
Wednesday, 5 May 2021

Computer Forensics Quiz

Question 1: ________ is a unique identifier assigned to network interfaces for communications on the physical network segment.
A. Domain Name System
B. Traceroute
C. MAC Address
D. Internet Protocol (IP) Addresses

Solution:
MAC Address

Question 2: ________ is a unique address assigned to every computer connected to the network.
A. MAC Address
B. Domain Name System
C. Internet Protocol (IP) Addresses
D. Traceroute

Solution:
Internet Protocol (IP) Addresses

Question 3: Which of the following are the possible locations to look for evidence in a network?
(I) From the victim computer
(II) From the attacked computer and intermediate computers
(III) From firewalls
(IV) From internetworking devices
A. (I), (II), (III) and (IV)
B. (II), (III) and (IV)
C. (I) and (II)
D. (I), (II) and (III)

Solution:
(I), (II), (III) and (IV)

Question 4: A(n) ________ detection system is hardware or software used to monitor network traffic for malicious activity. It can provide alerts when suspicious activity occurs and provide detailed logging information with professional reporting capabilities.
A. firewall
B. intrusion
C. application
D. prevention

Solution:
intrusion

Question 5: Which of the following is used by a network administrator to inspect data packets on a network and determine, based on its set of rules, whether each packet should be allowed through?
A. Content filter
B. Sandbox
C. Packet capturing
D. Firewall

Solution:
Firewall

Question 6: Which of the following security tools would BEST be used for identifying and reacting to an attack by shutting down a port or dropping certain types of packets?
A. Intrusion Prevention System
B. Intrusion Detection System
C. Security Information and Event Manager (SIEM)
D. Sandbox

Solution:
Intrusion Prevention System

Question 7: Which of the following information cannot be revealed by network forensics?
A. Intrusion techniques used by attackers
B. Hardware configuration of the attacker’s system
C. Path of intrusion
D. Source of security incidents and network attacks

Solution:
Hardware configuration of the attacker’s system

Question 8: _______ can be used to determine the path a transmitted e-mail has taken.
A. Router logs
B. Application programs
C. Text editors
D. Internal memory

Solution:
Router logs

Question 9: Tracking internet e-mail users is more difficult because these accounts don’t always use standard naming schemes.
True
False

Solution:
True


Question 10: If we have obtained a warrant to conduct a social media forensics investigation for a specific social media account, but the suspect refuses to cooperate, we can use any workstation to Google search information about the suspect in the social media.
True
False

Solution:
False


Question 11: E-mail is a major communication medium and some people may use e-mail when committing crimes such as narcotics trafficking, extortion, sexual harassment, stalking, fraud, child abductions, terrorism, child pornography, and so on. After you have determined that a crime has been committed involving e-mail, what’s the main piece of information you look for in an e-mail message you’re investigating?
A. Sender or receiver’s e-mail address.
B. Subject line content.
C. Message number.
D. Originating e-mail domain or IP address.

Solution:
Originating e-mail domain or IP address.


Question 12: Which of the following is NOT a possible location where mobile device information might be stored?
A. SIM card
B. Power cable
C. Internal memory
D. Removable or external memory card

Solution:
Power cable

Question 13: Malware analysis is the process of determining the _______ and ______ of a given malware sample such as a virus, worm, or backdoor.
A. purpose; functions
B. platform; operations
C. problem; functions
D. technology; operations

Solution:
purpose; functions


Question 14: If investigators find a piece of evidence in the cloud that proves a particular IoT device at the crime scene is the cause of the crime, it will be easier to identify the criminal based on the registered account for the cloud service.
True
False

Solution:
False


Question 15: ________ analysis is the process of studying a program without actually executing it.
A. Hybrid
B. Static
C. Dynamic
D. Statistic

Solution:
Static


Question 16:

Computer Forensics Quiz

 Question 1: ________ can point to items on other drives or other parts of the network.
A. Full links
B. Half links
C. Soft links
D. Hard links

Solution:
Soft links


 Question 2: To acquire RAID disks, you need to determine the _____ of RAID and which acquisition _____ to use.
A. location; size
B. location; type
C. type; tool
D. size; tool

Solution:
type; tool


Question 3: In Windows 8 and later versions, a USB’s last insertion and removal timestamps are stored in the registry hive:
A. SYSTEM
B. SOFTWARE
C. SAM
D. SECURITY

Solution:
SYSTEM


 Question 4: A deleted file is any file that has been ________ erased from the file system but may still remain ________ on storage media.
A. logically; physically
B. logically; forensically
C. physically; logically
D. physically; forensically

Solution:
logically; physically

Question 5: A _______ is a data acquisition method that is similar to logical acquisition but also collects fragments of unallocated (deleted) data.
A. sparse acquisition
B. disk-to-disk copy
C. disk-to-image file
D. logical acquisition

Solution:
sparse acquisition

Question 6: Which of the following is NOT an expected technology used in a Data Centre?
A. Server uses Linux or Unix operating system.
B. Database may be on a separate server.
C. May use virtualization technology.
D. May use Windows 98 as email server.

