Sample Questions and Answers
1. What is the primary purpose of computer forensics in incident response?
A) To recover deleted files only
B) To analyze network traffic for optimization
C) To preserve, identify, extract, and document digital evidence
D) To enhance computer performance
Answer: C
Explanation: The core goal of computer forensics is to preserve the integrity of digital evidence while identifying, extracting, and documenting it to support legal proceedings or incident response.
2. Which of the following best describes the chain of custody?
A) Process of encrypting data
B) Documentation of evidence handling from collection to presentation
C) Technique for recovering deleted data
D) Software used to scan networks
Answer: B
Explanation: Chain of custody is a detailed and documented process that tracks who collected, handled, and analyzed evidence to ensure it remains admissible in court.
3. What is the first step in the forensic investigation process?
A) Evidence analysis
B) Securing the scene
C) Reporting findings
D) Presentation of evidence
Answer: B
Explanation: Securing the scene is critical to prevent contamination or alteration of evidence before beginning collection or analysis.
4. Which tool is commonly used for disk imaging during a forensic investigation?
A) Wireshark
B) FTK Imager
C) Nmap
D) Metasploit
Answer: B
Explanation: FTK Imager is widely used to create exact forensic images (bit-by-bit copies) of hard drives, preserving data for analysis.
5. What does hashing a file help ensure in forensic analysis?
A) Improves file transfer speed
B) Compresses the file size
C) Verifies file integrity
D) Encrypts the file for security
Answer: C
Explanation: Hashing produces a unique digital fingerprint for a file, ensuring it hasn’t been altered during investigation.
6. What is the primary file system used by Windows operating systems for storing file metadata?
A) FAT32
B) NTFS
C) ext4
D) HFS+
Answer: B
Explanation: NTFS stores detailed file metadata such as timestamps, permissions, and file attributes, which are crucial for forensic investigations.
7. Which of the following is NOT a volatile data source?
A) RAM contents
B) CPU cache
C) Hard disk drive contents
D) Network connections
Answer: C
Explanation: Hard drives contain non-volatile data, while RAM, CPU cache, and network connections are volatile and lost when powered off.
8. What type of attack involves intercepting communication between two parties without their knowledge?
A) Phishing
B) Man-in-the-middle
C) Denial-of-service
D) SQL injection
Answer: B
Explanation: A man-in-the-middle attack intercepts and possibly alters communication between two parties secretly.
9. Which of the following is NOT an appropriate method for preserving volatile data?
A) Taking a memory dump
B) Documenting active network connections
C) Powering off the system immediately
D) Capturing system processes
Answer: C
Explanation: Powering off the system causes loss of volatile data like RAM content, so investigators aim to capture volatile data before shutdown.
10. What is the primary purpose of steganography detection in forensic analysis?
A) Detecting hidden data within files
B) Encrypting sensitive files
C) Recovering deleted files
D) Scanning for malware
Answer: A
Explanation: Steganography involves hiding data within other files, and forensic analysts aim to detect and extract such concealed information.
11. Which Linux command is commonly used to view active network connections?
A) ls
B) netstat
C) ps
D) chmod
Answer: B
Explanation: The netstat command lists active network connections and listening ports, helpful for forensic network analysis.
12. When collecting evidence, why is it important to make a forensic image instead of working on the original device?
A) To avoid legal issues
B) To increase investigation speed
C) To preserve the original evidence’s integrity
D) To compress the data
Answer: C
Explanation: Working on a copy ensures the original evidence remains untouched and admissible in court.
13. Which of the following is a key characteristic of metadata in forensic investigations?
A) Only file size
B) Data about data, such as timestamps and ownership
C) Encryption keys
D) User passwords
Answer: B
Explanation: Metadata provides contextual information about data, including creation/modification times, permissions, and ownership.
14. What is the role of a write-blocker device in forensic imaging?
A) Speeds up imaging
B) Prevents any write operations to the original storage media
C) Erases hidden partitions
D) Encrypts the disk image
Answer: B
Explanation: Write-blockers allow read-only access to storage devices, preventing accidental modification during evidence collection.
15. Which of the following is an example of a file signature (magic number) used in forensic analysis?
A) 0x89504E47 for PNG files
B) SHA-256 hash
C) File extension .exe
D) Last modified date
Answer: A
Explanation: File signatures identify file types regardless of extensions by their unique hexadecimal patterns.
