Quiz — Chapter 27: Digital Forensics
Quiz Instructions
15 questions covering acquisition, analysis, chain of custody, artifact interpretation, and legal admissibility.
Questions
1. Which forensic acquisition method preserves the most evidence including deleted files and unallocated space?
- [ ] A. Logical acquisition (file-level copy)
- [ ] B. Physical acquisition (bit-for-bit image)
- [ ] C. Cloud acquisition via API
- [ ] D. Live triage collection
Answer: B
A physical/bit-for-bit image captures all sectors including deleted file remnants, slack space, and unallocated areas. Logical acquisition (A) only copies active file system objects.
2. The primary purpose of hashing an evidence image immediately after acquisition is:
- [ ] A. Compression of the evidence file
- [ ] B. Proving integrity — demonstrating no modification since acquisition (chain of custody)
- [ ] C. Encrypting the evidence for secure transport
- [ ] D. Indexing file contents for faster searching
Answer: B
MD5/SHA-256 hashes at acquisition create a fingerprint. Re-hashing at each custody transfer proves the image was not tampered with — foundational to admissibility.
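Added example (not part of the quiz or of Chapter 27's material): a single-pass MD5/SHA-256 hashing routine for an evidence image plus a minimal chain-of-custody log that re-hashes the image at every transfer and records whether it still matches the acquisition digests. The `CustodyLog` record layout and the `EV-PLACEHOLDER-001` evidence id are assumptions made for illustration; the "image" is constructed patterned bytes, not a real disk dump.

```python
import hashlib
import io
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Read in 1 MiB chunks so a multi-gigabyte image never has to fit in RAM.
CHUNK_SIZE = 1 << 20


def _as_stream(data):
    """Accept either raw bytes (handy for tests) or an open binary file object."""
    return io.BytesIO(data) if isinstance(data, (bytes, bytearray)) else data


def hash_image(data, algorithms=("md5", "sha256")):
    """Compute several digests of an evidence image in a single read pass."""
    stream = _as_stream(data)
    hashers = {name: hashlib.new(name) for name in algorithms}
    for chunk in iter(lambda: stream.read(CHUNK_SIZE), b""):
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


@dataclass
class CustodyLog:
    """Reference hashes taken at acquisition plus one entry per handling event.
    The record layout is a hypothetical one for this example, not any tool's format."""
    evidence_id: str
    acquisition_hashes: dict
    entries: list = field(default_factory=list)

    def verify_transfer(self, handler, reason, data, when=None):
        """Re-hash the image when custody changes hands and log whether it still matches."""
        when = when or datetime.now(timezone.utc)
        observed = hash_image(data, tuple(self.acquisition_hashes))
        intact = observed == self.acquisition_hashes
        self.entries.append({
            "time": when.isoformat(),
            "handler": handler,
            "reason": reason,
            "hashes": observed,
            "intact": intact,
        })
        return intact


def acquire(evidence_id, data):
    """Hash the image once at acquisition; these digests are the reference fingerprint."""
    return CustodyLog(evidence_id, hash_image(data))


if __name__ == "__main__":
    # Constructed stand-in for a disk image: 3 MiB of patterned 512-byte sectors.
    image = (b"\x00" * 3 + b"NTFS    " + b"\x00" * 501) * (3 * 2048)
    log = acquire("EV-PLACEHOLDER-001", image)
    print("acquired sha256:", log.acquisition_hashes["sha256"])
    print("first transfer intact:", log.verify_transfer("analyst A", "to lab", image))
    tampered = bytearray(image)
    tampered[4096] ^= 0x01                    # a single flipped bit in sector 8
    print("second transfer intact:", log.verify_transfer("analyst B", "to counsel", bytes(tampered)))
```

Both digests are computed in one read so the image is only streamed once; a single flipped bit anywhere in the image changes both and the transfer entry is logged as not intact, which is exactly the discrepancy opposing counsel would look for.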
3. On a Windows system, which artifact records the first and last execution time of applications, even after the application is deleted?
- [ ] A. Windows Event Log (Security.evtx)
- [ ] B. Prefetch files (C:\Windows\Prefetch\*.pf)
- [ ] C. Registry HKCU\Software\Microsoft\Windows\CurrentVersion\Run
- [ ] D. LNK (shortcut) files
Answer: B
Prefetch files record application execution timestamps (first and last 8 run times in Windows 10+), loaded DLLs, and run count. They persist even after the executable is deleted.
4. A forensic examiner finds a file with a .jpg extension but the file header reads PK\x03\x04. What does this indicate?
- [ ] A. Corrupted JPEG file
- [ ] B. Steganography embedded in the image
- [ ] C. File extension masking — the file is a ZIP archive
- [ ] D. Encrypted JPEG using PKI
Answer: C
PK\x03\x04 is the ZIP magic-byte signature. The .jpg extension is misleading — this is a ZIP file renamed to evade detection. Comparing magic bytes against the extension (signature analysis, as file-carving tools do) catches this.
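Added example (not part of the quiz or of any forensic tool's code): a small signature table and an extension-versus-header check that flags the case in this question and also handles the common false positive, a .docx or .jar whose header legitimately reads PK\x03\x04 because OOXML and JAR files are ZIP containers. The signature list and extension map are assumptions built for illustration, and the sample headers are constructed, not taken from a real image.

```python
import os
from typing import Optional

# Signature table of well-known magic bytes: (bytes, offset, content type).
SIGNATURES = [
    (b"\xff\xd8\xff", 0, "jpeg"),
    (b"\x89PNG\r\n\x1a\n", 0, "png"),
    (b"GIF87a", 0, "gif"),
    (b"GIF89a", 0, "gif"),
    (b"%PDF-", 0, "pdf"),
    (b"PK\x03\x04", 0, "zip"),
    (b"PK\x05\x06", 0, "zip"),      # empty ZIP archive
    (b"MZ", 0, "pe"),
    (b"\x7fELF", 0, "elf"),
]

# Content type each extension legitimately implies. OOXML and JAR files are ZIP
# containers, so a .docx whose header says "zip" is consistent, not masked.
EXPECTED_BY_EXT = {
    ".jpg": "jpeg", ".jpeg": "jpeg", ".png": "png", ".gif": "gif", ".pdf": "pdf",
    ".zip": "zip", ".docx": "zip", ".xlsx": "zip", ".pptx": "zip", ".jar": "zip",
    ".exe": "pe", ".dll": "pe", ".so": "elf",
}

HEADER_LEN = 16   # enough to cover every signature in the table


def identify(header: bytes) -> Optional[str]:
    """Return the content type implied by the leading bytes, or None if unrecognised."""
    for magic, offset, kind in SIGNATURES:
        if header[offset:offset + len(magic)] == magic:
            return kind
    return None


def check_extension(filename: str, header: bytes):
    """Compare the extension's implied type against the header's actual type.

    Returns (detected, expected, verdict) where verdict is one of
    'match', 'mismatch', 'unknown-signature', 'unknown-extension'.
    """
    ext = os.path.splitext(filename)[1].lower()
    detected = identify(header[:HEADER_LEN])
    expected = EXPECTED_BY_EXT.get(ext)
    if detected is None:
        verdict = "unknown-signature"
    elif expected is None:
        verdict = "unknown-extension"
    elif detected == expected:
        verdict = "match"
    else:
        verdict = "mismatch"
    return detected, expected, verdict


def find_masked_files(samples):
    """Given (filename, header) pairs, return those whose extension misrepresents the content."""
    masked = []
    for name, header in samples:
        detected, expected, verdict = check_extension(name, header)
        if verdict == "mismatch":
            masked.append((name, detected, expected))
    return masked


if __name__ == "__main__":
    # Constructed headers standing in for the first bytes of files found on an image.
    SAMPLES = [
        ("vacation.jpg", b"\xff\xd8\xff\xe0\x00\x10JFIF\x00"),     # genuine JPEG
        ("family.jpg", b"PK\x03\x04\x14\x00\x00\x00\x08\x00"),     # ZIP renamed to .jpg
        ("budget.docx", b"PK\x03\x04\x14\x00\x06\x00\x08\x00"),    # OOXML: ZIP is expected
        ("invoice.pdf", b"MZ\x90\x00\x03\x00\x00\x00"),            # PE renamed to .pdf
        ("notes.txt", b"plain text, no signature"),
    ]
    for name, detected, expected in find_masked_files(SAMPLES):
        print(f"{name}: header says {detected}, extension implies {expected}")
```

Only `family.jpg` and `invoice.pdf` are reported; `budget.docx` passes because the extension map knows OOXML is ZIP-based, and `notes.txt` is reported as an unknown signature rather than a mismatch, which keeps plain-text files from flooding the result list.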
5. Which Windows registry hive stores evidence of USB device connections including device serial numbers and first/last connection times?
- [ ] A. HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion
- [ ] B. HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR
- [ ] C. HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer
- [ ] D. HKLM\SECURITY\Cache
Answer: B
USBSTOR tracks every USB storage device ever connected: vendor, product, serial number, and connection timestamps. Correlate with setupapi.dev.log for first connection time.
6. [SCENARIO] A suspect's laptop was seized powered-on. The examiner faces a choice: image RAM immediately (risky — may crash) or shut down and image disk (lose volatile data).
The system has suspected malware running in memory only (fileless). What is the correct decision?
- [ ] A. Power off immediately to preserve disk integrity
- [ ] B. Capture RAM first using WinPmem/LiME, then power off and image disk
- [ ] C. Leave system running and remotely triage via EDR
- [ ] D. Remove the disk without powering off using a write blocker
Answer: B
RAM acquisition first is essential for fileless malware — it exists only in memory. Use forensic tools (WinPmem, DumpIt, Magnet RAM Capture) then power off for disk imaging. The risk of crash is acceptable given the alternative is losing all malware evidence.
7. The MFT (Master File Table) in NTFS contains which forensically valuable information?
- [ ] A. Network connection history
- [ ] B. File metadata: creation, modification, access, MFT record change timestamps (MACB), file size, and data runs
- [ ] C. User login history and session tokens
- [ ] D. Application installation logs
Answer: B
The $MFT contains MACB timestamps (Modified, Accessed, Changed ($MFT entry modified), Birth/creation), file attributes, and cluster locations. Timestomping alters the $STANDARD_INFORMATION attribute but not the $FILE_NAME attribute — cross-comparison detects manipulation.
8. Which anti-forensics technique involves modifying file timestamps to disguise when a file was created or modified?
- [ ] A. Steganography
- [ ] B. Slack space hiding
- [ ] C. Timestomping
- [ ] D. Log wiping
Answer: C
Timestomping alters $STANDARD_INFORMATION timestamps. Detection: compare SI timestamps vs $FILENAME attribute timestamps — attackers often forget to modify both, revealing the discrepancy.
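Added example (not part of the quiz, and not code from any MFT parser): the $SI-versus-$FN comparison described above, applied to already-parsed timestamp records. Two families of heuristics are implemented: $SI times that fall before the $FN creation time, and $SI times whose sub-second part is zero while the kernel-written $FN keeps a non-zero fraction. The `MftTimestamps` record type is an assumption for this example; real records carry 100-ns FILETIME values, and Python's microsecond field stands in for them here. The records themselves are constructed, not parsed from a real $MFT.

```python
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass
class MftTimestamps:
    """Creation/modification times from the two NTFS attributes, in UTC.
    Hypothetical record type: real $MFT parsers expose these fields under their own names."""
    path: str
    si_created: datetime   # $STANDARD_INFORMATION (settable from user mode via SetFileTime)
    si_modified: datetime
    fn_created: datetime   # $FILE_NAME (written by the kernel, not exposed to SetFileTime)
    fn_modified: datetime


def timestomp_indicators(rec: MftTimestamps):
    """Return the list of heuristics that fire for one record; empty means nothing suspicious."""
    hits = []
    # 1. $SI birth earlier than $FN birth: $FN was set when the entry was created and
    #    only $SI is reachable from user mode, so a back-dated $SI lands before $FN.
    if rec.si_created < rec.fn_created:
        hits.append("si_created_before_fn_created")
    # 2. Modification time that predates the file's own $FN creation.
    if rec.si_modified < rec.fn_created:
        hits.append("si_modified_before_fn_created")
    # 3. Zeroed sub-second fields: many stomping utilities take seconds-granularity input,
    #    leaving the fractional part at zero while the kernel-written $FN keeps it.
    if rec.si_created.microsecond == 0 and rec.fn_created.microsecond != 0:
        hits.append("si_created_zero_fraction")
    if rec.si_modified.microsecond == 0 and rec.fn_modified.microsecond != 0:
        hits.append("si_modified_zero_fraction")
    return hits


def triage(records):
    """Map path -> fired indicators for every record that has at least one."""
    return {r.path: hits for r in records if (hits := timestomp_indicators(r))}


def ts(s):
    """Parse an ISO-8601 string as a UTC datetime (helper for the constructed samples)."""
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


if __name__ == "__main__":
    # Constructed records, not parsed from a real $MFT.
    RECORDS = [
        MftTimestamps(r"C:\Users\jdoe\report.docx",
                      ts("2024-03-05T10:22:13.123456"), ts("2024-03-06T09:01:44.654321"),
                      ts("2024-03-05T10:22:13.123456"), ts("2024-03-05T10:22:13.123456")),
        MftTimestamps(r"C:\Temp\update.dll",
                      ts("2019-04-11T07:00:00"), ts("2019-04-11T07:00:00"),
                      ts("2024-03-07T02:41:09.880123"), ts("2024-03-07T02:41:09.880123")),
    ]
    for path, hits in triage(RECORDS).items():
        print(path, "->", ", ".join(hits))
```

Treat a hit as a lead, not proof: archive extractors and copy tools that preserve original timestamps set $SI back through the same user-mode API after the kernel has written $FN, so a file restored from a backup can show the first indicator legitimately. A record that fires all four, as the second constructed sample does, is the pattern worth pulling the $LogFile and $UsnJrnl for.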
9. In Linux forensics, which file provides a record of all commands executed by root including timestamps?
- [ ] A. /var/log/auth.log
- [ ] B. /root/.bash_history (with HISTTIMEFORMAT set)
- [ ] C. /var/log/syslog
- [ ] D. /proc/cmdline
Answer: B
~/.bash_history with HISTTIMEFORMAT records timestamped commands. Attackers often unset HISTFILE or history -c — absence of history is itself an indicator. Also check /proc/
10. [SCENARIO] During analysis of a compromised Windows server, you find event ID 7045 (new service installed) at 03:12, followed by event ID 4624 (logon type 3) from an external IP at 03:11, then event ID 4688 (process creation) showing cmd.exe spawned mimikatz.exe at 03:13.
Reconstruct the attack timeline:
- [ ] A. Mimikatz → lateral movement → service install
- [ ] B. External logon → service install → mimikatz execution
- [ ] C. Service install → logon → mimikatz
- [ ] D. Mimikatz → service install → logon
Answer: B
Chronological order: 03:11 remote logon → 03:12 service installed (persistence) → 03:13 mimikatz executed (credential harvesting). Classic post-exploitation sequence.
11. Which tool is the industry standard for creating forensically sound disk images with MD5/SHA verification?
- [ ] A. FTK Imager
- [ ] B. Volatility
- [ ] C. Autopsy
- [ ] D. Wireshark
Answer: A
FTK Imager (or dd + dcfldd on Linux) creates bit-for-bit images with hash verification. Volatility is for memory analysis; Autopsy is an analysis platform; Wireshark captures network traffic.
12. Under what condition is forensic evidence most likely to be ruled inadmissible in court?
- [ ] A. The examiner used open-source tools instead of commercial software
- [ ] B. Chain of custody documentation has a gap (unaccounted handling period)
- [ ] C. The analysis took more than 30 days
- [ ] D. The evidence was collected remotely rather than on-site
Answer: B
Chain of custody gaps are the primary basis for evidence exclusion. Every person who handled evidence must be documented with time/date/reason. Tool choice (A) and timeline (C) are rarely disqualifying alone.
13. Memory forensics with Volatility: which plugin identifies processes injected with malicious code (hollowing, reflective DLL injection)?
- [ ] A. pslist
- [ ] B. malfind
- [ ] C. netscan
- [ ] D. hivelist
Answer: B
malfind scans process memory for anomalous regions: executable, non-backed memory pages (no file on disk) with MZ headers — hallmarks of process injection. pslist shows process list; netscan shows network connections.
14. [SCENARIO] A financial institution suspects an employee copied 50,000 customer records to a USB drive. The employee denies it. You have the employee's workstation image.
Which artifact combination MOST strongly proves USB usage and file copying?
- [ ] A. Browser history + recent files list
- [ ] B. USBSTOR registry key (device serial) + LNK files pointing to USB drive letter + Shellbags for USB folder navigation + Event ID 6416 (new device recognized)
- [ ] C. Prefetch for xcopy.exe + Windows Security event logs
- [ ] D. Email sent folder + clipboard history
Answer: B
USBSTOR + LNK files + Shellbags + Event 6416 provides a complete picture: device identity, files accessed, folder navigation, and device recognition event. This multi-artifact correlation is court-ready.
15. The "order of volatility" principle in forensic acquisition prioritizes:
- [ ] A. Largest files first
- [ ] B. Encrypted volumes before plaintext
- [ ] C. Most volatile data first: CPU registers → RAM → swap → disk → logs → archival
- [ ] D. Network captures before endpoint artifacts
Answer: C
RFC 3227 establishes volatility order. CPU/register state is lost on context switch; RAM is lost on power-off; swap on reboot; disk survives power-off but can be wiped. Always capture most volatile first.
Score Interpretation
| Score | Level |
|---|---|
| 13–15 | Expert — GCFA/GCFE ready |
| 10–12 | Proficient — solid forensics fundamentals |
| 7–9 | Developing — review artifact types and chain of custody |
| <7 | Foundational — revisit Chapter 27 fully |
Key References: RFC 3227, NIST SP 800-86, SWGDE Best Practices, Volatility Framework docs