Digital Forensics Quiz and Answer
Digital Forensics is focused on the identification, preservation, analysis, and presentation of digital evidence found on electronic devices or digital storage media.
It involves applying specialized techniques and methodologies to gather data from computers, mobile devices, networks, and other digital systems in a way that ensures the integrity of the evidence, often for use in legal or criminal investigations.
The following are quizzes and answers related to Digital Forensics. They are listed in no particular order.
- What is meant by distributed denial of service (DDoS) attack?
An attack in which the attacker seeks to infect several machines, and use those machines to overwhelm the target system to achieve a denial of service.
- Ben was browsing reviews on a sporting goods website from which he purchased items in the past. He saw a comment that read "Great price on camping gear! Read my review." When he clicked the associated link, a new window appeared and prompted him to log in again. What type of attack is most likely underway?
Cross-site scripting (XSS)
- Which of the following are subclasses of fraud?
Investment offers and data piracy
- Malware that executes damage when a specific condition is met is the definition of?
logic bomb
- Most often, criminals commit __________ in order to perpetrate some kind of financial fraud.
identity theft
- China Eagle Union is __________.
Chinese cyberterrorism group
- __________ is the cyber equivalent of vandalism.
A denial of service (DoS) attack
- A SYN flood is an example of a(n) _______.
denial of service (DoS) attack
- What is a type of targeted phishing attack in which the criminal targets a specific group; for example, IT staff at a bank?
Spear phishing
- __________ is designed to render a target unreachable by legitimate users, not to provide the attacker access to the site.
A denial of service (DoS) attack.
- Use of __________ enables an investigator to reconstruct file fragments if files have been deleted or overwritten.
bit-level tools
- Forensic investigators who collect data as evidence must understand the __________ of information, which refers to how long it is valid.
life span
- __________ govern whether, when, how, and why proof of a legal case can be placed before a judge or jury.
Rules of evidence
- A system forensics specialist has three basic tasks related to handling evidence: find evidence, preserve evidence, and __________ evidence.
prepare
- How you will gather evidence and which tools are most appropriate for a specific investigation are part of ___________.
a forensic analysis plan
- __________ is information at the level of 1s and 0s stored in computer memory or on a storage device.
bit-level information
- When gathering systems evidence, what is NOT a common principle?
trust only virtual evidence
- _____ is an industry certification that focuses on knowledge of PC hardware.
CompTIA A+
- Which of the following requires certification candidates to take an approved training course, pass a written test, and submit to a review of the candidate’s work history?
High Tech Crime Network certifications
- Which of the following BEST defines rules of evidence?
rules that govern whether, when, how, and why proof of a legal case can be placed before a judge or jury
- What version of RAID uses three or more striped disks with parity that protects data against the loss of any one disk?
RAID 5
- What is the purpose of a swap file (or swap partition on some systems)?
Swap is a temporary storage area on the hard drive used when RAM is overcommitted. This means that RAM is full or nearly full, so unused programs or data are written to swap so the RAM used can be freed up for other programs.
- What uses microchips that retain data in non-volatile memory chips and contains no moving parts?
Solid-state drive (SSD)
- What term describes data that an operating system creates and overwrites without the computer user directly saving this data?
Temporary data
- EIDE is _________.
a type of magnetic drive
- Two of the easiest things to extract during __________ are a list of all website uniform resource locators (URLs) and a list of all email addresses on the computer.
physical analysis
- An example of volatile data is __________.
state of network connections
- Which of the following is NOT true of chain of custody forms?
A chain of custody form is a federal form and is therefore universal.
- What are attributes of a solid-state drive (SSD)?
Flash memory and microchips
- What was designed as an area where computer vendors could store data that is shielded from user activities and operating system utilities, such as delete and format?
Host protected area (HPA)
- Which of the following is the correct order in which to collect data from a computer system?
First – Volatile data. Next – temporary data. Finally – persistent data.
- What kind of data changes rapidly and may be lost when the machine that holds it is powered down?
volatile data
- People try to thwart investigators by using encryption to scramble information or _________ to hide information, or both together.
steganography
- In World War II, the Germans made use of an electromechanical rotor-based cipher system known as __________.
the Enigma machine
- __________ describes the total number of coprime numbers; two numbers are considered coprime if they have no common factors.
Euler's Totient
- The __________ cipher is a Hebrew code that substitutes the first letter of the alphabet for the last letter and the second letter for the second-to-last letter, and so forth.
Atbash
- __________ is the process of analyzing a file or files for hidden content.
Steganalysis
- __________ is a term that refers to hiding messages in sound files.
Steganophony
- What is the definition of Feistel function?
A cryptographic function that splits blocks of data into two parts; it forms the basis for many block ciphers
- __________ is perhaps the most widely used public key cryptography algorithm in existence today.
RSA
- What is the definition of transposition in terms of cryptography?
The swapping of blocks of ciphertext
- What is the definition of stream cipher?
A form of cryptography that encrypts the data as a stream, one bit at a time
- The __________ cipher is a method of encrypting alphabetic text by using a series of different monoalphabetic ciphers selected based on the letters of a keyword.