16. What does the term “slack space” refer to in computer forensics?
A) Unallocated space on a hard drive
B) The difference between allocated file size and cluster size
C) Memory used by running processes
D) Temporary files created by the OS
Answer: B
Explanation: Slack space is leftover space in a cluster after the end of a file, which may contain remnants of previous data.
17. Which phase in the forensic process involves interpreting data to determine what happened?
A) Collection
B) Analysis
C) Identification
D) Presentation
Answer: B
Explanation: Analysis involves examining the collected evidence to understand the sequence of events and identify relevant facts.
18. Which tool is commonly used for password cracking during forensic investigations?
A) EnCase
B) John the Ripper
C) Wireshark
D) Netcat
Answer: B
Explanation: John the Ripper is a widely used password cracking tool for testing password strength or recovering passwords.
19. What is the difference between static and live forensics?
A) Static deals with powered-off systems; live deals with powered-on systems
B) Static is faster than live forensics
C) Live forensics involves only network traffic analysis
D) Static uses encryption, live uses decryption
Answer: A
Explanation: Static forensics analyzes offline (powered-off) systems, while live forensics captures data from running systems.
20. In file recovery, what is the purpose of carving?
A) Encrypting files for security
B) Extracting files from unallocated disk space without file system metadata
C) Compressing recovered files
D) Deleting malicious files
Answer: B
Explanation: Carving recovers files based on file signatures from raw disk data, bypassing the file system structures.
21. Which artifact is commonly examined to trace user web activity?
A) Registry entries
B) DNS cache
C) Browser history files
D) All of the above
Answer: D
Explanation: All these artifacts can provide insight into user web activity during forensic analysis.
22. Which of the following is a key consideration when presenting digital evidence in court?
A) The evidence must be encrypted
B) The evidence must be reproducible and authentic
C) The evidence must be publicly accessible
D) The evidence must be deleted after trial
Answer: B
Explanation: For digital evidence to be admissible, it must be shown to be authentic and its collection reproducible without tampering.
23. What is the function of a forensic workstation?
A) A standard PC for daily tasks
B) A dedicated system for forensic data acquisition and analysis
C) A server hosting websites
D) A tool for creating virtual machines
Answer: B
Explanation: Forensic workstations are specially configured computers with write-blockers, forensic software, and hardware for evidence processing.
24. What is a volatile data source that must be captured immediately during live forensics?
A) Files on the hard drive
B) Network connections and processes in RAM
C) Email archives
D) User manuals
Answer: B
Explanation: Volatile data like active processes, network connections, and memory contents disappear when the system powers down.
25. What kind of attack exploits vulnerabilities in SQL databases?
A) SQL Injection
B) Cross-site scripting
C) Brute force attack
D) Phishing
Answer: A
Explanation: SQL Injection attacks exploit vulnerabilities in database queries to manipulate or retrieve unauthorized data.
26. What is the typical format of a forensic image?
A) ISO
B) RAW (dd)
C) ZIP
D) EXE
Answer: B
Explanation: RAW format creates an exact sector-by-sector copy of a disk, preserving all data including deleted and slack space.
27. What does the term “data carving” specifically target?
A) Encrypted files only
B) Extracting files without file system metadata
C) Deleting unused files
D) Compressing large files
Answer: B
Explanation: Data carving recovers files by searching for file signatures directly in raw data, useful when metadata is missing.
28. Which Windows artifact records recently accessed files and folders?
A) Prefetch files
B) MFT (Master File Table)
C) Event logs
D) Recycle Bin
Answer: A
Explanation: Prefetch files are Windows artifacts that log frequently accessed applications and files, useful in forensic timelines.
29. What is the main advantage of using write-blockers?
A) Speed up file copying
B) Prevent changes to evidence storage media
C) Enhance network security
D) Automate evidence analysis
Answer: B
Explanation: Write-blockers prevent accidental writes to the original media, preserving the original evidence integrity.
30. In forensic analysis, what is meant by “memory dump”?
A) Transferring data to external storage
B) Capturing the entire contents of system RAM at a point in time
C) Removing malware from memory
D) Backing up hard drive contents
Answer: B
Explanation: A memory dump captures all data in RAM, which can contain valuable forensic artifacts such as running processes, passwords, and encryption keys.