Digital Forensics Quiz and Answer

Digital Forensics is focused on the identification, preservation, analysis, and presentation of digital evidence found on electronic devices or digital storage media.

It involves applying specialized techniques and methodologies to gather data from computers, mobile devices, networks, and other digital systems in a way that ensures the integrity of the evidence, often for use in legal or criminal investigations.

The following are quizzes and answers related to Digital Forensics. They are listed in no particular order.


  1. What is meant by a distributed denial of service (DDoS) attack?

    An attack in which the attacker seeks to infect several machines and use those machines to overwhelm the target system to achieve a denial of service.

  2. Ben was browsing reviews on a sporting goods website from which he purchased items in the past. He saw a comment that read "Great price on camping gear! Read my review." When he clicked the associated link, a new window appeared and prompted him to log in again. What type of attack is most likely underway?

    Cross-site scripting (XSS)

  3. Which of the following are subclasses of fraud?

    Investment offers and data piracy

  4. Malware that executes damage when a specific condition is met is the definition of?

    logic bomb

  5. Most often, criminals commit __________ in order to perpetrate some kind of financial fraud.

    identity theft

  6. China Eagle Union is __________.

    Chinese cyberterrorism group

  7. __________ is the cyber equivalent of vandalism.

    A denial of service (DoS) attack

  8. A SYN flood is an example of a(n) _______.

    denial of service (DoS) attack

  9. What is a type of targeted phishing attack in which the criminal targets a specific group; for example, IT staff at a bank?

    Spear phishing

  10. __________ is designed to render a target unreachable by legitimate users, not to provide the attacker access to the site.

    A denial of service (DoS) attack.

  11. Use of __________ enables an investigator to reconstruct file fragments if files have been deleted or overwritten.

    bit-level tools

  12. Forensic investigators who collect data as evidence must understand the __________ of information, which refers to how long it is valid.

    life span

  13. __________ govern whether, when, how, and why proof of a legal case can be placed before a judge or jury.

    Rules of evidence

  14. A system forensics specialist has three basic tasks related to handling evidence: find evidence, preserve evidence, and __________ evidence.

    prepare

  15. How you will gather evidence and which tools are most appropriate for a specific investigation are part of ___________.

    a forensic analysis plan

  16. __________ is information at the level of 1s and 0s stored in computer memory or on a storage device.

    bit-level information

  17. When gathering systems evidence, what is NOT a common principle?

    trust only virtual evidence

  18. _____ is an industry certification that focuses on knowledge of PC hardware.

    CompTIA A+

  19. Which of the following requires certification candidates to take an approved training course, pass a written test, and submit to a review of the candidate’s work history?

    High Tech Crime Network certifications

  20. Which of the following BEST defines rules of evidence?

    rules that govern whether, when, how, and why proof of a legal case can be placed before a judge or jury

  21. What version of RAID uses three or more striped disks with parity that protects data against the loss of any one disk?

    RAID 5

  22. What is the purpose of a swap file (or swap partition on some systems)?

    Swap is a temporary storage area on the hard drive used when RAM is overcommitted. This means that RAM is full or nearly full, so unused programs or data are written to swap so the RAM they used can be freed up for other programs.

  23. What uses microchips that retain data in non-volatile memory chips and contains no moving parts?

    Solid-state drive (SSD)

  24. What term describes data that an operating system creates and overwrites without the computer user directly saving this data?

    Temporary data

  25. EIDE is _________.

    a type of magnetic drive

  26. Two of the easiest things to extract during __________ are a list of all website uniform resource locators (URLs) and a list of all email addresses on the computer.

    physical analysis.

  27. An example of volatile data is __________.

    state of network connections

  28. Which of the following is NOT true of chain of custody forms?

    A chain of custody form is a federal form and is therefore universal.

  29. What are attributes of a solid-state drive (SSD)?

    Flash memory and microchips

  30. What was designed as an area where computer vendors could store data that is shielded from user activities and operating system utilities, such as delete and format?

    Host protected area (HPA)

  31. Which of the following is the correct order in which to collect data from a computer system?

    First – Volatile data. Next – temporary data. Finally – persistent data.

