
Wednesday, 5 May 2021

Computer Forensics Quiz

Question 1: ________ is a unique identifier assigned to network interfaces for communications on the physical network segment.
A. Domain Name System
B. Traceroute
C. MAC Address
D. Internet Protocol (IP) Addresses

Solution:
MAC Address

Question 2: ________ is a unique address assigned to every computer connected to the network.
A. MAC Address
B. Domain Name System
C. Internet Protocol (IP) Addresses
D. Traceroute

Solution:
Internet Protocol (IP) Addresses

Question 3: Which of the following are the possible locations to look for evidence in a network?
(I) From the victim computer
(II) From the attacked computer and intermediate computers
(III) From firewalls
(IV) From internetworking devices
A. (I), (II), (III) and (IV)
B. (II), (III) and (IV)
C. (I) and (II)
D. (I), (II) and (III)

Solution:
(I), (II), (III) and (IV)

Question 4: A(n) ________ detection system is hardware or software used to monitor network traffic for malicious activity. It can provide alerts when suspicious activity occurs and provide detailed logging information with professional reporting capabilities.
A. firewall
B. intrusion
C. application
D. prevention

Solution:
intrusion

Question 5: Which of the following is used by a network administrator to inspect data packets on a network and determine, based on its set of rules, whether each packet should be allowed through?
A. Content filter
B. Sandbox
C. Packet capturing
D. Firewall

Solution:
Firewall

Question 6: Which of the following security tools would BEST be used for identifying and reacting to an attack by shutting down a port or dropping certain types of packets?
A. Intrusion Prevention System
B. Intrusion Detection System
C. Security Information and Event Manager (SIEM)
D. Sandbox

Solution:
Intrusion Prevention System

Question 7: Which of the following information cannot be revealed by network forensics?
A. Intrusion techniques used by attackers
B. Hardware configuration of the attacker’s system
C. Path of intrusion
D. Source of security incidents and network attacks

Solution:
Hardware configuration of the attacker’s system

Question 8: _______ can be used to determine the path a transmitted e-mail has taken.
A. Routers logs
B. Application programs
C. Text editors
D. Internal memory

Solution:
Routers logs

Question 9: Tracking internet e-mail users is more difficult because these accounts don’t always use standard naming schemes.
True
False
Solution:
True


Question 10: If we have obtained a warrant to conduct a social media forensics investigation for a specific social media account, but the suspect refuses to cooperate, we can use any workstation to Google search information about the suspect in the social media.
True
False

Solution:
False


Question 11: E-mail is a major communication medium and some people may use e-mail when committing crimes such as narcotics trafficking, extortion, sexual harassment, stalking, fraud, child abductions, terrorism, child pornography, and so on. After you have determined that a crime has been committed involving e-mail, what’s the main piece of information you look for in an e-mail message you’re investigating?
A. Sender or receiver’s e-mail address.
B. Subject line content.
C. Message number.
D. Originating e-mail domain or IP address.

Solution:
Originating e-mail domain or IP address.


Question 12: Which of the following is NOT a possible location where mobile device information might be stored?
A. SIM card
B. Power cable
C. Internal memory
D. Removable or external memory card

Solution:
Power cable

Question 13: Malware analysis is the process of determining the _______ and ______ of a given malware sample such as a virus, worm, or backdoor.
A. purpose; functions
B. platform; operations
C. problem; functions
D. technology; operations

Solution:
purpose; functions


Question 14: If investigators find a piece of evidence in the cloud that proves a particular IoT device at the crime scene is the cause of the crime, it will be easier to identify the criminal based on the registered account for the cloud service.
True
False

Solution:
False


Question 15: ________ analysis is the process of studying a program without actually executing it.
A. Hybrid
B. Static
C. Dynamic
D. Statistic

Solution:
Static


Question 16:

Computer Forensics Quiz

Question 1: ________ can point to items on other drives or other parts of the network.
A. Full links
B. Half links
C. Soft links
D. Hard links

Solution:
Soft links


Question 2: To acquire RAID disks, you need to determine the _____ of RAID and which acquisition _____ to use.
A. location; size
B. location; type
C. type; tool
D. size; tool

