Cyber Forensics MCQ 60 Tests With Answers (2026)

Cyber Forensics MCQ practice questions are essential for preparing for competitive exams, threat hunting assessments, and professional certifications (CHFI, GCFE, GCFA, EnCE, CISSP). This comprehensive MCQ platform provides 60 carefully curated practice questions covering evidence acquisition, physical vs. logical imaging, volatility, memory analysis, anti-forensics detection, and courtroom evidence standards.
These questions are organized into three progressive difficulty levels of 20 questions each: Basics (covering first responder rules, chain of custody, write blockers, and the order of volatility), Concepts (covering disk imaging, memory forensics, network capture, log correlation, and file carving signatures), and Advanced (covering scenario-based malware analysis, timestomping detection, anti-forensics techniques, and the Daubert Standard for expert witness admissibility). Each question includes a verified, in-depth explanation to reinforce learning.
Practice in Study Mode to reveal answers and detailed explanations instantly, or use Exam Mode for timed testing and real-time scoring to simulate certification or university exam conditions. The interactive engine tracks your progress and identifies knowledge gaps across disk forensics, memory triage, and log correlation.
Contents
- 1. Basics (20 Questions): Order of Volatility · Write Blockers · Forensic Imaging Types
- 2. Concepts (20 Questions): Memory Analysis · Steganography & StegExpose · Anti-Forensics & Timestomping
- 3. Advanced (20 Questions): Scenario-based · complex mechanics
- 4. Conclusion: summary · next steps · study tips
- 5. Key Takeaways: quick-fire bullet recap of essential facts
- 6. Quick Review Summary: concept · definition · key fact table
- 7. FAQ: common questions answered
Cyber Forensics: Basics
1. What is the primary goal of digital forensics?
Answer (B): To identify, collect, preserve, and analyze digital evidence for legal proceedings
Digital forensics is the application of scientific methods to identify, collect, preserve, and analyze digital evidence in a manner that maintains its integrity and admissibility in court. While file recovery may be one activity involved, the overarching goal is to support legal proceedings with reliable evidence.
2. Which principle ensures that digital evidence is not altered during the investigation process?
Answer (C): Evidence integrity
Evidence integrity is the core principle ensuring that digital evidence remains unaltered from the moment of collection through analysis and presentation. Techniques such as cryptographic hashing (MD5, SHA-256) are used to verify that evidence has not been tampered with at any stage.
3. What device is used to prevent writes to a storage medium during forensic acquisition?
Answer (D): Hardware write blocker
A hardware write blocker is a physical device that sits between the suspect drive and the forensic workstation, permitting read operations while intercepting and blocking any write commands. This ensures the original evidence medium is not modified during imaging.
4. What is a forensic image?
Answer (A): A bit-for-bit copy of a storage device that includes all data, including deleted files and unallocated space
A forensic image (also called a bit-stream image or mirror image) is an exact sector-by-sector copy of a storage medium, capturing all allocated and unallocated space, deleted files, file slack, and metadata. Tools such as dd, FTK Imager, and EnCase create forensic images in formats like E01 or raw (dd).
5. Which hashing algorithm is most commonly used to verify the integrity of a forensic image?
Answer (C): SHA-256
SHA-256 (and MD5 as a legacy option) are used to generate hash values before and after acquisition. If the hashes match, the copy is forensically identical to the original. AES is an encryption algorithm, Base64 is an encoding scheme, and ROT13 is a simple substitution cipher; none of these verify integrity.
6. What does the "order of volatility" guide in digital forensics?
Answer (D): The sequence in which evidence should be collected, from most to least volatile
The order of volatility (per RFC 3227) dictates that investigators collect evidence from the most volatile sources first (CPU registers and cache, then RAM, swap/page file, temporary files, disk, and finally remote logs) because volatile data is lost when the system is powered off or rebooted.
7. Which of the following is the most volatile type of evidence?
Answer (B): Contents of RAM (main memory)
RAM is the most volatile digital evidence; its contents are lost the moment the system loses power. It may contain running processes, open network connections, encryption keys, and plaintext passwords that exist nowhere else, making live memory acquisition a critical early step.
8. What is the chain of custody in digital forensics?
Answer (C): A documented record of who handled evidence, when, and what actions were taken
The chain of custody is a chronological paper trail documenting every person who handled the evidence, the date and time of each transfer, the storage conditions, and any actions performed. Gaps or inconsistencies in the chain of custody can render evidence inadmissible in court.
9. Which file system is natively used by most Windows NTFS partitions to track file metadata such as timestamps and permissions?
Answer (A): Master File Table (MFT)
The NTFS Master File Table (MFT) is a database that stores a record for every file and directory on the volume, including file names, sizes, timestamps (created, modified, accessed, and MFT-entry changed: the MACB times), permissions, and data runs. The MFT is a primary artifact examined in Windows forensics.
10. What does "file carving" refer to in digital forensics?
Answer (D): Reconstructing files from raw disk data based on known file headers and footers, without relying on file system metadata
File carving is the process of recovering files from unallocated disk space or a damaged file system by searching for known file signatures (magic bytes/headers and footers). Tools like Scalpel, PhotoRec, and Foremost use this technique. It does not rely on directory entries or file system structures.
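The header/footer search this explanation describes, as an added example that is not part of the original page and not code from Scalpel, PhotoRec or Foremost: a small Python carver that walks a raw byte buffer looking for JPEG and PNG signatures and never consults a directory entry or MFT record. The signature table, the `carve` and `extract` functions and the sample buffer returned by `build_sample_blob` are constructed for this example; `max_size` is an assumed safety window so that a header whose footer was overwritten does not swallow the rest of the buffer.

```python
from dataclasses import dataclass
from typing import Dict, List

# Signature table (constructed for this example): header bytes, footer bytes,
# and how many bytes after the footer still belong to the file. A PNG ends with
# the 4-byte "IEND" chunk type followed by that chunk's 4-byte CRC.
SIGNATURES: Dict[str, Dict] = {
    "jpg": {"header": b"\xff\xd8\xff", "footer": b"\xff\xd9", "footer_tail": 0},
    "png": {"header": b"\x89PNG\r\n\x1a\n", "footer": b"IEND", "footer_tail": 4},
}


@dataclass
class CarvedFile:
    kind: str
    offset: int   # byte offset of the header inside the raw data
    length: int   # bytes from header through footer (plus footer tail)


def carve(blob: bytes, max_size: int = 10 * 1024 * 1024) -> List[CarvedFile]:
    """Header/footer carving over raw bytes. No file-system metadata is used:
    the scan covers the whole buffer, so objects in unallocated space are found."""
    found: List[CarvedFile] = []
    for kind, sig in SIGNATURES.items():
        pos = 0
        while True:
            hdr = blob.find(sig["header"], pos)
            if hdr == -1:
                break
            # Only look for the footer within max_size bytes of the header so a
            # header whose footer was overwritten does not produce a huge bogus file.
            window_end = min(len(blob), hdr + max_size)
            ftr = blob.find(sig["footer"], hdr + len(sig["header"]), window_end)
            if ftr == -1:
                # Header without a footer: truncated or partially overwritten object.
                pos = hdr + 1
                continue
            end = min(len(blob), ftr + len(sig["footer"]) + sig["footer_tail"])
            found.append(CarvedFile(kind, hdr, end - hdr))
            pos = end
    found.sort(key=lambda f: f.offset)
    return found


def extract(blob: bytes, item: CarvedFile) -> bytes:
    """Return the carved bytes for one hit."""
    return blob[item.offset:item.offset + item.length]


def build_sample_blob() -> bytes:
    """Constructed stand-in for unallocated space: filler, a minimal JPEG-like
    object, more filler, a minimal PNG-like object, more filler."""
    filler = b"\x00" * 64
    fake_jpeg = b"\xff\xd8\xff\xe0" + b"JFIF-payload" * 4 + b"\xff\xd9"
    fake_png = (b"\x89PNG\r\n\x1a\n" + b"IHDR" + b"\x00" * 13
                + b"IDAT" + b"png-data" * 3 + b"IEND" + b"\xaeB`\x82")
    return filler + fake_jpeg + filler + fake_png + filler


if __name__ == "__main__":
    data = build_sample_blob()
    for hit in carve(data):
        print(f"{hit.kind} at offset {hit.offset}, {hit.length} bytes")
```

Real carvers handle far more formats, fragmented files and false-positive headers; the point here is that every hit is located purely by byte patterns and offsets, which is why carving still works when the file system is gone.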
11. Which of the following best describes "live forensics"?
Answer (B): Conducting forensic investigation on a running system to capture volatile data
Live forensics (also called live response) involves collecting evidence from a system while it is still running. This is necessary to capture volatile evidence such as RAM contents, active network connections, running processes, and logged-on users that would be lost upon shutdown.
12. What is the primary purpose of a forensic write blocker?
Answer (A): To speed up data acquisition from suspect drives
Write blockers, both hardware and software, prevent the investigator's system from writing to the evidence drive. Without a write blocker, simply connecting a drive to a Windows machine can alter timestamps and last-accessed metadata, contaminating the evidence. Preventing modification of the original drive is their sole purpose.
13. In Windows forensics, which registry hive stores information about recently accessed files and application usage?
Answer (C): HKEY_CURRENT_USER (NTUSER.DAT)
NTUSER.DAT is the registry hive for the current user and contains forensically valuable artefacts such as RecentDocs (recently opened files), MRU (most recently used) lists, UserAssist (program execution history), typed URLs, and search history. It is one of the most important artefact sources in Windows user-activity investigations.
14. Which tool is widely regarded as the industry-standard open-source memory analysis framework?
Answer (B): Volatility
Volatility is the open-source memory forensics framework used to analyze RAM dumps. It supports plugins that list running processes (pslist, pstree), network connections (netscan), loaded DLLs, injected code, registry hives in memory, and more. Autopsy and FTK Imager are disk forensics tools; Wireshark is for network analysis.
15. What is steganography in the context of digital forensics?
Answer (D): The practice of hiding secret information within ordinary, non-secret data or media files
Steganography is the technique of concealing data within another carrier file (image, audio, video, or document) such that the existence of the hidden message is not apparent. In forensics, investigators use steganalysis tools such as StegDetect and zsteg to detect and extract hidden content that suspects may have used to conceal evidence.
16. Which of the following best defines "anti-forensics"?
Answer (C): Techniques used to impede or mislead forensic investigations, such as data wiping or timestamp manipulation
Anti-forensics encompasses any deliberate technique intended to destroy, hide, or falsify digital evidence. Common methods include secure file deletion (using tools like Eraser or `shred`), timestamp manipulation (timestomping), encryption, steganography, log tampering, and the use of live boot OS environments that leave no traces on disk.
17. What is the role of metadata in a digital forensic investigation?
Answer (A): Metadata is irrelevant because it can be easily forged by any user
Metadata (data about data) is enormously valuable in forensic investigations. File system metadata (MACB timestamps), EXIF data in photographs (camera model, GPS coordinates, date/time), document metadata (author, revision history), and email headers all provide investigative leads and can be used to establish timelines or link a suspect to a file or device.
18. What does MACB stand for in Windows NTFS timestamp analysis?
Answer (C): Modified, Archived, Compressed, Backed up
MACB stands for Modified, Accessed, Created, and Born (also called Changed, the $MFT entry change time). NTFS stores two sets of timestamps per file: one in the $STANDARD_INFORMATION attribute (user-visible, can be manipulated) and one in the $FILE_NAME attribute (harder to modify, updated by the OS). Comparing both sets can reveal timestomping.
19. Which imaging format stores the forensic image along with case metadata, hash values, and compression in a single container?
Answer (B): VMDK format
The Expert Witness Format (E01), developed by Guidance Software (EnCase), stores the forensic image in compressed segments along with case metadata (examiner name, case number, acquisition date), MD5/SHA-1 hash values, and CRC checksums for each block. RAW/dd is an uncompressed stream with no embedded metadata.
20. In network forensics, what does a "full packet capture" preserve?
Answer (B): Both the packet headers and the complete payload (content) of all captured network traffic
Full packet capture (FPC) preserves the entire contents of each network packet: headers (source/destination IP, port, protocol, flags) as well as the payload (actual data content). Tools like Wireshark, tcpdump, and Zeek can capture and analyze full packets, enabling session reconstruction and content analysis. This is in contrast to NetFlow/IPFIX, which captures only flow metadata.
Cyber Forensics: Concepts
1. During a memory forensics investigation using Volatility, which plugin is most appropriate for listing all active and terminated processes along with their parent-child relationships?
Answer (A): pstree
The `pstree` plugin displays processes in a hierarchical parent-child tree view, making it easier to spot anomalies such as a `cmd.exe` spawned by `iexplore.exe` (which could indicate a browser exploit). `pslist` lists processes linearly from the ActiveProcessLinks doubly-linked list. `pstree` also shows hidden/unlinked processes that might evade `pslist`.
2. What is the significance of finding a discrepancy between the $STANDARD_INFORMATION and $FILE_NAME timestamps in an NTFS file?
Answer (B): It may indicate that the file's timestamps were manipulated (timestomping) using a tool that only updates $STANDARD_INFORMATION
Timestomping tools like Metasploit's `timestomp` and the Windows API `SetFileTime()` modify the $STANDARD_INFORMATION attribute (visible in Windows Explorer) but typically do not update the $FILE_NAME attribute (maintained by the NTFS kernel). A discrepancy between these two sets of timestamps is a strong indicator of deliberate timestamp manipulation.
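The $STANDARD_INFORMATION versus $FILE_NAME comparison described above, as an added example that is not part of the original page: a Python check run over MFT records that have already been parsed into Python dictionaries (the `SAMPLE_RECORDS` below are constructed, not taken from a real volume). The first indicator is the one the question names, a backdated $SI creation time that sits before the kernel-written $FN creation time. The second indicator is an assumed secondary heuristic that many examiners also apply, not something the page states: the three $SI times a user-mode `SetFileTime()` call can set all carrying an exactly zero sub-second component, which is how a second-granularity tool leaves them. The copied-file record shows why a $SI modified time older than the creation time is not by itself suspicious.

```python
from datetime import datetime, timezone
from typing import Dict, List

# Constructed MFT records, as an MFT parser might report them (ISO 8601, UTC).
# "si" is $STANDARD_INFORMATION (what Explorer shows, settable by SetFileTime());
# "fn" is $FILE_NAME (maintained by the NTFS driver).
SAMPLE_RECORDS: List[Dict] = [
    {   # untouched file: both attributes agree
        "name": "report.docx",
        "si": {"created": "2024-03-01T10:00:00.123456", "modified": "2024-03-02T11:30:15.654321",
               "accessed": "2024-03-02T11:30:15.654321", "mft_changed": "2024-03-02T11:30:15.654321"},
        "fn": {"created": "2024-03-01T10:00:00.123456", "modified": "2024-03-01T10:00:00.123456",
               "accessed": "2024-03-01T10:00:00.123456", "mft_changed": "2024-03-01T10:00:00.123456"},
    },
    {   # file copied from elsewhere: $SI modified predates creation, which is normal
        "name": "notes.txt",
        "si": {"created": "2024-03-06T09:00:00.001000", "modified": "2023-12-01T08:00:00.250000",
               "accessed": "2024-03-06T09:00:00.001000", "mft_changed": "2024-03-06T09:00:00.001000"},
        "fn": {"created": "2024-03-06T09:00:00.001000", "modified": "2024-03-06T09:00:00.001000",
               "accessed": "2024-03-06T09:00:00.001000", "mft_changed": "2024-03-06T09:00:00.001000"},
    },
    {   # backdated with a second-granularity tool: $SI is older than $FN and has
        # no sub-second part; $SI mft_changed cannot be set from user mode, so it
        # still shows when the tampering happened
        "name": "svchost.exe",
        "si": {"created": "2019-01-01T00:00:00", "modified": "2019-01-01T00:00:00",
               "accessed": "2019-01-01T00:00:00", "mft_changed": "2024-03-05T14:22:10.551234"},
        "fn": {"created": "2024-03-05T14:22:10.551234", "modified": "2024-03-05T14:22:10.551234",
               "accessed": "2024-03-05T14:22:10.551234", "mft_changed": "2024-03-05T14:22:10.551234"},
    },
]


def _ts(value: str) -> datetime:
    return datetime.fromisoformat(value).replace(tzinfo=timezone.utc)


def timestomp_indicators(record: Dict) -> List[str]:
    """Return the indicators that fire for one MFT record (empty list = nothing odd)."""
    si, fn = record["si"], record["fn"]
    flags: List[str] = []
    # Indicator 1 (the discrepancy from the question): $SI creation earlier than
    # $FN creation. $FN is written by the kernel when the name is created, so a
    # user-mode SetFileTime() that backdates $SI leaves $SI behind $FN.
    if _ts(si["created"]) < _ts(fn["created"]):
        flags.append("si_created_before_fn_created")
    # Indicator 2 (assumed secondary heuristic): the three $SI times that
    # SetFileTime() can set all have an exactly zero sub-second component.
    # NTFS keeps 100 ns resolution, so genuine files almost never show 0.000000.
    if all(_ts(si[k]).microsecond == 0 for k in ("created", "modified", "accessed")):
        flags.append("si_times_lack_subsecond_precision")
    return flags


def scan_records(records: List[Dict]) -> Dict[str, List[str]]:
    """Map each file name to its indicators, keeping only files with at least one."""
    suspicious: Dict[str, List[str]] = {}
    for record in records:
        flags = timestomp_indicators(record)
        if flags:
            suspicious[record["name"]] = flags
    return suspicious


if __name__ == "__main__":
    for name, flags in scan_records(SAMPLE_RECORDS).items():
        print(name, "->", ", ".join(flags))
```

Either indicator on its own is a lead, not proof; the combination, plus a $SI entry-modified time that postdates the backdated values, is what makes the third record worth a closer look.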
3. What is the Daubert Standard, and why is it relevant to digital forensics?
Answer (B): A legal framework used by U.S. federal courts to evaluate whether expert testimony and scientific evidence is admissible based on reliability and relevance
The Daubert Standard (established in Daubert v. Merrell Dow Pharmaceuticals, 1993) requires federal judges to act as gatekeepers, assessing whether scientific expert testimony is based on sufficient facts, reliable methodology, and is relevant to the case. In digital forensics, methodology must be testable, peer-reviewed, have a known error rate, and be generally accepted, criteria that forensic experts must satisfy.
4. Which artifact on a Windows system records the execution of programs, including those that have been deleted, and is stored in the registry under NTUSER.DAT?
Answer (A): UserAssist
UserAssist is a registry key under `HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist` that records GUI program execution, including the program name (ROT13-encoded), run count, and last execution time. It is valuable because it also records execution of programs that have since been deleted. Prefetch, Shimcache, and LNK files are also execution artifacts but are stored differently.
5. What is the purpose of the Windows Prefetch mechanism from a forensic perspective?
Answer (C): It provides a real-time feed of running processes to the Windows Event Log
Windows Prefetch files (in `C:\Windows\Prefetch\`, extension `.pf`) are created for each launched executable. They record the application path, the last 8 run times (on Windows 8+), number of times run, and files/directories referenced during startup. Investigators use them to prove program execution, including malware that has been removed after the fact.
6. In the context of cloud forensics, what is the primary challenge compared to traditional disk forensics?
Answer (D): Evidence is distributed across multiple geographic jurisdictions, access depends on service provider cooperation, and data may be co-mingled with other tenants' data
Cloud forensics presents unique challenges: data is physically located across multiple datacenters in different countries (raising jurisdictional issues), investigators depend on CSPs for access (which may require legal process such as subpoenas), multi-tenancy means evidence may be interleaved with other customers' data, and evidence is ephemeral (VMs can be terminated, logs may be overwritten rapidly).
7. What forensic information can be extracted from Windows Event Log file ID 4624?
Answer (A): Details of a successful user logon, including the account name, logon type, and source IP address
Windows Security Event ID 4624 ("An account was successfully logged on") records successful authentication events, including the target account name, domain, logon type (2=interactive, 3=network, 10=remote interactive/RDP), workstation name, and source IP address. It is one of the most important event IDs for investigating unauthorized access.
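The fields listed in this explanation, pulled out of 4624 records and turned into a first triage view, as an added example that is not part of the original page: Python that parses events rendered in the Windows Event Log XML schema (the four `SAMPLE_EVENTS` are constructed with the helper `_event`, not exported from a real system), counts logons by type, and lists network and RDP logons whose source address falls outside the internal ranges the caller supplies. The internal ranges and the decision to flag only logon types 3 and 10 are assumptions of this example; `203.0.113.44` is a documentation address used as the constructed external source.

```python
import xml.etree.ElementTree as ET
from collections import Counter
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Logon type names for the three types the question calls out.
LOGON_TYPES = {2: "Interactive", 3: "Network", 10: "RemoteInteractive"}


def _event(event_id: int, when: str, user: str, domain: str, logon_type: int,
           workstation: str, ip: str) -> str:
    """Build one event in the Windows Event Log XML schema (constructed sample data)."""
    return f"""<Event xmlns="{NS['e']}">
  <System><EventID>{event_id}</EventID><TimeCreated SystemTime="{when}"/><Computer>WS01.corp.example</Computer></System>
  <EventData>
    <Data Name="TargetUserName">{user}</Data>
    <Data Name="TargetDomainName">{domain}</Data>
    <Data Name="LogonType">{logon_type}</Data>
    <Data Name="WorkstationName">{workstation}</Data>
    <Data Name="IpAddress">{ip}</Data>
  </EventData>
</Event>"""


# Constructed records: a console logon, a file-share logon from inside the
# network, an RDP logon from outside it, and a logoff (4634) that must be ignored.
SAMPLE_EVENTS: List[str] = [
    _event(4624, "2024-03-05T08:02:11.000Z", "alice", "CORP", 2, "WS01", "-"),
    _event(4624, "2024-03-05T08:40:53.000Z", "bob", "CORP", 3, "FS01", "10.0.0.5"),
    _event(4624, "2024-03-05T14:22:10.000Z", "svc_backup", "CORP", 10, "WS01", "203.0.113.44"),
    _event(4634, "2024-03-05T17:00:00.000Z", "alice", "CORP", 2, "WS01", "-"),
]


def parse_4624(xml_text: str) -> Optional[Dict]:
    """Extract the fields the question names from one event; None if it is not a 4624."""
    root = ET.fromstring(xml_text)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "4624":
        return None
    data = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    logon_type = int(data.get("LogonType", "0"))
    return {
        "time": root.find("e:System/e:TimeCreated", NS).get("SystemTime"),
        "user": data.get("TargetUserName"),
        "domain": data.get("TargetDomainName"),
        "logon_type": logon_type,
        "logon_type_name": LOGON_TYPES.get(logon_type, f"Type{logon_type}"),
        "workstation": data.get("WorkstationName"),
        "ip": data.get("IpAddress"),
    }


def summarize(events: List[str]) -> Dict[str, int]:
    """Count successful logons by logon type name."""
    counts: Counter = Counter()
    for e in events:
        parsed = parse_4624(e)
        if parsed:
            counts[parsed["logon_type_name"]] += 1
    return dict(counts)


def flag_external_logons(events: List[str], internal: List[str]) -> List[Dict]:
    """Network (3) and RDP (10) logons whose source IP lies outside the internal ranges."""
    nets = [ip_network(n) for n in internal]
    hits: List[Dict] = []
    for e in events:
        parsed = parse_4624(e)
        # Interactive logons carry "-" as the address; skip them and non-4624 events.
        if not parsed or parsed["logon_type"] not in (3, 10) or parsed["ip"] in ("-", ""):
            continue
        src = ip_address(parsed["ip"])
        if not any(src in n for n in nets):
            hits.append(parsed)
    return hits


if __name__ == "__main__":
    print(summarize(SAMPLE_EVENTS))
    for hit in flag_external_logons(SAMPLE_EVENTS, ["10.0.0.0/8", "192.168.0.0/16"]):
        print(hit["time"], hit["domain"] + "\\" + hit["user"], hit["logon_type_name"], "from", hit["ip"])
```

On a real system the XML comes from `wevtutil qe Security /f:xml` or an EVTX parser; the same field names (`TargetUserName`, `LogonType`, `IpAddress`) appear there, which is what makes this kind of correlation scriptable.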
8. What does the NTFS $LogFile artifact record, and why is it useful for forensic analysis?
Answer (B): It is a transaction log that records metadata changes to the file system, helping investigators reconstruct file creation, deletion, and renaming events even after the MFT record has been reused
The NTFS $LogFile is a circular transaction journal that records file system metadata operations (file create, rename, delete, attribute changes) to support crash recovery. Forensically, tools like LogFileParser can extract historical file operations (even after MFT records have been reallocated), providing evidence of file activity that no longer appears in the current file system.
9. What is the purpose of a "Faraday bag" or "Faraday cage" in mobile device forensics?
Answer (A): To prevent electrostatic discharge from damaging the device's circuit board during seizure
A Faraday bag blocks all electromagnetic signals from reaching or leaving the device. This prevents the suspect or a remote administrator from sending a remote wipe command (such as via MDM or Find My Device), stops new messages or app updates from altering the device state, and prevents location tracking. Isolating the device from networks is a standard first step in mobile forensics.
10. Which Windows artifact stores evidence of USB storage devices that have been connected to a system, including the device serial number and first/last connection times?
Answer (A): HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR and setupapi.dev.log
The `USBSTOR` registry key stores a record of every USB mass storage device that has been connected, keyed by device type, vendor, product name, and serial number. The `setupapi.dev.log` (or `setupapi.setup.log`) records the first connection time. Last connection time is found in the device's registry entry or Windows Event Log. Together, these artifacts prove a specific device was connected to a specific system.
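The first-connection evidence this explanation attributes to `setupapi.dev.log`, as an added example that is not part of the original page: a Python parser that walks device-install sections of the log, keeps only `USBSTOR` device IDs, splits them into vendor, product, revision and serial, and records the earliest "Section start" time per serial. `SAMPLE_LOG` is a constructed excerpt written in the layout of that log (the section markers, the `USBSTOR\Disk&Ven_...&Prod_...&Rev_...\<serial>&0` ID form and the timestamp format are as the log presents them; the devices and times are invented). The `serial_generated` check relies on an assumed convention, that Windows puts an `&` as the second character of an instance ID it had to generate for a device that reported no serial; treat it as a hint, not a fact from the page.

```python
import re
from datetime import datetime
from typing import Dict, List, Optional

# Constructed excerpt in the layout of setupapi.dev.log. One USB keyboard (USB\,
# not USBSTOR\) is included so the filter is exercised, and the SanDisk stick
# appears twice so the "earliest wins" rule is exercised.
SAMPLE_LOG = r"""
>>>  [Device Install (Hardware initiated) - USBSTOR\Disk&Ven_SanDisk&Prod_Cruzer_Blade&Rev_1.00\4C530001234567890123&0]
>>>  Section start 2024/03/05 14:20:31.123
     cmd: C:\WINDOWS\system32\svchost.exe -k DcomLaunch -p
<<<  Section end 2024/03/05 14:20:33.456
<<<  [Exit status: SUCCESS]
>>>  [Device Install (Hardware initiated) - USB\VID_046D&PID_C52B\5&2a1b3c4d&0&3]
>>>  Section start 2024/03/05 14:25:02.001
<<<  Section end 2024/03/05 14:25:02.900
<<<  [Exit status: SUCCESS]
>>>  [Device Install (Hardware initiated) - USBSTOR\Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07\7&1f2e3d4c&0&0]
>>>  Section start 2024/03/07 09:01:15.500
<<<  Section end 2024/03/07 09:01:17.000
<<<  [Exit status: SUCCESS]
>>>  [Device Install (Hardware initiated) - USBSTOR\Disk&Ven_SanDisk&Prod_Cruzer_Blade&Rev_1.00\4C530001234567890123&0]
>>>  Section start 2024/03/09 11:45:00.000
<<<  Section end 2024/03/09 11:45:01.000
<<<  [Exit status: SUCCESS]
"""

INSTALL_RE = re.compile(r"^>>>\s+\[Device Install \(Hardware initiated\) - (?P<devid>[^\]]+)\]")
START_RE = re.compile(r"^>>>\s+Section start (?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{3})")


def _parse_usbstor_id(devid: str) -> Optional[Dict]:
    """Split a USBSTOR device ID (enumerator, hardware ID, instance ID) into its parts.
    Returns None for any other enumerator such as USB or HID."""
    parts = devid.split("\\")
    if len(parts) != 3 or parts[0].upper() != "USBSTOR":
        return None
    # Hardware ID looks like Disk&Ven_X&Prod_Y&Rev_Z; keep the Ven/Prod/Rev fields.
    fields = dict(p.split("_", 1) for p in parts[1].split("&")[1:] if "_" in p)
    instance = parts[2]
    # The instance ID is '<serial>&<index>'; drop the trailing index.
    serial = instance.rsplit("&", 1)[0] if re.search(r"&\d+$", instance) else instance
    return {
        "vendor": fields.get("Ven"),
        "product": fields.get("Prod"),
        "revision": fields.get("Rev"),
        "serial": serial,
        # Assumed convention: '&' as the second character marks a Windows-generated
        # instance ID, i.e. the device did not report a serial number of its own.
        "serial_generated": len(serial) > 1 and serial[1] == "&",
    }


def usbstor_first_connections(log_text: str) -> List[Dict]:
    """Earliest install time per USBSTOR serial, in order of first appearance."""
    seen: Dict[str, Dict] = {}
    pending: Optional[Dict] = None
    for line in log_text.splitlines():
        m = INSTALL_RE.match(line)
        if m:
            pending = _parse_usbstor_id(m.group("devid"))
            continue
        m = START_RE.match(line)
        if m and pending is not None:
            ts = datetime.strptime(m.group("ts"), "%Y/%m/%d %H:%M:%S.%f")
            entry = seen.get(pending["serial"])
            if entry is None or ts < entry["first_seen"]:
                seen[pending["serial"]] = {**pending, "first_seen": ts}
            pending = None
    return [{**e, "first_seen": e["first_seen"].isoformat()} for e in seen.values()]


if __name__ == "__main__":
    for row in usbstor_first_connections(SAMPLE_LOG):
        print(row["first_seen"], row["vendor"], row["product"], row["serial"],
              "(generated serial)" if row["serial_generated"] else "")
```

The serial this parser extracts is the same string that keys the device under the `USBSTOR` registry path the question names, which is how the log entry and the registry entry are tied together for one device.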
11. What is "slack space" in the context of disk forensics?
Answer (C): The unused sectors at the end of a partition that fall outside the last cluster
File slack space consists of two components: RAM slack (the space from the end of the logical file to the end of the sector, padded with RAM contents in older systems) and drive slack (the remaining unused sectors up to the end of the last allocated cluster). File slack can contain fragments of previously deleted data and is a valuable source of evidence in forensic investigations.
12. What is the primary function of the Autopsy digital forensics platform?
Answer (A): An open-source graphical front-end for The Sleuth Kit (TSK) and other forensic tools, providing case management, file system analysis, keyword search, email parsing, and timeline generation
Autopsy is a free, open-source digital forensics platform that acts as a graphical front-end for The Sleuth Kit (TSK). It supports disk image analysis, file carving, hash filtering, keyword searching, timeline generation, web artifact extraction, registry parsing, and more. It is used by law enforcement and private examiners worldwide as a full-featured forensic case management tool.
13In mobile forensics, what is a "logical extraction" compared to a "physical extraction"?
CorrectA: A logical extraction uses the device's own operating system APIs to retrieve data (contacts, messages, apps, call logs), whereas a physical extraction is a bit-for-bit copy of the entire flash memory, including deleted and unallocated data
Logical extraction works through the device OS and standard interfaces (iTunes backup, ADB, vendor APIs), retrieving a structured view of active data. Physical extraction is a raw sector-by-sector copy of the flash memory chip, which contains deleted files, unallocated space, and app data not exposed through APIs. Physical is more complete but requires more sophisticated techniques (e.g., JTAG, chip-off, or advanced logical methods).
14Which forensic artifact on Windows contains the most recent mapped network drives, typed paths, and recently opened files and folders?
CorrectD: Windows Recycle Bin ($I/$R files)
Windows Shell Items, including LNK files (automatically created shortcuts in the Recent folder and Desktop for opened files) and ShellBags (registry keys recording folder navigation preferences, stored even for remote or removable paths), contain rich evidence of file and folder access. LNK files record the target path, MAC times of the target, volume serial number, and NetBIOS hostname. ShellBags in `USRCLASS.DAT` reveal folder access even if the folder was later deleted.
15Why is the NTFS $UsnJrnl (Update Sequence Number Journal) a powerful forensic artifact?
CorrectB: It is a persistent change journal that records detailed file system events (create, write, rename, delete, security change) with timestamps, allowing investigators to reconstruct file activity long after the events occurred
The $UsnJrnl ($Extend\$UsnJrnl) is a change journal that records every file system event with a USN (unique sequence number), timestamp, file reference, and reason code (renamed, deleted, data extended, etc.). Even after a file is deleted and its MFT record reused, the USN journal may still contain the deletion event. Tools like MFTECmd and KAPE can parse it.
16What is the role of indicators of compromise (IOCs) in digital forensics?
CorrectB: IOCs are artifacts or patterns, such as malicious IP addresses, file hashes, registry keys, or domain names, that provide high-confidence evidence that a system has been breached
Indicators of Compromise (IOCs) are forensic artifacts observed on a network or OS that, with high confidence, indicate a security breach. They include known-bad file hashes, C2 IP addresses and domains, suspicious registry keys, unusual process names, and specific strings in memory or logs. Platforms like MISP and OpenIOC enable sharing and operationalizing IOCs across investigations.
17In the context of the SANS DFIR methodology, what is the primary goal of the "triage" phase?
CorrectA: To negotiate with ransomware operators for the decryption key
During the triage phase, the investigator rapidly assesses the situation to determine the scope of the incident, identify the most critical systems affected, prioritize evidence collection starting with the most volatile sources, and establish a preliminary timeline. This phase allows efficient resource allocation and ensures the most time-sensitive evidence is not lost.
18What is "timeline analysis" in digital forensics, and which artifact sources are commonly used to build a timeline?
CorrectC: A technique that correlates events from multiple sources (file system timestamps, Windows Event Logs, $UsnJrnl, prefetch files, registry hives, and browser history) onto a single chronological timeline to reconstruct attacker or user activity
Timeline analysis involves super-timeline creation: aggregating timestamps from diverse artifact sources (MFT, $UsnJrnl, Event Logs, prefetch, registry, browser history, LNK files, etc.) into a single chronological view. Tools like Plaso (log2timeline) automate this process, allowing investigators to correlate events across sources and reconstruct attacker activity with high precision.
19Which of the following best describes the forensic significance of the Windows Volume Shadow Copy Service (VSS)?
CorrectB: VSS shadow copies may contain previous versions of deleted or encrypted files, registry hives, and event logs, giving investigators access to the system state at earlier points in time
Volume Shadow Copies (VSS) are point-in-time snapshots of the NTFS volume, created automatically by Windows (before updates, restore points, etc.). Forensically, they can contain previous versions of files before encryption (critical in ransomware investigations), earlier versions of registry hives, event logs, and other artifacts from before the attacker's activity. Tools like ShadowExplorer and Velociraptor can access shadow copies.
20What does the term "dead-box forensics" mean, and what is one major limitation it has compared to live forensics?
CorrectB: Dead-box forensics is analysis of a system after it has been powered off; its major limitation is the permanent loss of volatile evidence (RAM contents, active network connections, encryption keys) that existed only in memory
Dead-box forensics involves analyzing a system after it has been shut down, typically by imaging the hard drive and examining it offline. The critical limitation is that all volatile data (RAM contents such as running processes, encryption keys, network state, malware in memory and passwords; active connections; and any data not written to persistent storage) is irretrievably lost at the moment of power-off.
Cyber Forensics - Advanced
1An investigator suspects process hollowing was used to inject malicious code into a legitimate Windows process. Which combination of Volatility plugins would best confirm this?
CorrectC: malfind combined with pstree and cmdline to correlate the injected memory region with the parent process and command-line context
`malfind` scans for memory-resident code that has been injected (pages with PAGE_EXECUTE_READWRITE protection that contain MZ/PE headers) and identifies process hollowing indicators. Cross-referencing with `pstree` (to check the parent process legitimacy) and `cmdline` (to see if the command-line arguments are suspicious) provides the full context needed to confirm process hollowing rather than a false positive.
2During analysis of a forensic image, an investigator discovers that a file's $STANDARD_INFORMATION timestamps predate legitimate OS installation logs. What is the most likely explanation?
CorrectD: A threat actor used timestomping to backdate the file's SI timestamps to a time before the investigation period, attempting to make it appear to predate the OS installation
Timestomping is a common anti-forensics technique where attackers use tools (Metasploit's `timestomp`, PowerShell's `[System.IO.File]::SetCreationTime()`, or direct API calls) to set file timestamps to arbitrary values, sometimes before the OS was even installed. An $SI timestamp predating the OS installation is a hallmark indicator. The $FN attribute in the MFT (harder to modify) often reveals the true creation time.
3A JTAG extraction was attempted on a mobile device but is unavailable. Which technique involves directly desoldering the flash memory chip from the PCB to read its contents externally?
CorrectA: Chip-off forensics
Chip-off forensics involves physically removing (desoldering) the NAND or eMMC flash memory chip from the device's PCB and reading its raw contents using a specialized chip reader. This technique bypasses all OS security controls, PIN/pattern locks, and encryption, but requires hardware expertise and risks damaging the chip. It is used when other methods are impossible (broken screen, locked device, damaged board).
4In a ransomware incident response investigation, which forensic artifact should be prioritized to determine the initial access vector before the ransomware executed?
CorrectD: The browser history, which always contains the phishing link that initiated the compromise
Reconstructing the initial access vector requires correlating multiple artifact sources. The $MFT and $UsnJrnl reveal the first malicious file dropped. Security Event IDs 4624/4625 identify authentication events, 4648 shows pass-the-hash/pass-the-ticket, and 4672 shows privilege escalation. PowerShell ScriptBlock logs capture malicious scripts. Browser history, email artifacts, and VPN logs may reveal the phishing campaign or exploitation, but prioritizing the earliest file system and authentication events gives the clearest picture.
5What is the forensic significance of detecting a high number of PAGE_EXECUTE_READWRITE memory regions in a process using Volatility's malfind plugin?
CorrectC: It strongly suggests code injection: legitimate processes rarely allocate executable writable memory; such regions may contain injected shellcode, reflective DLL injection payloads, or process hollowing artifacts
Data Execution Prevention (DEP) means legitimate applications do not normally need memory that is simultaneously writable and executable. Memory regions flagged as PAGE_EXECUTE_READWRITE are a strong indicator of malicious activity: shellcode injection, reflective DLL loading (which writes and executes a PE in memory without touching disk), unpacking stubs, or process hollowing. This is one of the primary signals `malfind` reports.
6An investigator recovers a deleted SQLite database file from unallocated disk space using file carving. The file is intact but the WAL (Write-Ahead Log) file is missing. What is the forensic implication?
CorrectC: The recovered database reflects only the committed transactions at the last WAL checkpoint; uncommitted or recent transactions that were only in the WAL are lost, potentially missing the most recent activity
SQLite uses Write-Ahead Logging (WAL mode) where changes are first written to a .wal file before being checkpointed (merged) into the main database. If only the main database file is recovered without the WAL, only checkpointed data is visible. Recent uncommitted changes, potentially including the most recent messages, app activity, or user records, may exist only in the lost WAL file, creating a gap in the evidence.
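To see this gap concretely, here is an added example (not part of the original quiz) that uses Python's standard sqlite3 module to build a small WAL-mode database, commit rows that exist only in the -wal file, and show that a copy of the main file alone does not contain them until a checkpoint runs. The table, file names and rows are constructed for the example.

```python
import os
import shutil
import sqlite3
import tempfile


def count_rows(db_file: str) -> int:
    """Open a recovered database file on its own (no -wal beside it) and
    count the rows an examiner would see in the messages table."""
    conn = sqlite3.connect(db_file)
    try:
        return conn.execute("SELECT COUNT(*) FROM messages").fetchone()[0]
    finally:
        conn.close()


def wal_recovery_demo() -> dict:
    """Create a WAL-mode SQLite database, commit rows that live only in the
    -wal file, and compare a copy of the main file taken before and after a
    checkpoint. Everything here (table, rows, paths) is constructed."""
    workdir = tempfile.mkdtemp(prefix="wal_demo_")
    try:
        db_path = os.path.join(workdir, "chat.db")
        wal_path = db_path + "-wal"
        # isolation_level=None: every statement commits on its own.
        conn = sqlite3.connect(db_path, isolation_level=None)
        conn.execute("PRAGMA journal_mode=WAL")
        conn.execute("PRAGMA wal_autocheckpoint=0")  # no automatic checkpoints
        conn.execute("CREATE TABLE messages (id INTEGER PRIMARY KEY, body TEXT)")
        conn.execute("PRAGMA wal_checkpoint(FULL)")  # push the schema into the main file

        # Committed rows: they are durable, but only inside the -wal file so far.
        sample_rows = ("message one", "message two", "message three")
        for body in sample_rows:
            conn.execute("INSERT INTO messages (body) VALUES (?)", (body,))
        wal_size = os.path.getsize(wal_path)

        # Simulate carving only the main database file from unallocated space.
        carved_without_wal = os.path.join(workdir, "carved_without_wal.db")
        shutil.copyfile(db_path, carved_without_wal)

        # A checkpoint merges the WAL frames into the main file; copy it again.
        conn.execute("PRAGMA wal_checkpoint(FULL)")
        carved_after_checkpoint = os.path.join(workdir, "carved_after_checkpoint.db")
        shutil.copyfile(db_path, carved_after_checkpoint)
        conn.close()

        return {
            "rows_committed": len(sample_rows),
            "wal_bytes_before_checkpoint": wal_size,
            "visible_without_wal": count_rows(carved_without_wal),
            "visible_after_checkpoint": count_rows(carved_after_checkpoint),
        }
    finally:
        shutil.rmtree(workdir, ignore_errors=True)


if __name__ == "__main__":
    for key, value in wal_recovery_demo().items():
        print(f"{key}: {value}")
```

The same effect applies to a chat or browser database pulled from a mobile backup: without the matching -wal (and -shm) file, the newest records are invisible even though the application had committed them.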
7During network forensics analysis, an investigator observes DNS queries for domain names comprising long random-looking subdomains of a single parent domain, with responses containing TXT records. What attack technique does this pattern indicate?
CorrectB: DNS tunneling, used to exfiltrate data or establish a C2 channel by encoding data in DNS query/response payloads
DNS tunneling encodes data (often base32/base64) into DNS query subdomains (e.g., `aGVsbG8....<attacker>.com`) and receives data in DNS responses (TXT, CNAME, or NULL records). It abuses the fact that DNS traffic is often permitted through firewalls. Tools like iodine, dnscat2, and DNSExfiltrator implement this technique. Indicators include high query volumes, unusually long subdomain strings, high entropy subdomain names, and TXT/NULL record responses.
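As an added example (not from the original page), the following Python profiles the indicators listed above over constructed resolver log lines: per parent domain it computes query volume, average subdomain length, mean Shannon entropy of the subdomain, and the share of TXT/NULL queries. The log format, domain names and thresholds are assumptions chosen for this example.

```python
import math
from collections import Counter, defaultdict

# Constructed resolver log lines (not a real capture).
# Assumed format: "<epoch> <client> <qname> <qtype> <rcode>"
SAMPLE_LOG = """\
1700000001 10.0.0.5 www.example.com A NOERROR
1700000002 10.0.0.5 mail.example.com A NOERROR
1700000003 10.0.0.5 www.example.com AAAA NOERROR
1700000004 10.0.0.7 cdn.example.org A NOERROR
1700000005 10.0.0.9 nb2hi4dthixs653xo4wgylzbgnsgc4tdnbvgk.t.tunnel-sample.net TXT NOERROR
1700000006 10.0.0.9 mfrggzdfmztwq2lknnwg23tpobyxe43uov3ho6dz.t.tunnel-sample.net TXT NOERROR
1700000007 10.0.0.9 gezdgnbvgy3tqojqkrsws4jpkvsvk3lnn5zgk4tfo.t.tunnel-sample.net TXT NOERROR
1700000008 10.0.0.9 n5rgs4tfnfxgk3lfnz2cayjane2hezlmmfzs4mjs.t.tunnel-sample.net TXT NOERROR
1700000009 10.0.0.9 obqxezlnorqwi4tfon2wi2ltmnqxizlsnqqhgyjz.t.tunnel-sample.net TXT NOERROR
1700000010 10.0.0.9 mrsxmzlmn5yge4tfoqqgs3tunfxw4llzn52sayjs.t.tunnel-sample.net TXT NOERROR
"""


def shannon_entropy(text: str) -> float:
    """Bits of entropy per character; random-looking encodings score high."""
    if not text:
        return 0.0
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(qname: str):
    """Split a query name into (subdomain, parent). Assumption for this example:
    the parent is the last two labels. Production code should use a public
    suffix list so that names under co.uk and similar are grouped correctly."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) <= 2:
        return "", ".".join(labels)
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def profile_dns_log(log_text: str, min_queries: int = 5, min_len: float = 30.0,
                    min_entropy: float = 3.5, min_txt_ratio: float = 0.5) -> dict:
    """Aggregate the tunneling indicators per parent domain and flag parents
    that exceed every threshold at once. Thresholds are illustrative."""
    stats = defaultdict(lambda: {"queries": 0, "len_sum": 0, "entropy_sum": 0.0, "txt": 0})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        qname, qtype = parts[2], parts[3].upper()
        sub, parent = split_name(qname)
        s = stats[parent]
        s["queries"] += 1
        s["len_sum"] += len(sub)
        s["entropy_sum"] += shannon_entropy(sub.replace(".", ""))
        if qtype in ("TXT", "NULL"):
            s["txt"] += 1

    report = {}
    for parent, s in stats.items():
        n = s["queries"]
        avg_len = s["len_sum"] / n
        mean_entropy = s["entropy_sum"] / n
        txt_ratio = s["txt"] / n
        report[parent] = {
            "queries": n,
            "avg_subdomain_len": round(avg_len, 2),
            "mean_entropy": round(mean_entropy, 2),
            "txt_null_ratio": round(txt_ratio, 2),
            "suspicious": (n >= min_queries and avg_len >= min_len
                           and mean_entropy >= min_entropy and txt_ratio >= min_txt_ratio),
        }
    return report


if __name__ == "__main__":
    for parent, metrics in profile_dns_log(SAMPLE_LOG).items():
        if metrics["suspicious"]:
            print(f"possible DNS tunnel: {parent} {metrics}")
```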
8What is the forensic value of the Windows $I30 index allocation attribute in NTFS?
CorrectC: When a file is deleted from a directory, its $FILE_NAME entry may persist in the $I30 slack space, revealing evidence of files that existed in the directory but that an attacker attempted to remove by deleting the file
$I30 is the index allocation attribute ($INDEX_ALLOCATION and $INDEX_ROOT) for NTFS directories, storing the directory's B-tree index of filenames. When files are deleted, their $FILE_NAME entries in the directory index may leave carve-able residue in the $I30 slack. Tools like INDXParse and MFTECmd can recover these ghost directory entries, revealing file existence even after deletion and MFT record reuse.
9A forensic analyst finds PowerShell script block logs showing the string `[System.Convert]::FromBase64String()` followed by `Invoke-Expression`. What threat does this represent?
CorrectB: A fileless malware technique where base64-encoded payloads are decoded and executed entirely in memory, potentially bypassing signature-based antivirus detection
Decoding base64 commands with `[System.Convert]::FromBase64String()` and executing them with `Invoke-Expression` (or `iex`) is a classic fileless malware/LOLBin technique. The payload never touches disk in a recognizable form, potentially bypassing file-based AV. PowerShell ScriptBlock logging (Event ID 4104) captures the decoded content before execution, making it a critical forensic artifact for detecting this attack pattern.
10In SSD (Solid State Drive) forensics, why does the TRIM command complicate evidence recovery compared to traditional spinning hard drives?
CorrectC: When TRIM is enabled, the operating system notifies the SSD controller to zero out (or mark as erasable) the blocks belonging to deleted files, meaning forensic file carving tools may find only zeroed blocks in unallocated space instead of recoverable file remnants
On TRIM-enabled SSDs, when a file is deleted, the OS sends a TRIM command that tells the SSD controller the blocks are no longer needed. The controller zeroes or reclaims those blocks for wear leveling, often before new data is written. Unlike HDDs (where deleted file data persists in unallocated space until overwritten), TRIM-enabled SSDs may immediately destroy the recoverable data, making file carving far less effective.
11What is the forensic purpose of analyzing INDX records from $I30 files using a tool like MFTECmd?
CorrectC: To extract ghost directory entries (filename, file size, and MAC timestamps) from slack space in directory index records, revealing deleted files whose MFT records have been reused
When files are deleted, NTFS reuses MFT records, but the corresponding $FILE_NAME entries in parent directory $I30 B-tree index nodes can persist in the index slack. Parsing this slack with tools like MFTECmd or INDXParse extracts these orphaned entries, recovering file name, size, and full MACB timestamps: evidence that can reconstruct directory contents and timeline even after deletion.
12An investigator imaging a suspect's eMMC storage chip using chip-off forensics observes that the raw dump contains areas of uniform bit patterns interspersed with data. What does this indicate?
CorrectB: The eMMC controller has performed wear leveling, and the uniform areas represent erased blocks; NAND flash erases in blocks and erased NAND reads as all 0xFF bytes, representing truly deleted data
NAND flash memory erases data at the block level, and after erasure, NAND cells read as all 0xFF (logic "1"). The eMMC/NAND controller performs wear leveling by spreading writes across blocks and erasing blocks that are no longer needed. Regions of uniform 0xFF bytes in a chip-off dump represent erased (truly deleted) NAND blocks where data is unrecoverable, a key distinction from HDDs, where "deleted" sectors just lose their directory entry but the data persists.
13During a malware investigation, an investigator uses Volatility's dlllist plugin and notices a known-legitimate DLL loaded from `C:\Users\Public\Documents\` instead of `C:\Windows\System32\`. What technique does this indicate?
CorrectA: DLL search order hijacking β malware placed a malicious DLL with the same name as a system DLL in a directory that is searched before System32, causing the application to load the malicious version
DLL search order hijacking (also called DLL preloading or DLL planting) exploits the Windows DLL search order. If an attacker places a malicious DLL with the same name as a system DLL in a directory searched before System32 (such as the application directory, current directory, or a user-writable path), the application loads the malicious version. Finding a well-known system DLL loaded from an unexpected path like `C:\Users\Public\` is a definitive indicator.
14What forensic evidence would best confirm that a threat actor used Pass-the-Hash (PtH) to move laterally on a Windows network?
CorrectB: Windows Security Event ID 4624 with Logon Type 3 (network logon) and Authentication Package "NTLM" combined with Event ID 4672 (special privilege logon) from a workstation where the attacker was not physically present, showing the source IP differing from the account's normal access patterns
Pass-the-Hash uses a captured NTLM hash to authenticate without knowing the plaintext password, producing a network logon (Type 3) with NTLM authentication. Combining Event 4624 (Logon Type 3, NTLM auth package) with 4672 (special privileges assigned) from a source IP inconsistent with the account's normal access is strong PtH evidence. Note: Kerberoasting involves Kerberos tickets, and while LSASS memory contains hashes, the absence of plaintext passwords there does not by itself confirm PtH usage.
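The correlation described above, written out as an added Python example that is not part of the original page: it joins 4624 events (Logon Type 3, NTLM) to 4672 events on the logon ID and keeps only those whose source address lies outside the account's known baseline. The events, host names and baseline are constructed for the example.

```python
# Constructed Windows Security events, reduced to the fields the check needs.
# Field names follow the Windows event schema: the TargetLogonId of a 4624
# matches the SubjectLogonId of the 4672 raised for the same logon session.
SAMPLE_EVENTS = [
    {"EventID": 4624, "TimeCreated": "2024-02-10T02:14:09Z", "Computer": "FS01",
     "TargetUserName": "svc_backup", "LogonType": 3,
     "AuthenticationPackageName": "NTLM", "IpAddress": "10.10.5.22",
     "TargetLogonId": "0x3e7a1"},
    {"EventID": 4672, "TimeCreated": "2024-02-10T02:14:09Z", "Computer": "FS01",
     "SubjectUserName": "svc_backup", "SubjectLogonId": "0x3e7a1"},
    # Same account, NTLM network logon, but from its usual management host.
    {"EventID": 4624, "TimeCreated": "2024-02-10T03:00:00Z", "Computer": "FS01",
     "TargetUserName": "svc_backup", "LogonType": 3,
     "AuthenticationPackageName": "NTLM", "IpAddress": "10.10.1.40",
     "TargetLogonId": "0x4b120"},
    {"EventID": 4672, "TimeCreated": "2024-02-10T03:00:00Z", "Computer": "FS01",
     "SubjectUserName": "svc_backup", "SubjectLogonId": "0x4b120"},
    # Interactive console logon: wrong logon type for the pattern.
    {"EventID": 4624, "TimeCreated": "2024-02-10T08:31:55Z", "Computer": "FS01",
     "TargetUserName": "jdoe", "LogonType": 2,
     "AuthenticationPackageName": "Negotiate", "IpAddress": "127.0.0.1",
     "TargetLogonId": "0x51a0c"},
    # Network logon with Kerberos: a hash replay would not look like this.
    {"EventID": 4624, "TimeCreated": "2024-02-10T09:02:13Z", "Computer": "FS01",
     "TargetUserName": "svc_backup", "LogonType": 3,
     "AuthenticationPackageName": "Kerberos", "IpAddress": "10.10.5.99",
     "TargetLogonId": "0x5c3d0"},
    {"EventID": 4672, "TimeCreated": "2024-02-10T09:02:13Z", "Computer": "FS01",
     "SubjectUserName": "svc_backup", "SubjectLogonId": "0x5c3d0"},
]

# Constructed baseline: source addresses each account is normally seen from.
BASELINE_SOURCES = {
    "svc_backup": {"10.10.1.40", "10.10.1.41"},
    "jdoe": {"127.0.0.1"},
}


def find_pth_candidates(events: list, baseline: dict) -> list:
    """Return 4624 network logons using NTLM that (a) received special
    privileges (a 4672 with the same logon ID) and (b) came from a source
    address not in the account's baseline. Each hit carries the fields an
    analyst needs to pivot into the timeline."""
    privileged_sessions = {
        e["SubjectLogonId"] for e in events if e.get("EventID") == 4672
    }
    hits = []
    for e in events:
        if e.get("EventID") != 4624:
            continue
        if e.get("LogonType") != 3 or e.get("AuthenticationPackageName") != "NTLM":
            continue
        if e["TargetLogonId"] not in privileged_sessions:
            continue
        if e["IpAddress"] in baseline.get(e["TargetUserName"], set()):
            continue
        hits.append({
            "time": e["TimeCreated"],
            "host": e["Computer"],
            "account": e["TargetUserName"],
            "source": e["IpAddress"],
            "logon_id": e["TargetLogonId"],
        })
    return hits


if __name__ == "__main__":
    for hit in find_pth_candidates(SAMPLE_EVENTS, BASELINE_SOURCES):
        print("possible Pass-the-Hash:", hit)
```

A hit is a lead, not proof: confirm it against the source host's own 4624/4648 records and the account's legitimate activity before concluding that a hash was replayed.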
15A forensic examiner is analyzing browser artifacts and finds IndexedDB databases, Local Storage files, and Cache2 folders. Which browser are these artifacts most associated with, and what forensic value do they provide?
CorrectB: These are Firefox artifacts; IndexedDB contains web app data, Local Storage has key-value site data, and Cache2 holds cached web resources, together revealing browsing patterns, web app sessions, and potentially credentials
Firefox stores web data in a profile directory containing: IndexedDB (NoSQL databases used by web apps, often containing session data and cached application state), Local Storage (persistent key-value pairs per origin, used by web apps for authentication tokens), and Cache2 (cached web resources including HTML, scripts, and images). These artifacts reveal web app usage that goes beyond simple history and cookie analysis.
16In a large-scale incident response engagement, an investigator uses Plaso (log2timeline) to create a super-timeline. After normalizing timestamps to UTC, the investigator notices a cluster of file system events occurring at exactly 0 seconds past each minute. What anti-forensic or investigative artifact does this pattern suggest?
CorrectB: The timestomping was performed with a tool that only had minute-level timestamp precision, a known indicator of anti-forensics tools that do not preserve sub-second granularity and thus expose themselves within the super-timeline
NTFS stores timestamps as 64-bit FILETIME values with 100-nanosecond resolution, so genuine timestamps almost never land on a whole second, let alone a whole minute. A tool that rewrites timestamps from a coarse input format writes zeros into the fields it cannot express, and every file it touched clusters at HH:MM:00.0000000. The best documented form of this artifact is a zero sub-second component, which is what Metasploit's `timestomp` and ad hoc PowerShell edits that assign a date string to LastWriteTime leave behind; minute-level clustering is the same defect one step coarser. In a super-timeline the cluster stands out because the unmodified events around it carry random fractional values. Corroborate by comparing $STANDARD_INFORMATION with $FILE_NAME timestamps, since common tools only rewrite the former, and by checking $LogFile and the USN journal for the time of the change.
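One way to surface this cluster automatically, as an added example that is not code from the page or from the Plaso project: classify each timestamp by how much precision it carries and report files whose every file-system event is rounded. The input is a constructed CSV in the shape of `psort -o dynamic` output cut down to four columns (datetime, timestamp_desc, source, filename); the column names are an assumption to adjust for your own export.

```python
"""Find timestamps in a super-timeline that sit on a whole second or minute.

Added example; not code from the page or from the Plaso project. The input
is a constructed CSV in the shape of `psort -o dynamic` output restricted to
four columns (datetime, timestamp_desc, source, filename); adjust the column
names for your own export. NTFS timestamps have 100 ns resolution, so a run
of events whose fractional seconds are all zero is anomalous.
"""
import csv
import io
import re
from collections import defaultdict

# Constructed rows: real-looking fractions for most files, plus one file whose
# MACB timestamps all land on HH:MM:00 with a zero fraction (timestomped).
SAMPLE_TIMELINE = """datetime,timestamp_desc,source,filename
2024-03-01T09:12:37.4831922+00:00,Content Modification Time,FILE,C:\\Users\\alice\\report.docx
2024-03-01T09:12:37.4831922+00:00,Creation Time,FILE,C:\\Users\\alice\\report.docx
2024-03-01T09:15:02.1170040+00:00,Content Modification Time,FILE,C:\\Windows\\System32\\drivers\\etc\\hosts
2023-11-20T14:30:00.0000000+00:00,Content Modification Time,FILE,C:\\Windows\\Temp\\svc.exe
2023-11-20T14:30:00.0000000+00:00,Creation Time,FILE,C:\\Windows\\Temp\\svc.exe
2023-11-20T14:30:00.0000000+00:00,Metadata Modification Time,FILE,C:\\Windows\\Temp\\svc.exe
2023-11-20T14:30:00.0000000+00:00,Last Access Time,FILE,C:\\Windows\\Temp\\svc.exe
2024-03-01T10:00:00.0000000+00:00,Content Modification Time,FILE,C:\\build\\out.bin
2024-03-01T10:07:19.9031004+00:00,Creation Time,FILE,C:\\build\\out.bin
"""

_TIME_RE = re.compile(r"T(\d{2}):(\d{2}):(\d{2})(?:\.(\d+))?")


def timestamp_precision(dt_string):
    """Classify a timestamp as 'minute' (ss=00, zero fraction), 'second'
    (zero fraction) or 'sub_second' (any non-zero fractional digit)."""
    m = _TIME_RE.search(dt_string)
    if not m:
        raise ValueError(f"unparseable datetime: {dt_string}")
    seconds, fraction = m.group(3), m.group(4) or ""
    if fraction.strip("0"):
        return "sub_second"
    return "minute" if seconds == "00" else "second"


def find_rounded_clusters(csv_text, min_events=2):
    """Return {filename: [timestamp_desc, ...]} for files where every FILE
    event is rounded and at least min_events exist. A file with one genuine
    sub-second timestamp is left out: a build tool that writes whole-second
    mtimes still leaves the creation time with a real fraction."""
    per_file = defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["source"] != "FILE":
            continue
        per_file[row["filename"]].append(
            (row["timestamp_desc"], timestamp_precision(row["datetime"])))
    suspicious = {}
    for fname, entries in per_file.items():
        if len(entries) >= min_events and all(p != "sub_second" for _, p in entries):
            suspicious[fname] = [desc for desc, _ in entries]
    return suspicious


if __name__ == "__main__":
    for fname, descs in find_rounded_clusters(SAMPLE_TIMELINE).items():
        print(f"{fname}: {len(descs)} rounded timestamps ({', '.join(descs)})")
```

Only `svc.exe` is reported: all four of its timestamps are rounded, whereas `out.bin` keeps a genuine creation time beside a whole-minute modification time, which is how a legitimate build artifact looks. Feed the flagged paths back into an MFT parser to compare $STANDARD_INFORMATION against $FILE_NAME for each one.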
17What is the forensic significance of the Windows Amcache.hve artifact, and how does it complement Shimcache?
CorrectB: Amcache.hve records metadata for executables the system has encountered, including the SHA-1 hash, PE compilation timestamp and a first-seen time, on Windows 8/Server 2012 and later; Shimcache records the order and presence of executables without hashes; together they provide both evidence of execution and file identity verification
Amcache.hve (`C:\Windows\AppCompat\Programs\Amcache.hve`) is a registry hive that records, for binaries the system has encountered, the SHA-1 hash, PE link (compile) timestamp, file size, version and publisher; the key's last-write time approximates when the entry was created. The SHA-1 covers only the first 31,457,280 bytes of the file, so for larger binaries hash the same prefix before looking the value up in VirusTotal. Shimcache (AppCompatCache, in the SYSTEM hive) stores the path, size and $STANDARD_INFORMATION last-modified time of executables, ordered by most recent insertion, with no hash. Two caveats belong in the report: on Windows 10 and later neither artifact strictly proves execution (Shimcache entries can be created for files that were merely enumerated, Amcache entries for files that were scanned or installed), and Shimcache is only flushed to the registry at shutdown or reboot, so a live acquisition may lack the newest entries. Together they give file identity from Amcache and presence plus timeline context from Shimcache, and both survive deletion of the original executable.
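To match a binary recovered from disk or carved from unallocated space against an Amcache entry you have to hash it the way Amcache does. The following is an added example, not code from the page or from any Amcache parser: it streams the first 31,457,280 bytes through SHA-1 and normalises the hive's FileId value, which parsers show as the hash with four leading zero characters. The sample file is a constructed temporary file, hashed with a small limit so the truncation is visible.

```python
"""Compute the hash Amcache stores for a binary and normalise a FileId for lookup.

Added example; not code from the page or from any Amcache parser. Amcache's
SHA-1 covers only the first 31,457,280 bytes (30 MiB) of a file, and the
FileId value stored in the hive is that hash prefixed with four zero
characters, as seen in Amcache parser output. The sample data is a
constructed temporary file.
"""
import hashlib
import os
import tempfile

AMCACHE_HASH_LIMIT = 31_457_280


def amcache_sha1(path, limit=AMCACHE_HASH_LIMIT):
    """SHA-1 over at most `limit` leading bytes, streamed so large files are not loaded whole."""
    h = hashlib.sha1()
    remaining = limit
    with open(path, "rb") as f:
        while remaining > 0:
            chunk = f.read(min(1 << 20, remaining))
            if not chunk:
                break
            h.update(chunk)
            remaining -= len(chunk)
    return h.hexdigest()


def normalise_file_id(file_id):
    """Strip the leading '0000' that Amcache prepends to the SHA-1 in the FileId value."""
    value = file_id.strip().lower()
    if len(value) == 44 and value.startswith("0000"):
        value = value[4:]
    return value


def matches_amcache_entry(path, file_id, limit=AMCACHE_HASH_LIMIT):
    """True if a file on disk (or a recovered copy) is the binary an Amcache entry describes."""
    return amcache_sha1(path, limit) == normalise_file_id(file_id)


def demo():
    # Constructed 64 KiB sample, hashed with a tiny limit to show the truncation.
    data = bytes(range(256)) * 256
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(data)
        path = tmp.name
    try:
        full = hashlib.sha1(data).hexdigest()
        truncated = amcache_sha1(path, limit=4096)
        return {
            "full_sha1": full,
            "first_4096_sha1": truncated,
            "differs": full != truncated,
            "first_4096_matches_manual": truncated == hashlib.sha1(data[:4096]).hexdigest(),
            "file_id_roundtrip": matches_amcache_entry(path, "0000" + truncated, limit=4096),
        }
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print(demo())
```

For any binary under 30 MiB the result equals a plain SHA-1, so the distinction only matters for large installers and packed droppers; for those, hashing the whole file and searching VirusTotal for the Amcache value will simply never match.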
18An investigator analyzing a Linux system finds that `ls -la` shows a file with all 0-byte timestamps and a file size of 0, but `debugfs` reveals the inode was recently written. What anti-forensic technique does this indicate?
CorrectC: The timestamps that `ls` reports were overwritten with zeros, but `debugfs`, reading the raw on-disk inode, still exposes the true metadata; the mismatch points to targeted anti-forensics that altered only the user-visible timestamps
On ext4 every timestamp lives in the inode; a directory entry holds only the file name, inode number and type. `ls -la` therefore shows what the running kernel returns from stat(), while `debugfs -R "stat <inode>"` reads the inode straight off the device, including fields userland cannot set. `touch -d @0 file` (or any utimensat() call) zeroes atime and mtime, but the kernel stamps ctime with the time of that change and leaves crtime (present on ext4 inodes of 256 bytes or more) untouched, so the raw inode reveals when the tampering happened. An attacker who instead edits the on-disk inode with `debugfs -w` can zero those fields too, but such writes bypass the page cache, and the live kernel keeps serving the cached inode until it is evicted, which is another way the two views come to disagree. In both cases the disagreement between the kernel's view and the on-disk structures is the signal, the Linux analogue of the $STANDARD_INFORMATION versus $FILE_NAME discrepancy used to detect NTFS timestomping.
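The kernel-side half of that comparison can be scripted. The following is an added example, not code from the page: it walks a tree with os.stat() and flags files whose mtime or atime predate 1980, or whose mtime is far older than, or later than, the ctime the kernel maintains. The sample tree is constructed in a temporary directory, with one file backdated to the epoch the way `touch -d @0` would and one pushed a day into the future; the thresholds are assumptions to tune.

```python
"""Flag files whose kernel-visible timestamps look tampered, using the fields
userland cannot set as the reference.

Added example; not code from the page. It uses only os.stat(), so it runs on
a live Linux system or a mounted image; the raw-inode comparison with
`debugfs stat` is the manual follow-up for anything flagged. The sample
tree is constructed in a temporary directory, with one file backdated to
the epoch the way `touch -d @0` would. The 1980 floor and the one-year /
one-minute gaps are assumed thresholds.
"""
import os
import tempfile
import time

# Anything older than this is treated as a bogus mtime/atime (no sane file predates 1980).
MIN_PLAUSIBLE_TS = 315_532_800  # 1980-01-01T00:00:00Z


def classify(st):
    """Return anomaly labels for one os.stat_result."""
    reasons = []
    if st.st_mtime < MIN_PLAUSIBLE_TS:
        reasons.append("mtime_before_1980")
    if st.st_atime < MIN_PLAUSIBLE_TS:
        reasons.append("atime_before_1980")
    # ctime is set by the kernel whenever the inode changes and cannot be set
    # through utime(); an mtime a year older than ctime was written after the fact.
    if st.st_ctime - st.st_mtime > 365 * 86400:
        reasons.append("mtime_far_older_than_ctime")
    # An mtime later than the last inode change is likewise only possible by setting it.
    if st.st_mtime - st.st_ctime > 60:
        reasons.append("mtime_after_ctime")
    return reasons


def scan_tree(root):
    """Walk `root` and return {relative_path: [reasons]} for anomalous regular files."""
    flagged = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            reasons = classify(st)
            if reasons:
                flagged[os.path.relpath(full, root)] = reasons
    return flagged


def build_sample_tree():
    """Constructed evidence: one untouched file, one backdated to the epoch,
    one with its mtime set a day into the future. Returns the directory path."""
    root = tempfile.mkdtemp(prefix="ts_demo_")
    for name in ("normal.log", "backdated.bin", "future.txt"):
        with open(os.path.join(root, name), "w") as f:
            f.write("sample\n")
    os.utime(os.path.join(root, "backdated.bin"), (0, 0))
    future = time.time() + 86400
    os.utime(os.path.join(root, "future.txt"), (future, future))
    return root


if __name__ == "__main__":
    for path, reasons in scan_tree(build_sample_tree()).items():
        print(f"{path}: {', '.join(reasons)}")
```

For each flagged path, take its inode number from `stat -c %i` and read the same inode from the image with `debugfs -R "stat <N>" image.dd`; if the on-disk ctime or crtime disagrees with what the live system reports, the tampering was done below the VFS.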
19During threat hunting on a Windows endpoint, an analyst discovers that `svchost.exe` is running from `C:\Users\AppData\Local\Temp\` rather than `C:\Windows\System32\`. What technique is this most likely indicative of?
CorrectC: Masquerading, a defense evasion technique (MITRE ATT&CK T1036) in which malware uses the name of a trusted Windows process to blend in with legitimate system processes while running from a user-writable path outside System32
Masquerading (MITRE ATT&CK T1036.005, Match Legitimate Name or Location) names malware after legitimate system processes (svchost.exe, lsass.exe, explorer.exe) so it blends into process listings. The path gives it away: genuine `svchost.exe` runs only from `C:\Windows\System32\` (or `SysWOW64`), always as a child of `services.exe`, and is signed by Microsoft. A `svchost.exe` in `%TEMP%`, `%APPDATA%` or any other user-writable directory is malicious with very high confidence; a wrong parent or an unsigned binary in the right path is the same finding one step subtler. Process creation logs (Sysmon Event 1 or Security 4688) record both the image path and the parent, so the check can be run across a fleet rather than one endpoint at a time.
20What is the forensic importance of the Master Boot Record (MBR) and Volume Boot Record (VBR) in an investigation involving a bootkit?
CorrectB: The MBR and VBR execute before the OS kernel loads; a bootkit infects these structures to run malicious code before any OS-based security tool can observe it, so forensic detection relies on bit-level comparison of these structures against known-good baselines to find unauthorized modifications
Bootkits such as TDL4 (MBR) and Rovnix (VBR) overwrite code that runs before the Windows kernel, so they can patch the loader and hide from security software and from any tool that reads the disk through the infected OS. Detection therefore works offline: from a forensic image, extract the 512-byte MBR (sector 0) and the VBR at the start of each partition, check the 0x55AA signature and the partition table for consistency, hash the boot code (the first 440 bytes of the MBR, before the disk signature and partition table) and compare it against a known-good copy for the same OS and boot loader version; anything that differs gets disassembled. On UEFI/GPT systems the equivalent targets are the boot manager and loaders on the EFI System Partition, while firmware-resident implants sit a layer lower still and need a firmware dump rather than a disk image.
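The offline check described above, as an added example that is not code from the page: parse the MBR layout, hash the boot-code region separately from the disk signature and partition table, and report any deviation from a baseline. Both the sample sector and the "known-good" hash are constructed here; in practice the baseline comes from a clean install of the same OS version, and the sector is read from the image with `f.read(512)`, with each VBR at `lba_start * sector_size`.

```python
"""Parse a 512-byte MBR, hash its boot code and compare with a known-good baseline.

Added example; not code from the page. Offsets follow the classic MBR
layout: boot code 0..439, 32-bit disk signature at 440, two reserved bytes,
four 16-byte partition entries at 446, and the 0x55AA signature at 510.
The sample sector and the "known-good" hash are constructed here; in
practice the baseline comes from a clean install of the same OS version
and the sector is read from the forensic image with `f.read(512)` (the
VBR sits at lba_start * sector_size of each partition).
"""
import hashlib
import struct

SECTOR = 512


def build_sample_mbr(patch_boot_code=False):
    """Constructed MBR: dummy boot code and one bootable NTFS partition."""
    boot_code = bytes([0x33, 0xC0, 0x8E, 0xD0, 0xBC, 0x00, 0x7C]) + b"\x90" * (440 - 7)
    if patch_boot_code:  # a bootkit-style overwrite of the first instruction bytes
        boot_code = b"\xEB\xFE" + boot_code[2:]
    disk_sig = struct.pack("<I", 0xDEADBEEF)
    # status, CHS start (3 bytes), type, CHS end (3 bytes), LBA start, sector count
    entry = struct.pack("<B3sB3sII", 0x80, b"\x20\x21\x00", 0x07, b"\xFE\xFF\xFF", 2048, 204800)
    table = entry + b"\x00" * 48
    return boot_code + disk_sig + b"\x00\x00" + table + b"\x55\xAA"


def parse_mbr(sector):
    """Return the fields an examiner compares: signature validity, disk signature,
    SHA-256 of the boot code, and the non-empty partition entries."""
    if len(sector) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        off = 446 + 16 * i
        status, ptype, lba_start, count = struct.unpack_from("<B3xB3xII", sector, off)
        if ptype != 0:
            partitions.append({"index": i, "bootable": status == 0x80, "type": ptype,
                               "lba_start": lba_start, "sectors": count})
    return {
        "valid_signature": sector[510:512] == b"\x55\xAA",
        "disk_signature": struct.unpack_from("<I", sector, 440)[0],
        "boot_code_sha256": hashlib.sha256(sector[:440]).hexdigest(),
        "partitions": partitions,
    }


def check_against_baseline(sector, known_good_hashes):
    """Return a list of findings; an empty list means the MBR matches a baseline and parses sanely."""
    info = parse_mbr(sector)
    findings = []
    if not info["valid_signature"]:
        findings.append("missing 0x55AA signature")
    if info["boot_code_sha256"] not in known_good_hashes:
        findings.append(f"boot code hash {info['boot_code_sha256'][:16]}... not in baseline")
    if sum(p["bootable"] for p in info["partitions"]) > 1:
        findings.append("more than one partition flagged bootable")
    return findings


if __name__ == "__main__":
    baseline = {parse_mbr(build_sample_mbr())["boot_code_sha256"]}
    print(check_against_baseline(build_sample_mbr(), baseline))
    print(check_against_baseline(build_sample_mbr(patch_boot_code=True), baseline))
```

Hashing only the first 440 bytes matters: the disk signature and partition table legitimately differ between machines, so hashing the whole sector would make every disk look modified and bury the real finding. A two-byte change in the boot code, which is all the patched sample makes, is still enough to fail the comparison.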
Conclusion: Mastering Cyber Forensics
Digital forensics is the discipline that transforms raw technical artifacts into admissible legal evidence. Mastering the order of volatility, understanding why write blockers are non-negotiable, knowing the Daubert Standard for expert testimony, and being able to use Volatility for memory forensics separates a first responder who contaminates a crime scene from one who builds an airtight prosecution case.
The questions in this test map directly to domains assessed in certifications like CHFI, GCFE, EnCE, and CCE. Understanding how anti-forensics techniques (timestomping, log wiping, fileless malware) are detected, through memory forensics, network telemetry, and system integrity checks, is critical for both threat hunters and forensic examiners.
Revisit questions you missed, study their detailed explanations, and pair this practice test with the full Cyber Forensics Theory Guide and the Cyber Crimes MCQs for comprehensive exam and interview preparation.
Key Takeaways β Cyber Forensics
- Order of Volatility (RFC 3227): collect from most volatile (CPU registers, RAM) to least volatile (hard disk, backups); capture RAM first, before powering off any compromised system.
- Daubert Standard: the judge acts as gatekeeper; forensic methodology must be testable, peer-reviewed, have a known error rate, and be generally accepted. Undocumented tools and procedures fail Daubert.
- Write Blockers: mandatory for forensically sound acquisition; no write operations reach the original evidence; hardware blockers are preferred over software; verify the image hash against the source, because a mismatch undermines integrity and can render the evidence inadmissible.
- Volatility (Memory Forensics): reveals running processes, fileless malware, encryption keys in RAM, network connections, and injected DLLs, artifacts that disk imaging alone cannot provide.
- Physical vs Logical Imaging: a physical image is a bit-for-bit copy of the entire disk including unallocated space and deleted files; a logical image captures allocated files only. Physical imaging is the default for criminal investigations whenever the device allows it.
- Anti-Forensics Detection: timestomping is detected by comparing $STANDARD_INFORMATION with $FILE_NAME timestamps in the MFT and by looking for zeroed sub-second values; log wiping is detected via the log-cleared events (1102 for Security, 104 for System/Application), while 4616 (system time changed) is a related but different indicator; fileless malware requires memory forensics.
- File Carving: tools like PhotoRec and Foremost scan unallocated disk space for file header/footer signatures to recover deleted files, which works even when file system metadata is destroyed.
Quick Review & Summary
Use this summary table to consolidate key concepts before or after attempting the questions above.
| Technique / Concept | Category | Key Tool(s) | Purpose / Output |
|---|---|---|---|
| Disk Imaging | Acquisition | FTK Imager, dd, dcfldd, Guymager | Bit-for-bit forensic copy (E01/AFF4/raw) with hash verification |
| Memory Forensics | Acquisition / Analysis | Volatility, Rekall, Magnet RAM Capture, WinPmem | Running processes, network connections, encryption keys, fileless malware |
| File Carving | Recovery | PhotoRec, Foremost, Scalpel | Recovers deleted files from unallocated space using header/footer signatures |
| Network Forensics | Analysis | Wireshark, Zeek (Bro), NetworkMiner, PCAP analysis | Reconstructs network sessions, identifies C2 traffic, extracts transferred files |
| Timestomping Detection | Anti-Forensics Detection | MFT analysis (Autopsy, MFTExplorer) | Compares $STANDARD_INFO vs $FILE_NAME timestamps to detect manipulation |
| Log Analysis | Analysis | SIEM, Windows Event Viewer, Splunk, ELK Stack | Identifies logon events, privilege escalation, log-clearing (Event 1102/104) |
| Steganography Detection | Anti-Forensics Detection | StegExpose, StegDetect, statistical analysis | Detects hidden data embedded in image/audio files via statistical anomalies |
Frequently Asked Questions
Q. What is the order of volatility in digital forensics and why does it matter?
Q. What is the Daubert Standard and how does it apply to digital evidence admissibility?
Q. What is a write blocker and why is it essential in digital forensics?
Q. What tools are used for memory forensics and what can they reveal?
Q. What is anti-forensics and what techniques does it employ?
Q. What is the difference between a logical acquisition and a physical forensic image?
Struggling with some questions? Re-read the full Theory Guide: Cyber Forensics