  32. What kind of data changes rapidly and may be lost when the machine that holds it is powered down?

    volatile data

  33. People try to thwart investigators by using encryption to scramble information or _________ to hide information, or both together.

    steganography

  34. In World War II, the Germans made use of an electromechanical rotor-based cipher system known as __________.

    the Enigma machine

  35. __________ describes the total number of coprime numbers; two numbers are considered coprime if they have no common factors.

    Euler's Totient

  36. The __________ cipher is a Hebrew code that substitutes the first letter of the alphabet for the last letter and the second letter for the second-to-last letter, and so forth.

    Atbash

  37. __________ is the process of analyzing a file or files for hidden content.

    Steganalysis

  38. __________ is a term that refers to hiding messages in sound files.

    Steganophony

  39. What is the definition of Feistel function?

    A cryptographic function that splits blocks of data into two parts; it forms the basis for many block ciphers

  40. __________ is perhaps the most widely used public key cryptography algorithm in existence today.

    RSA

  41. What is the definition of transposition in terms of cryptography?

    The swapping of blocks of ciphertext

  42. What is the definition of stream cipher?

    A form of cryptography that encrypts the data as a stream, one bit at a time

  43. The __________ cipher is a method of encrypting alphabetic text by using a series of different monoalphabetic ciphers selected based on the letters of a keyword.

    Vigenère

  44. A forensic examiner is performing analysis on an image of a seized machine. A power outage causes the computer to power off and back on again. When he attempts to boot up the machine to continue his work, the Windows operating system begins to initialize. However, it does not proceed past the loading screen. What type of damage is likely to have occurred?

    Logical damage

  45. Which operating system commonly uses the Ext file system?

    Linux

  46. ________ is the preferred file system of Windows 2000 and later operating systems.

    NTFS

  47. When preparing to perform a manual recovery on a Linux system, what is the first step?

    Move the system to single-user mode

  48. In Windows, what does the file allocation table (FAT) store?

    The mapping between files and their cluster location on the hard drive

  49. The ________ and the ________ are the two NTFS files of most interest to forensics efforts.

    (i) Master File Table (MFT), and (ii) cluster bitmap

  50. You are a forensic examiner. The logical structure of a hard disk that you are analyzing appears almost destroyed. You are not able to get the system to boot up despite your best efforts. You choose to perform a zero-knowledge analysis. Is this an appropriate choice for the next step?

    Yes. Using this technique, the file system is rebuilt from scratch using knowledge of an undamaged file system structure. It should allow for data retrieval.

  51. You are attempting to recover deleted files from a storage device. The device's operating system uses the FAT32 file system. What is the most important advantage you have when attempting to recover specific deleted files?

    Time. Files that were deleted relatively recently are more likely to be recovered.

  52. Which of the following is not true of file carving?

    You can perform file carving on the NTFS file system but not FAT32

  53. A symbolic link is ________ another file.

    a pointer to

  54. A suspect has erased their browsing history on their computer. The computer has Microsoft Internet Explorer installed. The forensic investigator must retrieve recently visited web addresses and recently opened files. What should the investigator do?

    Download a tool that allows for retrieval and review of the index.dat file

  55. What is the repository of all information on a Windows system?

    The Windows Registry

  56. What is the Windows swap file used to augment?

    Random access memory (RAM)

  57. The Windows Registry is organized into five sections. The __________ section contains those settings common to the entire machine, regardless of the individual user.

    HKEY_LOCAL_MACHINE (HKLM)

  58. Carl is beginning a digital forensic investigation. He has been sent into the field to collect a machine. When he arrives, he sees that the computer is running Windows and has open applications. He decides to preserve as much data as possible by capturing data in memory. What should Carl perform?

    Volatile memory analysis

  59. A __________ is a software program that appears to be a physical computer and executes programs as if it were a physical computer.

    virtual machine

  60. The Windows Registry is organized into five sections. The __________ section is critical to forensic investigations. It has profiles for all the users, including their settings.

    HKEY_USERS (HKU)

  61. _______ is the Windows program that handles security and logon policies.