Solution:
type; tool


Question 3: In Windows 8 and later versions, a USB’s last insertion and removal timestamps are stored in the registry hive:
A. SYSTEM
B. SOFTWARE
C. SAM
D. SECURITY

Solution:
SYSTEM


Question 4: A deleted file is any file that has been ________ erased from the file system but may still remain ________ on storage media.
A. logically; physically
B. logically; forensically
C. physically; logically
D. physically; forensically

Solution:
logically; physically

Question 5: A _______ is a data acquisition method that is similar to logical acquisition but also collects fragments of unallocated (deleted) data.
A. sparse acquisition
B. disk-to-disk copy
C. disk-to-image file
D. logical acquisition

Solution:
sparse acquisition

Question 6: Which of the following is NOT an expected technology used in a data centre?
A. Server uses Linux or Unix operating system.
B. Database may be on a separate server.
C. May use virtualization technology.
D. May use Windows 98 as email server.

Solution:
May use Windows 98 as email server.

Question 7: Forensics acquisition can be done in static and live modes.
a) Describe the concept of live acquisition in digital forensics.
b) Discuss TWO (2) cases in which live acquisition should be considered in finding potential crime evidence.

Solution:
a) The acquisition of a live device is mainly of concern to digital investigators and incident responders, who must normally follow protocols and policies that produce forensically sound duplicates.
When gathering data from a live device for analysis, we are most concerned with volatile data, which is irretrievable once the system is turned off.
In an ideal process, each stage builds on what was acquired by the previous stage.
It is difficult to find optimal procedures; however, we should try.
Computer data is classified into two types: volatile data and permanent data.
When the computer is turned off, all volatile data is lost, changed, or made unavailable.
Anything else is permanent data, which can be accessed even after the power is turned off.
The passing of time or the acquisition process itself can further alter volatile data.
RAM is the best example of volatile data because it loses its contents very easily after the machine is turned off.

b) One case in which live acquisition is appropriate is when the user who committed the crime has a device running, the crime was committed fairly recently, and evidence can be found in the RAM.
Another case could be when the device is password protected and the criminal is not cooperative; then the RAM can give hints about the password, and sometimes password information for TrueCrypt and other encryption programs can be found in RAM.

Question 8: In the event of a forensics investigation, Windows Event Logs serve as the primary source of evidence, as the operating system logs the system's activities. Explain how Windows Event Logs can help in a forensics investigation and list TWO (2) types of events that are recorded in Windows event logs.

Solution:
Based on the logging details and the discovered objects, Windows event log review will assist an investigator in creating a timeline.
The Windows event logs assist in reconstructing the sequence of events to aid in an investigation.
Any incident that has an impact on the system may be registered as an event: an incorrect login attempt, a hack breach, a system settings change, an application failure, a system failure, and so on.

Consider the following scenario:
A hacker attempts to remotely break into the device. First, the hacker may brute force the system, and those logs would be found in the Security log. When the attacker succeeds in breaking into the device, another log entry is created that records the IP address, which may aid in the investigation.

Question 9:

Computer Forensics Quiz 3

Question 1: In digital forensic analysis, we use MAC times to create a timeline of activities. Timeline analysis is considered an important element in most digital forensics investigations because:
(I) It gives a holistic view of the succession of events that have happened to the system.
(II) It allows investigators to save their investigation time by reducing the volume of data that needs to be investigated to a specific timeframe.
(III) It helps investigators reconstruct data to identify when activities occurred on a computer and in what sequence.
(IV) It helps the investigators to re-create the events of the crime and trace back the steps of the suspect/victim.
A. (I), (II), (III) and (IV)
B. (I), (II) and (III) only
C. (I), (III) and (IV) only
D. (I), (II) and (IV) only

Solution:
(I), (II), (III) and (IV)

Question 2: In Windows 8 and later versions, user account information for users and groups on the system is stored in the registry hive:
A. SECURITY
B. SAM
C. SOFTWARE
D. SYSTEM

Solution:
SAM

Question 3: In Windows 8 and later versions, a USB’s last insertion and removal timestamps are stored in the registry hive:
A. SYSTEM
B. SAM
C. SECURITY
D. SOFTWARE