Solution:
May use Windows 98 as email server.

Question 7: Forensic acquisition can be done in static and live modes.
a) Describe the concept of live acquisition in digital forensics.
b) Discuss TWO (2) cases in which live acquisition should be considered in finding potential crime evidence.

Solution:
A. The acquisition of a live device is mainly of concern to digital investigators and incident responders, who must normally follow protocols and policies that produce forensically sound duplicates.
When gathering data from a live device for analysis, we are most concerned with volatile data, which is irretrievable once the system is turned off.
In an ideal process, each stage works from what was acquired by the previous stage.
It is difficult to find optimal procedures; however, we should try.
Computer data is classified into two types: volatile data and permanent data.
When the computer is turned off, all volatile data is lost, changed or made unavailable.
Anything else is permanent data, which can be accessed even after the power is turned off.
The passing of time or the acquisition process itself can further alter volatile data.
RAM is the best example of volatile data because it loses its contents very easily after the machine is turned off.

B. One case in which live acquisition is appropriate is when the user who committed the crime has a device running, the crime was committed fairly recently, and evidence can be found in the RAM.
Another case is when the device is password protected and the criminal is not cooperative; the RAM can then give hints about the password, and sometimes password information for TrueCrypt and other encryption programs can be found in RAM.

Question 8: In the event of a forensics investigation, Windows Event Logs serve as the primary source of evidence, as the operating system logs the system's activities. Explain how Windows Event Logs can help in a forensics investigation and list TWO (2) types of events that are recorded in Windows event logs.

Solution:
Based on the logging details and the discovered objects, a Windows event log review will assist an investigator in creating a timeline.
The Windows event logs assist in reconstructing the sequence of events to aid in an investigation.
Any incident that has an impact on the system may be registered as an event:
incorrect login attempt, hack/breach,
system settings change, application failure,
system failure, and so on.

Consider the following scenario:
A hacker attempts to remotely break into the device. First the hacker may brute-force the system, and those logs would be found in the Security log; when the hacker is successful in breaking into the device,
another log is created that records the IP address, which may aid in the investigation.

  Question 9:

Computer Forensics Quiz 3

 Question 1: In digital forensic analysis, we use MAC times to create a timeline of activities. Timeline analysis is considered an important element in most digital forensics investigations because:
(I) It gives a holistic view of the succession of events that have happened to the system.
(II) It allows investigators to save their investigation time by reducing the volume of data that needs to be investigated to a specific timeframe.
(III) It helps investigators reconstruct data to identify when activities occurred on a computer and in what sequence.
(IV) It helps the investigators to re-create the events of the crime and trace back the steps of the suspect/victim.
A. (I), (II), (III) and (IV)
B. (I), (II) and (III) only
C. (I), (III) and (IV) only
D. (I), (II) and (IV) only

Solution:
(I), (II), (III) and (IV)

Question 2: In Windows 8 and later versions, user account information for users and groups on the system is stored in the registry hive:
A. SECURITY
B. SAM
C. SOFTWARE
D. SYSTEM

Solution:
SAM

Question 3: In Windows 8 and later versions, a USB’s last insertion and removal timestamps are stored in the registry hive:
A. SYSTEM
B. SAM
C. SECURITY
D. SOFTWARE

Solution:
SYSTEM

Question 4: It refers to a cluster (or a portion of a cluster) that is not being used by the current data. It may contain no data at all or data from a previously deleted file. The above statements refer to:
A. slack space
B. portion space
C. allocated space
D. deleted space

Solution:
slack space

Question 5: When a document is printed, which of these files are created during the spooling process?
(I) A shadow file (.SHD) that contains information about the print job.
(II) A spool file (.SPL) that contains the document’s contents.
(III) A temp file (.TMP) for temporarily storing the information about the print job.
A. (I) and (III) only
B. (I) and (II) only
C. (II) and (III) only
D. (I), (II) and (III)

Solution: 
(I) and (II) only

Question 6: In Windows Vista or a later OS, when a file is sent to the $Recycle.Bin, metadata information such as the file’s original filename/path information, size, and date/time moved to the $Recycle.Bin, is created and stored in:
A. An INFO2 file
B. A $R file
C. A $I file
D. An INFO file