    Lsass.exe

  62. You boot up a machine to start a forensic investigation. You get a message on screen indicating that the "Master Boot Record Cannot Be Found." What step of the boot process has failed?

    The computer has failed to read the master boot record (MBR)

  63. What is the best definition of "dump" in terms of computer memory?

    A complete copy of every bit of memory or cache recorded in permanent storage or printed on paper

  64. The Linux __________ command can be used to quickly catalog a suspect drive.

    ls

  65. In Linux, as with Windows, the first sector on any disk is called the __________.

    boot sector

  66. The Linux __________ command displays a list of all users currently logged in to a system.

    who

  67. Which Linux distribution is highly popular with beginners?

    Ubuntu

  68. In the Linux boot process, the master boot record (MBR) loads up a(n) __________ program, such as GRUB or LILO.

    boot loader

  69. If you type the __________ command at the Linux shell, you are asked for the root password. If you successfully supply it, you will then have root privileges.

    su

  70. A system that monitors network traffic looking for suspicious activity is __________.

    an IDS

  71. Which Linux shell command removes or deletes entire directories?

    rmdir

  72. The Linux __________ shell command shows all the messages that were displayed during the boot process.

    dmesg

  73. It is a common practice to keep Linux kernel images in which directory?

    the /boot directory

  74. What is the primary purpose of "Boot Camp Assistant," usually just called Boot Camp?

    It allows one to install additional operating systems on the same machine as macOS.

  75. On a Macintosh, in the __________ folder, you will find a subfolder named app profile. This contains lists of recently opened applications as well as temporary data used by applications.

    var/vm

  76. On a Macintosh, the _________ directory contains information about mounted devices.

    /Volumes

  77. _________ is the process whereby the file system keeps a record of what file transactions take place so that in the event of a hard drive crash, the files can be recovered.

    Journaling

  78. In macOS, the __________ shell command returns the hardware information for the host system. This provides information useful for the basic documentation of the system prior to beginning your forensic examination.

    system_profiler SPHardwareDataType

  79. Apple Hardware: In 2020, Apple announced plans to shift the Macintosh to an Apple-designed CPU. Apple licensed the __________ architecture to design the new CPUs.

    ARM

  80. The current primary file system used by Apple for its devices is __________________________.

    APFS

  81. In macOS, the __________ folder can give you that information about what documents have been printed from a Macintosh.

    /var/spool/cups

  82. On a Macintosh, the __________ directory contains information about servers, network libraries, and network properties.

    /Network

  83. On a Macintosh, the __________ folder contains information about system and software updates.

    /Library/Receipts

  84. You are investigating an email reported by a client as malicious. The email came from a known source, passed all validity checks, and originated from a mail server not blacklisted by any blacklist service. However, the message was short and contained a link that, when clicked, loaded malicious software onto the client's server. What form of email faking are you looking at?

    Valid emails

  85. If an internet service provider (ISP) or any other communications network stores an email, retrieval of that evidence must be analyzed under __________, which creates statutory restrictions on government access to such evidence from ISPs or other electronic communications service providers.

    the Electronic Communications Privacy Act (ECPA)

  86. You want to send an email anonymously for malicious purposes. You know you have the option to "spoof" a number of different aspects about the email. You want to spoof the hardware address of your computer's network card. What sort of spoofing is that?

    Media Access Control (MAC) spoofing

  87. The CAN-SPAM Act applies only to _______ emails.

    commercial

  88. Files with .pst extensions belong to which email client?

    Microsoft Outlook

  89. You are a forensic investigator researching an email sent for malicious intent. The sender used an email web service to transmit the message. The receiver also used an email web service. Both the sender and receiver deleted the message and then deleted the message from their trash folders. What is your only possible option to recover the email?

    Issue a subpoena to the service provider and possibly recover the message from a backup

  90. What is Internet Message Access Protocol (IMAP)?

    A protocol used to receive email that works on port 143

  91. What email header field includes tracking information generated by mail servers that have previously handled a message, in reverse order?