Solution:
SYSTEM

Question 4:  It refers to a cluster (or a portion of a cluster) that is not being used by the current data. It may contain no data at all or data from a previously deleted file. The above statements refer to:
A. slack space
B. portion space
C. allocated space
D. deleted space

Solution:
slack space

Question 5: When a document is printed, which of these files are created during the spooling process?
(I) A shadow file (.SHD) that contains information about the print job.
(II) A spool file (.SPL) that contains the document’s contents.
(III) A temp file (.TMP) for temporarily storing the information about the print job.
A. (I) and (III) only
B. (I) and (II) only
C. (II) and (III) only
D. (I), (II) and (III)

Solution:
(I) and (II) only

Question 6: In Windows Vista or a later OS, when a file is sent to the $Recycle.Bin, metadata information such as the file’s original filename/path information, size, and date/time moved to the $Recycle.Bin, is created and stored in:
A. An INFO2 file
B. A $R file
C. A $I file
D. An INFO file

Solution:
A $I file

Question 7: A ________ is a pointer that allows accessing the same file by different filenames.
A. half link
B. hard link
C. soft link
D. full link

Solution:
hard link


Question 8: ________ can point to items on other drives or other parts of the network.
A. Half links
B. Full links
C. Hard links
D. Soft links

Solution:
Soft links


Question 9: ____________ are based on mathematical instructions that define lines, curves, text, ovals, and other geometric shapes.
A. Vector images
B. Metafile images
C. Forensic images
D. Raster images

Solution:
Vector images

Question 10: ____________ are collections of dots, or pixels, in a grid format that form a graphic.
A. Raster images
B. Forensic images
C. Metafile images
D. Vector images

Solution:
Raster images

Question 11: You use ______________ to create, modify, and save raster, vector, and metafile graphics.
A. clone editors
B. image viewers
C. graphics editors
D. write blockers

Solution:
graphics editors

Computer Forensics Quiz 2

Question 1: Which of the following is NOT an expected technology used in a data centre?
A. Server uses Linux or Unix operating system.
B. May use Windows 98 as email server.
C. May use virtualization technology.
D. Database may be on a separate server.

Solution:
May use Windows 98 as email server.


Question 2: A disk-to-disk copy acquisition method is required due to the following reasons:
(i) Hardware or software errors
(ii) Hardware or software incompatibilities
(iii) To acquire older drives
(iv) To capture only specific files of interest to the case
A. (ii), (iii) and (iv)
B. (i), (ii) and (iii)
C. (i), (ii) and (iv)
D. (i), (iii) and (iv)

Solution:
(i), (ii) and (iii)

Question 3: Static acquisition is the process of acquiring data from a hard drive that remains unaltered when the system is powered off or shut down. This acquisition type is performed for the following reasons, EXCEPT:
A. Non-critical systems that can be shut down
B. Volatile data is more important than deleted files
C. Deleted files are more important than volatile data
D. The memory does not contain important data

Solution:
Volatile data is more important than deleted files

Question 4: A deleted file is any file that has been ________ erased from the file system but may still remain ________ on storage media.
A. physically; logically
B. physically; forensically
C. logically; physically
D. logically; forensically

Solution:
logically; physically

Question 5: To acquire RAID disks, you need to determine the _____ of RAID and which acquisition _____ to use.
A. type; tool
B. location; type
C. location; size
D. size; tool

Solution:
type; tool


Question 6: Which of the following is NOT an expected exhibit that can be found at a home?
A. Laptop
B. Wireless router
C. Desktop computer
D. RAID server

Solution:
RAID server

Question 7: What is the biggest concern when acquiring data from a RAID server?
A. Size
B. Firewall program
C. Access permissions
D. Data transfer speeds

Solution:
Size

Question 8: Live acquisition is the process of acquiring data from a running computer (already powered on when encountered at a crime scene) that would be lost when it is powered off. This acquisition type is performed for the following reasons, EXCEPT:
A. Deleted files are more important than volatile data.
B. Volatile data is more important than deleted files.
C. The memory contains important data.
D. Business-critical systems that cannot be shut down.

Solution:
Deleted files are more important than volatile data.