
D.Acquisition performed on a system that is powered off
Correct Answer: Acquisition performed on a system that is powered off
Explanation:
Static acquisition involves connecting the suspect drive to a forensic workstation (via write blocker) while the suspect system is off.