    Received

  92. The process of sending an email message to an anonymizer is the definition of:

    anonymous remailing

  93. You are a forensic investigator. You are looking for clues about where an email message has been. This is a frequent task you perform. You often use audits and paper trails of email traffic as evidence in court and sometimes network tracing tools. Which task are you performing?

    Email tracing

  94. The __________ is a code used to reset a forgotten PIN. Using this code returns the phone to its original state (reset), causing the loss of most useful forensic data.

    personal unlocking code (PUK)

  95. There are four layers to iOS. The __________ layer responds to gestures, such as swipe, drag, pinch, and tap.

    Cocoa Touch

  96. The __________ is a unique identification number for identifying code division multiple access (CDMA) cell phones.

    electronic serial number (ESN)

  97. In a cellular network, the __________ database contains subscriber data and service information for roaming phones.

    visitor location register (VLR)

  98. The __________________ is a unique number identifying phones, typically on GSM and LTE networks. It can be accessed easily on most smartphones by entering *#06# on the dial pad.

    International Mobile Equipment Identity (IMEI) number

  99. There are four layers to iOS. The _________ layer is the heart of the operating system.

    Core OS

  100. There are four layers to iOS. The __________ layer is how applications interact with iOS.

    Core services

  101. In a cellular network, the __________ is a database used by the mobile switching center (MSC) that contains subscriber data and service information.

    home location register (HLR)

  102. The 4G standard for cellular networks is known as _________________________.

    Long Term Evolution (LTE)

  103. The __________ consists of a Base Transceiver Station and a Base Station Controller. It is a set of radio transceiver equipment that communicates with subscribers' cellular devices.

    base station system (BSS)

  104. The Transmission Control Protocol (TCP) header has synchronization bits that are used to establish and terminate communications across a network between two communicating parties. The __________ bit indicates that there is no more data from the sender.

    FIN

  105. Packets are divided into two parts, the header and the __________.

    payload

  106. A port is a number that identifies a channel in which communication can occur. By default, which port does SSH (Secure Shell) use to remotely and securely log on to a system?

    22

  107. Which of the following IPv4 addresses does not fall within one of the ranges reserved for private networks?

    127.0.0.1

  108. A port is a number that identifies a channel in which communication can occur. By default, which port does SMTP (Simple Mail Transfer Protocol) use to send email?

    25

  109. A ______________________ firewall will examine each and every packet, denying or permitting them based on not only the current packet but also the previous packets in the conversation. The firewall is aware of the context of the traffic moving back and forth.

    stateful packet inspection

  110. Which port does Post Office Protocol Version 3 (POP3) use to retrieve email?

    Port 110

  111. A port is a number that identifies a channel in which communication can occur. By default, which port does Domain Name Service (DNS) use to translate host names into IP addresses?

    53

  112. At the Transport layer (OSI model), the __________ header has a source and destination port number, but it lacks a sequence number and synchronization bits.

    UDP

  113. The Transmission Control Protocol (TCP) header has synchronization bits that are used to establish and terminate communications across a network between two communicating parties. The __________ bit acknowledges the attempt to synchronize communications.

    ACK

  114. A ____________ is malware code that attaches itself or embeds itself into a legitimate program, which then produces output that the original author did not intend.

    Virus

  115. Which of the following is the best definition of DLL injection?

    Forcing a program to load a particular DLL

  116. What is one of the primary purposes of OSForensics Volatility Workbench?

    It provides a GUI to select Volatility commands

  117. A "worm" at its most basic is a program that __________________ rather than attach/embed itself like a virus.

    Self-propagates

  118. The _________ is computer memory that is automatically allocated and managed as needed for temporary variables within functions inside programs.

    stack

  119. _______________ is malware that monitors activities on the computer: keystrokes, mouse clicks, screen captures, and more.

    spyware

  120. __________ is memory that programs can allocate as needed.

    heap

  121. What is a Volatility profile used for?

    the memory profile of the memory image

  122. What maps virtual memory addresses to physical addresses?

    page

  123. _____________ is a memory tool with an innovative process for discovering possible malware in a memory dump. It examines and then assigns a density rating to a file. Since malware tends to use various packing techniques like encryption, malware tends to have a very low density.

    Density Scout