Vigenère
- A forensic examiner is performing analysis on an image of a seized machine. A power outage causes the computer to power off and back on again. When he attempts to boot up the machine to continue his work, the Windows operating system begins to initialize. However, it does not proceed past the loading screen. What type of damage is likely to have occurred?
Logical damage
- Which operating system commonly uses the Ext file system?
Linux
- ________ is the preferred file system of Windows 2000 and later operating systems.
NTFS
- When preparing to perform a manual recovery on a Linux system, what is the first step?
Move the system to single-user mode
- In Windows, what does the file allocation table (FAT) store?
The mapping between files and their cluster location on the hard drive
- The ________ and the ________ are the two NTFS files of most interest to forensics efforts.
(i) Master File Table (MFT), and (ii) cluster bitmap
- You are a forensic examiner. The logical structure of a hard disk that you are analyzing appears almost destroyed. You are not able to get the system to boot up despite your best efforts. You choose to perform a zero-knowledge analysis. Is this an appropriate choice for the next step?
Yes. Using this technique, the file system is rebuilt from scratch using knowledge of an undamaged file system structure. It should allow for data retrieval.
- You are attempting to recover deleted files from a storage device. The device's operating system uses the FAT32 file system. What is the most important advantage you have when attempting to recover specific deleted files?
Time. Files that were deleted relatively recently are more likely to be recovered.
- Which of the following is not true of file carving?
You can perform file carving on the NTFS file system but not FAT32
- A symbolic link is ________ another file.
a pointer to
- A suspect has erased their browsing history on their computer. The computer has Microsoft Internet Explorer installed. The forensic investigator must retrieve recently visited web addresses and recently opened files. What should the investigator do?
Download a tool that allows for retrieval and review of the index.dat file
- What is the repository of all information on a Windows system?
The Windows Registry
- What is the Windows swap file used to augment?
Random access memory (RAM)
- The Windows Registry is organized into five sections. The __________ section contains those settings common to the entire machine, regardless of the individual user.
HKEY_LOCAL_MACHINE (HKLM)
- Carl is beginning a digital forensic investigation. He has been sent into the field to collect a machine. When he arrives, he sees that the computer is running Windows and has open applications. He decides to preserve as much data as possible by capturing data in memory. What should Carl perform?
Volatile memory analysis
- A __________ is a software program that appears to be a physical computer and executes programs as if it were a physical computer.
virtual machine
- The Windows Registry is organized into five sections. The __________ section is critical to forensic investigations. It has profiles for all the users, including their settings.
HKEY_USERS (HKU)
- _______ is the Windows program that handles security and logon policies.
Lsass.exe
- You boot up a machine to start a forensic investigation. You get a message on screen indicating that the "Master Boot Record Cannot Be Found." What step of the boot process has failed?
The computer has failed to read the master boot record (MBR)
- What is the best definition of "dump" in terms of computer memory?
A complete copy of every bit of memory or cache recorded in permanent storage or printed on paper
- The Linux __________ command can be used to quickly catalog a suspect drive.
ls
- In Linux, as with Windows, the first sector on any disk is called the __________.
boot sector
- The Linux __________ command displays a list of all users currently logged in to a system.
who
- Which Linux distribution is highly popular with beginners?
Ubuntu
- In the Linux boot process, the master boot record (MBR) loads up a(n) __________ program, such as GRUB or LILO.
boot loader
- If you type the __________ command at the Linux shell, you are asked for the root password. If you successfully supply it, you will then have root privileges.
su
- A system that monitors network traffic looking for suspicious activity is __________.
an IDS
- Which Linux shell command removes or deletes entire directories?
rmdir
- The Linux __________ shell command shows all the messages that were displayed during the boot process.
dmesg
- It is a common practice to keep Linux kernel images in which directory?
the /boot directory
- What is the primary purpose of "Boot Camp Assistant," usually just called Boot Camp?
It allows one to install additional operating systems on the same machine as macOS.
- On a Macintosh, in the __________ folder, you will find a subfolder named app profile. This contains lists of recently opened applications as well as temporary data used by applications.
var/vm
- On a Macintosh, the _________ directory contains information about mounted devices.
/Volumes
- _________ is the process whereby the file system keeps a record of what file transactions take place so that in the event of a hard drive crash, the files can be recovered.
Journaling
- In macOS, the __________ shell command returns the hardware information for the host system. This provides information useful for the basic documentation of the system prior to beginning your forensic examination.
system_profiler SPHardwareDataType
- Apple Hardware: In 2020, Apple announced plans to shift the Macintosh to an Apple-designed CPU. Apple licensed the __________ architecture to design the new CPUs.
ARM
- The current primary file system used by Apple for its devices is __________________________.
APFS
- In macOS, the __________ folder can give you that information about what documents have been printed from a Macintosh.
/var/spool/cups
- On a Macintosh, the __________ directory contains information about servers, network libraries, and network properties.
/Network
- On a Macintosh, the __________ folder contains information about system and software updates.
/Library/Receipts
- You are investigating an email reported by a client as malicious. The email came from a known source, passed all validity checks, and originated from a mail server not blacklisted by any blacklist service. However, the message was short and contained a link that, when clicked, loaded malicious software onto the client's server. What form of email faking are you looking at?
