Unit 3 - Practice Quiz

INT250

1 Which of the following best describes a 'bit-stream' image in digital forensics?

A. A file containing only the active files from a hard drive
B. A bit-by-bit copy of the source drive, including unallocated space and slack space
C. A compressed folder of the user's documents
D. A logical backup of the Windows Registry

2 In the context of the Order of Volatility, which data should be collected first?

A. Archival media (CDs/DVDs)
B. Disk data (Hard Drive)
C. CPU cache, registers, and RAM
D. Temporary file systems

3 Which hardware device is essential during static data acquisition to prevent data alteration on the source drive?

A. Network Tap
B. Write Blocker
C. Hex Editor
D. Packet Sniffer

4 Which file format is considered a 'raw' forensic image format?

A. .E01
B. .dd
C. .vmdk
D. .ad1

5 What is the primary purpose of generating a hash value (MD5 or SHA-family) immediately after data acquisition?

A. To compress the image size
B. To encrypt the image for security
C. To verify the integrity of the evidence
D. To index the files for searching
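Added example (Python, not part of the quiz or course material) for questions 1 and 5: a streaming bit-stream acquisition that hashes the source as it is copied and then verifies the image by an independent re-read. The "device" is a constructed three-cluster file so the script runs offline; the names sdb and sdb.dd, the marker strings and the 4096-byte cluster size are assumptions. It also shows why a bit-stream image differs from a file copy: the slack and unallocated bytes land in the image but never in the copied file content.

```python
import hashlib
import os
import tempfile

CLUSTER = 4096        # assumed cluster size of the constructed volume
CHUNK = 1 << 20       # stream 1 MiB at a time so a real device never sits in RAM


def build_sample_drive(path):
    """Write a constructed three-cluster 'device' (test data, not a real disk):
    cluster 0 holds one allocated file plus its slack, clusters 1-2 are
    unallocated space that still contains a deleted document.
    Returns the bytes a plain file copy would capture."""
    file_bytes = b"Quarterly report - all figures final.\n"
    slack = b"leftover tail of an older, larger file".ljust(
        CLUSTER - len(file_bytes), b"\x00")
    unallocated = b"DELETED: offer letter for J. Doe".ljust(2 * CLUSTER, b"\x00")
    with open(path, "wb") as fh:
        fh.write(file_bytes + slack + unallocated)
    return file_bytes


def hash_stream(fh, algorithms, sink=None):
    """Hash every byte read from fh; optionally write the same bytes to sink."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    for block in iter(lambda: fh.read(CHUNK), b""):
        for h in hashers.values():
            h.update(block)
        if sink is not None:
            sink.write(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def acquire(src, dst, algorithms=("md5", "sha256")):
    """Bit-for-bit copy of src into dst; returns the digests of the source stream."""
    with open(src, "rb") as fin, open(dst, "wb") as fout:
        return hash_stream(fin, algorithms, sink=fout)


def verify(acquisition_hashes, image_path):
    """An image is usable only if an independent re-read reproduces every
    digest recorded at acquisition time."""
    with open(image_path, "rb") as fin:
        return hash_stream(fin, tuple(acquisition_hashes)) == acquisition_hashes


def demo():
    with tempfile.TemporaryDirectory() as workdir:
        src = os.path.join(workdir, "sdb")      # stand-in for the source device
        img = os.path.join(workdir, "sdb.dd")   # raw (dd-style) image
        file_bytes = build_sample_drive(src)
        digests = acquire(src, img)
        with open(img, "rb") as fin:
            image = fin.read()
        result = {
            "verified": verify(digests, img),
            # the bit-stream image carries slack and unallocated data ...
            "image_has_slack": b"leftover tail" in image,
            "image_has_deleted": b"DELETED: offer letter" in image,
            # ... while a logical copy of the file would not
            "copy_has_deleted": b"DELETED: offer letter" in file_bytes,
        }
        # flip one byte after acquisition; the recorded hashes now fail to verify
        with open(img, "r+b") as fh:
            fh.seek(CLUSTER + 5)
            fh.write(b"X")
        result["verified_after_tamper"] = verify(digests, img)
        return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

In practice the source would be a block device opened behind a write blocker, and the acquisition digests would be recorded on the chain-of-custody form; a later verify() run that does not reproduce them means the image can no longer be trusted.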

6 Which acquisition method is necessary when a computer cannot be shut down due to encryption or critical service availability?

A. Static Acquisition
B. Live Acquisition
C. Sparse Acquisition
D. Dead Acquisition

7 Where is the 'SAM' (Security Account Manager) hive located in a Windows system?

A. C:\Windows\System32\config
B. C:\Windows\System
C. C:\Users\Default
D. C:\Program Files\Windows

8 Which Windows artifact is essentially a snapshot of the contents of RAM saved to the hard drive when a computer is put into hibernation?

A. pagefile.sys
B. swapfile.sys
C. hiberfil.sys
D. config.sys

9 Which Registry hive contains settings specific to the currently logged-in user?

A. HKEY_LOCAL_MACHINE
B. HKEY_USERS
C. HKEY_CURRENT_USER
D. HKEY_CLASSES_ROOT

10 Which Windows artifact allows an investigator to see which applications were recently executed and the frequency of execution?

A. Prefetch files
B. Cookies
C. Hosts file
D. SAM hive

11 In Windows 10/11, where are Windows Event Logs typically stored?

A. C:\Windows\Logs
B. C:\Windows\System32\winevt\Logs
C. C:\Windows\Events
D. C:\ProgramData\Logs

12 Which browser artifact stores a small piece of data sent from a website to remember stateful information (like login status)?

A. Cache
B. Cookie
C. History
D. Bookmark

13 What is the function of the Windows 'Pagefile.sys'?

A. It stores the boot configuration
B. It acts as virtual memory, extending physical RAM
C. It records all keystrokes
D. It stores printer spooling data

14 Which proprietary file format, developed by Guidance Software (now part of OpenText) for EnCase, is a de facto standard for forensic images and supports compression and encryption?

A. DD
B. AFF
C. E01
D. ISO

15 When analyzing the Recycle Bin on Windows 10, which file contains the original filename and deletion date?

A. $R file
B. $I file
C. INFO2
D. Desktop.ini
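Added example (Python, not from the quiz or course) for question 15: a parser for the $I metadata record that sits beside each $R file in $Recycle.Bin. The layout decoded here is the documented one (version 2 on Windows 10/11 with a length-prefixed path; version 1 on Vista through 8.1 with a fixed 520-byte path). The records are constructed in the script, so the path, size and timestamp are made-up test data.

```python
import struct
from datetime import datetime, timedelta, timezone

WIN_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """FILETIME counts 100 ns ticks since 1601-01-01 UTC."""
    return WIN_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    delta = dt - WIN_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def parse_i_file(data):
    """Decode one $I record.
    Header: version (8 bytes), original size (8), deletion FILETIME (8).
    Version 1 (Vista to 8.1): fixed 520-byte UTF-16LE path follows.
    Version 2 (Windows 10/11): 4-byte character count, then UTF-16LE path."""
    version, size, ft = struct.unpack_from("<QQQ", data, 0)
    if version == 1:
        raw = data[24:24 + 520]
    elif version == 2:
        (nchars,) = struct.unpack_from("<I", data, 24)   # count includes the NUL
        raw = data[28:28 + nchars * 2]
    else:
        raise ValueError(f"unsupported $I version {version}")
    path = raw.decode("utf-16-le").split("\x00", 1)[0]
    return {"version": version, "original_size": size,
            "deleted_at": filetime_to_datetime(ft), "original_path": path}


def matching_r_file(i_name):
    """$I<id>.<ext> describes the content stored in $R<id>.<ext>."""
    if not i_name.startswith("$I"):
        raise ValueError("not an $I file name")
    return "$R" + i_name[2:]


def build_i_file(path, size, deleted_at, version=2):
    """Construct an $I record (test data, not from a real machine)."""
    ft = datetime_to_filetime(deleted_at)
    if version == 2:
        return (struct.pack("<QQQI", 2, size, ft, len(path) + 1)
                + (path + "\x00").encode("utf-16-le"))
    return struct.pack("<QQQ", 1, size, ft) + path.encode("utf-16-le").ljust(520, b"\x00")


def demo():
    """Round-trip one Windows 10 record and one Vista-era record."""
    when = datetime(2024, 1, 15, 12, 34, 56, tzinfo=timezone.utc)
    new = parse_i_file(build_i_file(r"C:\Users\jdoe\Documents\offer.docx", 18432, when))
    old = parse_i_file(build_i_file(r"D:\old.txt", 7, when, version=1))
    return new, old


if __name__ == "__main__":
    for rec in demo():
        print(rec)
    print(matching_r_file("$IAB12CD.docx"))
```

The deletion time is stored in UTC; converting it to the suspect's local time needs the time zone recovered from the SYSTEM hive (questions 48 and 49).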

16 Which Windows Event Log ID is commonly associated with a successful user logon?

A. 4624
B. 4625
C. 1102
D. 6005

17 What is 'Slack Space'?

A. The space on a hard drive reserved for the OS
B. The unused space between the end of a file and the end of the cluster
C. The space used by the Recycle Bin
D. The RAM allocated to the GPU

18 Which registry key is typically analyzed to determine which USB devices have been connected to the system?

A. HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR
B. HKLM\SOFTWARE\Microsoft\Windows\Run
C. HKCU\Software\Microsoft\Internet Explorer
D. HKLM\SAM\Domains

19 What does the term 'Logical Acquisition' refer to?

A. Copying the physical drive bit-by-bit
B. Copying only the files and folders visible to the operating system
C. Copying data via a logic analyzer
D. Copying only the RAM

20 Which artifact typically stores the user's browsing history in Google Chrome?

A. index.dat
B. places.sqlite
C. History (SQLite database)
D. WebCache.dat

21 What is the purpose of 'Web Cache' or 'Temporary Internet Files'?

A. To store user passwords encrypted
B. To speed up browsing by storing static web content like images locally
C. To record a log of all visited websites
D. To block malicious pop-ups

22 Which Windows Registry key is known as a 'Run key' used for persistence (starting programs automatically)?

A. Software\Microsoft\Windows\CurrentVersion\Run
B. System\CurrentControlSet\Control\Lsa
C. Software\Policies\Microsoft\Windows
D. System\Setup\Status

23 What is the difference between 'Volatile' and 'Non-volatile' memory?

A. Volatile memory is slower
B. Volatile memory loses data when power is cut; Non-volatile retains it
C. Volatile memory is stored on the hard drive
D. Non-volatile memory cannot be imaged

24 Which registry artifact records the folders a user has browsed in Explorer, together with the window and view preferences for each folder and the time the entry was last updated?

A. Shellbags
B. Jump Lists
C. Thumbcache
D. Amcache

25 What is an LNK file?

A. A Windows shortcut file that links to an application or file
B. A system link file for network drivers
C. A locked file in the registry
D. A log file for kernel errors

26 Which command line tool is built into Windows and can be used to query the registry?

A. grep
B. reg query
C. netstat
D. ipconfig

27 Which of the following is considered 'metadata' of a file?

A. The actual content of a Word document
B. The creation, modification, and access timestamps
C. The text inside a text file
D. The pixel data of an image

28 Why is 'Incognito' or 'Private' browsing mode a challenge for forensics?

A. It encrypts the internet connection
B. It does not save history, cookies, or cache to the hard drive upon closing
C. It routes traffic through the Dark Web
D. It prevents the ISP from seeing traffic

29 What is the 'Master File Table' (MFT)?

A. A partition table for the hard drive
B. A database in NTFS that stores information about every file and directory
C. A log of all master users
D. A backup of the BIOS

30 Which registry hive corresponds to the file 'NTUSER.DAT'?

A. HKEY_CURRENT_CONFIG
B. HKEY_LOCAL_MACHINE
C. HKEY_CURRENT_USER
D. HKEY_USERS

31 In a live acquisition, which tool is commonly used to capture RAM?

A. FTK Imager
B. Photoshop
C. Wireshark
D. RegEdit

32 What is a 'Sparse Copy'?

A. A copy containing only allocated data and ignoring unallocated space
B. A copy of only the registry
C. A copy made using a write blocker
D. A copy of data spread across multiple disks

33 Which text-based log file is generated by the IIS (Internet Information Services) web server?

A. W3C Extended Log
B. Event Viewer Log
C. Syslog
D. Kernel Log

34 The 'UserAssist' registry key provides information about:

A. User passwords
B. GUI-based programs run by the user
C. Network connections
D. Installed USB devices
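Added example (Python, not from the quiz or course) for question 34: decoding UserAssist entries. Value names under the Count subkeys are ROT13-obfuscated and may start with a known-folder GUID; the value data in the Windows 7 and later layout is 72 bytes with the run count at offset 4, focus count at 8, focus time in milliseconds at 12 and the last-executed FILETIME at 60. The two entries are constructed test data; the known-folder table lists only the one GUID (FOLDERID_System) the example needs.

```python
import codecs
import struct
from datetime import datetime, timedelta, timezone

WIN_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Known-folder GUIDs appear, ROT13-encoded, at the start of many value names.
# Only FOLDERID_System is listed here; a real tool carries the full table.
KNOWN_FOLDERS = {"{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}": r"C:\Windows\System32"}


def filetime_to_datetime(ft):
    return WIN_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    delta = dt - WIN_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def decode_value_name(name):
    """Undo the ROT13 obfuscation and expand a leading known-folder GUID."""
    plain = codecs.encode(name, "rot_13")
    for guid, folder in KNOWN_FOLDERS.items():
        if plain.upper().startswith(guid):
            return folder + plain[len(guid):]
    return plain


def parse_userassist_value(name, data):
    """Windows 7+ layout (72 bytes): run count at offset 4, focus count at 8,
    focus time (ms) at 12, last-executed FILETIME at 60."""
    if len(data) < 68:
        raise ValueError("value too short for the Windows 7+ UserAssist layout")
    run_count, focus_count, focus_ms = struct.unpack_from("<III", data, 4)
    (last_ft,) = struct.unpack_from("<Q", data, 60)
    return {
        "program": decode_value_name(name),
        "run_count": run_count,
        "focus_count": focus_count,
        "focus_time": timedelta(milliseconds=focus_ms),
        # a zero FILETIME means the entry exists but was never launched
        "last_run": filetime_to_datetime(last_ft) if last_ft else None,
    }


def build_value(run_count, focus_count, focus_ms, last_run):
    """Constructed 72-byte value blob (test data, not from a real hive)."""
    ft = datetime_to_filetime(last_run) if last_run else 0
    return (struct.pack("<IIII", 0, run_count, focus_count, focus_ms)
            + b"\x00" * 44 + struct.pack("<Q", ft) + b"\x00" * 4)


def demo():
    """Two constructed entries: a ROT13 name with a known-folder prefix, and a
    Store app name whose entry was never executed."""
    when = datetime(2024, 3, 2, 9, 16, 40, tzinfo=timezone.utc)
    entries = [
        (r"{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\cbjrefuryy.rkr",
         build_value(7, 3, 42_000, when)),
        (r"Zvpebfbsg.Jvaqbjf.Pnyphyngbe_8jrxlo3q8oojr!Ncc",
         build_value(0, 0, 0, None)),
    ]
    return [parse_userassist_value(n, d) for n, d in entries]


if __name__ == "__main__":
    for row in demo():
        print(row)
```

On a live system the same names and blobs come from reg query or an exported NTUSER.DAT; the parser only needs the raw value name and data.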

35 What is an 'Alternate Data Stream' (ADS) in Windows NTFS?

A. A backup stream for internet data
B. A feature that lets extra data be attached to a file in a second named stream, which Explorer does not show and which does not change the file's reported size
C. A method for streaming video
D. A corrupt file segment

36 Which artifact, written to the SYSTEM registry hive when the machine shuts down or reboots, records executables that were present on the system (path and last-modified time) and is often used to establish that malware existed on a host?

A. ShimCache (AppCompatCache)
B. Recycle Bin
C. Jump Lists
D. Thumb.db

37 What does Event ID 4625 represent in the Windows Security Log?

A. Successful Logon
B. An account was locked out
C. An account failed to log on
D. System shutdown
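Added example (Python, not from the quiz or course) for questions 16 and 37: detection logic run over Security-log events, flagging a source IP that produces a burst of 4625 failures and, separately, a 4624 success from that IP shortly after the burst. The log extract is constructed for the example (the users, IPs and times are invented), and the five-failure threshold and the time windows are assumptions to tune for a real environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Security-log extract (not real data), one event per line:
# TimeCreated  EventID  TargetUserName  IpAddress  LogonType
SAMPLE_LOG = """\
2024-03-02T09:00:05 4624 alice 10.0.0.12 2
2024-03-02T09:14:01 4625 admin 203.0.113.7 3
2024-03-02T09:14:09 4625 admin 203.0.113.7 3
2024-03-02T09:14:17 4625 administrator 203.0.113.7 3
2024-03-02T09:14:25 4625 admin 203.0.113.7 3
2024-03-02T09:14:33 4625 admin 203.0.113.7 3
2024-03-02T09:14:41 4625 admin 203.0.113.7 3
2024-03-02T09:16:40 4624 admin 203.0.113.7 3
2024-03-02T09:30:00 4625 bob 10.0.0.15 2
2024-03-02T09:31:10 4624 bob 10.0.0.15 2
"""


def parse_events(text):
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        when, event_id, user, ip, logon_type = line.split()
        events.append({"time": datetime.fromisoformat(when), "id": int(event_id),
                       "user": user, "ip": ip, "logon_type": int(logon_type)})
    return sorted(events, key=lambda e: e["time"])


def detect_bruteforce(events, threshold=5, window=timedelta(minutes=5),
                      success_within=timedelta(minutes=15)):
    """Flag a source IP with `threshold` 4625s inside `window`, and flag a 4624
    from that IP arriving within `success_within` of such a burst (a guessed
    password that eventually worked)."""
    alerts = []
    failures = defaultdict(list)        # ip -> recent (time, user) of 4625s
    for ev in events:
        ip = ev["ip"]
        if ev["id"] == 4625:
            failures[ip].append((ev["time"], ev["user"]))
            failures[ip] = [f for f in failures[ip] if ev["time"] - f[0] <= window]
            if len(failures[ip]) == threshold:          # fire once per burst
                alerts.append({"kind": "brute_force", "ip": ip,
                               "first_failure": failures[ip][0][0],
                               "users": sorted({u for _, u in failures[ip]})})
        elif ev["id"] == 4624:
            recent = [f for f in failures[ip] if ev["time"] - f[0] <= success_within]
            if len(recent) >= threshold:
                # logon type 3 = network logon, typical of remote guessing
                alerts.append({"kind": "success_after_failures", "ip": ip,
                               "user": ev["user"], "logon_type": ev["logon_type"],
                               "time": ev["time"]})
    return alerts


def demo():
    return detect_bruteforce(parse_events(SAMPLE_LOG))


if __name__ == "__main__":
    for alert in demo():
        print(alert)
```

Bob's single typo followed by a success stays below the threshold and is not reported; the 203.0.113.7 source trips both rules. Keying on the source IP rather than the account also catches sprays that rotate through several usernames.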

38 In the context of browser forensics, what is 'Form Data'?

A. The structure of the HTML page
B. Information entered by the user into web fields (names, addresses, search terms)
C. The digital signature of the browser
D. The encryption key for SSL

39 Which system file contains the mapping of IP addresses to hostnames, often modified by malware to redirect users?

A. services.exe
B. hosts
C. networks
D. protocol

40 What is the primary difference between Copy and Bit-stream Image?

A. Copy captures only active file content; Image captures the exact state of the drive
B. Copy is faster; Image is slower
C. Copy is compressed; Image is not
D. There is no difference

41 Which tool is commonly used to analyze Windows Registry hives?

A. Registry Viewer
B. Notepad
C. Wireshark
D. Paint

42 What is the function of the 'SYSTEM' hive?

A. Stores user settings
B. Stores file extensions
C. Stores system configuration, driver settings, and hardware profiles
D. Stores internet history

43 Which metadata standard is commonly found in image files (JPEG) containing camera model and GPS coordinates?

A. EXIF
B. NTFS
C. FAT
D. ASCII

44 When preparing a drive for an image, what should be done to the destination drive?

A. It should be forensically wiped (sterilized)
B. It should be defragmented
C. It should contain the operating system
D. It should be smaller than the source drive

45 What is 'Unallocated Space'?

A. Space that is damaged
B. Space on the drive not currently assigned to any active file by the file system
C. Space reserved for the system
D. Space used by hidden files

46 Which artifact backs the list of recent files shown when a user right-clicks an application's taskbar icon?

A. Jump List
B. Prefetch
C. Shortcut
D. Logfile

47 In Windows Event Logs, what does the 'System' log record?

A. Events logged by applications
B. Security audits like logins
C. Events logged by Windows system components (drivers, boot errors)
D. Internet history

48 Why is 'Time Zone' information critical during analysis?

A. To calculate the internet speed
B. To convert UTC timestamps in artifacts to the local time of the suspect
C. To determine the language of the OS
D. To decrypt files

49 Which registry key (under HKLM\SYSTEM\CurrentControlSet\Control) holds the system's time zone settings?

A. TimeZoneInformation
B. CurrentVersion
C. ControlSet
D. HardwareProfiles

50 Which of the following describes a 'Static Acquisition'?

A. Acquisition performed on a system that is powered off
B. Acquisition performed while the user is typing
C. Acquisition via a network connection
D. Acquisition of RAM only