Valid emails
- If an internet service provider (ISP) or any other communications network stores an email, retrieval of that evidence must be analyzed under __________, which creates statutory restrictions on government access to such evidence from ISPs or other electronic communications service providers.
the Electronic Communications Privacy Act (ECPA)
- You want to send an email anonymously for malicious purposes. You know you have the option to "spoof" a number of different aspects about the email. You want to spoof the hardware address of your computer's network card. What sort of spoofing is that?
Media Access Control (MAC) spoofing
- The CAN-SPAM Act applies only to _______ emails.
commercial
- Files with .pst extensions belong to which email client?
Microsoft Outlook
- You are a forensic investigator researching an email sent for malicious intent. The sender used an email web service to transmit the message. The receiver also used an email web service. Both the sender and receiver deleted the message and then deleted the message from their trash folders. What is your only possible option to recover the email?
Issue a subpoena to the service provider and possibly recover the message from a backup
- What is Internet Message Access Protocol (IMAP)?
A protocol used to receive email that works on port 143
- What email header field includes tracking information generated by mail servers that have previously handled a message, in reverse order?
Received
- The process of sending an email message to an anonymizer is the definition of:
anonymous remailing
- You are a forensic investigator. You are looking for clues about where an email message has been. This is a frequent task you perform. You often use audits and paper trails of email traffic as evidence in court and sometimes network tracing tools. Which task are you performing?
Email tracing
- The __________ is a code used to reset a forgotten PIN. Using this code returns the phone to its original state (reset), causing the loss of most useful forensic data.
personal unlocking code (PUK)
- There are four layers to iOS. The __________ layer responds to gestures, such as swipe, drag, pinch, and tap.
Cocoa Touch
- The __________ is a unique identification number for identifying code division multiple access (CDMA) cell phones.
electronic serial number (ESN)
- In a cellular network, the __________ database contains subscriber data and service information for roaming phones.
visitor location register (VLR)
- The __________________ is a unique number identifying phones, typically on GSM and LTE networks. It can be accessed easily on most smartphones by entering *#06# on the dial pad.
International Mobile Equipment Identity (IMEI) number
- There are four layers to iOS. The _________ layer is the heart of the operating system.
Core OS
- There are four layers to iOS. The __________ layer is how applications interact with iOS.
Core services
- In a cellular network, the __________ is a database used by the mobile switching center (MSC) that contains subscriber data and service information.
home location register (HLR)
- The 4G standard for cellular networks is known as _________________________.
Long Term Evolution (LTE)
- The __________ consists of a Base Transceiver Station and a Base Station Controller. It is a set of radio transceiver equipment that communicates with subscribers' cellular devices.
base station system (BSS)
- The Transmission Control Protocol (TCP) header has synchronization bits that are used to establish and terminate communications across a network between two communicating parties. The __________ bit indicates that there is no more data from the sender.
FIN
- Packets are divided into two parts, the header and the __________.
payload
- A port is a number that identifies a channel in which communication can occur. By default, which port does SSH (Secure Shell) use to remotely and securely log on to a system?
22
- Which of the following IPv4 addresses does not fall within one of the ranges reserved for private networks?
127.0.0.1
- A port is a number that identifies a channel in which communication can occur. By default, which port does SMTP (Simple Mail Transfer Protocol) use to send email?
25
- A ______________________ firewall will examine each and every packet, denying or permitting them based on not only the current packet but also the previous packets in the conversation. The firewall is aware of the context of the traffic moving back and forth.
stateful packet inspection
- Which port does Post Office Protocol Version 3 (POP3) use to retrieve email?
Port 110
- A port is a number that identifies a channel in which communication can occur. By default, which port does Domain Name Service (DNS) use to translate host names into IP addresses?
53
- At the Transport layer (OSI model), the __________ header has a source and destination port number, but it lacks a sequence number and synchronization bits.
UDP
- The Transmission Control Protocol (TCP) header has synchronization bits that are used to establish and terminate communications across a network between two communicating parties. The __________ bit acknowledges the attempt to synchronize communications.
ACK
- A ____________ is malware code that attaches itself or embeds itself into a legitimate program, which then produces output that the original author did not intend.
Virus
- Which of the following is the best definition of DLL injection?
Forcing a program to load a particular DLL
- What is one of the primary purposes of OSForensics Volatility Workbench?
It provides a GUI to select Volatility commands
- A "worm" at its most basic is a program that __________________ rather than attach/embed itself like a virus.
Self-propagates
- The _________ is computer memory that is automatically allocated and managed as needed for temporary variables within functions inside programs.
stack
- _______________ is malware that monitors activities on the computer - keystrokes, mouse clicks, screen captures, and more.
spyware
- __________ is memory that programs can allocate as needed.
heap
- What is a Volatility profile used for?
the memory profile of the memory image
- What maps virtual memory addresses to physical addresses?
page
- _____________ is a memory tool with an innovative process for discovering possible malware in a memory dump. It examines and then assigns a density rating to a file. Since malware tends to use various packing techniques like encryption, malware tends to have a very low density.
Density Scout