Solution:
A $I file

Question 7: A ________ is a pointer that allows accessing the same file by different filenames.
A. half link
B. hard link
C. soft link
D. full link

Solution:
hard link


 Question 8: ________ can point to items on other drives or other parts of the network.
A. Half links
B. Full links
C. Hard links
D. Soft links

Solution:
Soft links


 Question 9:____________ are based on mathematical instructions that define lines, curves, text, ovals, and other geometric shapes.
A. Vector images
B. Metafile images
C. Forensic images
D. Raster images

Solution:
Vector images

 Question 10: ____________ are collections of dots, or pixels, in a grid format that form a graphic.
Select one:
A. Raster images
B. Forensic images
C. Metafile images
D. Vector images

Solution:
Raster images

 Question 11: You use ______________ to create, modify, and save raster, vector, and metafile graphics.
A. clone editors
B. image viewers
C. graphics editors
D. write blockers

Solution:
graphics editors

Computer Forensics Quiz 2

Question 1: Which of the following is NOT an expected technology used in a Data Centre?
A. Server uses Linux or Unix operating system.
B. May use Windows 98 as email server.
C. May use virtualization technology.
D. Database may be on a separate server.

Solution:
May use Windows 98 as email server.


Question 2: A disk-to-disk copy acquisition method is required due to the following reasons:
(i) Hardware or software errors
(ii) Hardware or software incompatibilities
(iii) To acquire older drives
(iv) To capture only specific files of interest to the case
A. (ii), (iii) and (iv)
B. (i), (ii) and (iii)
C. (i), (ii) and (iv)
D. (i), (iii) and (iv)

Solution:
(i), (ii) and (iii)

Question 3: Static acquisition is the process of acquiring data from a hard drive that remains unaltered when the system is powered off or shut down. This acquisition type is performed due to the following reasons, EXCEPT:
A. Non-critical systems that can be shut down
B. Volatile data is more important than deleted files
C. Deleted files are more important than volatile data
D. The memory does not contain important data

Solution:
Volatile data is more important than deleted files

Question 4:  A deleted file is any file that has been ________ erased from the file system but may still remain ________ on storage media.
A. physically; logically
B. physically; forensically
C. logically; physically
D. logically; forensically

Solution:
logically; physically

Question 5: To acquire RAID disks, you need to determine the _____ of RAID and which acquisition _____ to use.
A. type; tool
B. location; type
C. location; size
D. size; tool

Solution:
type; tool


Question 6: Which of the following is NOT an expected exhibit that can be found at home?
A. Laptop
B. Wireless router
C. Desktop computer
D. RAID server

Solution:
RAID server

Question 7: What is the biggest concern when acquiring data from a RAID server?
A. Size
B. Firewall program
C. Access permissions
D. Data transfer speeds

Solution:
Size

Question 8: Live acquisition is the process of acquiring data from a running computer (already powered on when encountered at a crime scene) that would be lost when it is powered off. This acquisition type is performed due to the following reasons, EXCEPT:
A. Deleted files are more important than volatile data.
B. Volatile data is more important than deleted files.
C. The memory contains important data.
D. Business-critical systems that cannot be shut down.

Solution:
Deleted files are more important than volatile data.

Computer Forensics Quiz 1

Question 1: __________ evidence is the evidence of those who relate, not what they know themselves, but what they have heard from others.
A. Exculpatory
B. Inculpatory
C. Tainted
D. Hearsay

Solution:
Hearsay


Question 2: Kingston is the security administrator of XYZ Corporation. One day he finds the company's database server has been compromised, and the customer information has been stolen along with financial data. The financial loss will be in millions of dollars if the competitors take the database into their hands. Kingston wants to report directly to law enforcement authorities. Which act caters for offenses relating to the misuse of computers in Malaysia?
Select one:
A. Cyber Crime Act 2010
B. Digital Evidence Act 1997
C. Copyright Act 1987
D. Computer Crimes Act 1997

Solution:
Computer Crimes Act 1997


Question 3: You are assigned to work in a state police agency's Computer Forensics laboratory. While working on a high-profile criminal case, you have followed every applicable procedure, but your superior is still worried that the defense attorney might question whether evidence has been modified while at the laboratory. What would you do to ensure the proof is the same as when it first went into the laboratory?
A. Sign a letter confirming that the evidence is the same as it was when it entered the laboratory.
B. Generate the hash value of the evidence and compare it to the standard database developed by the police agency.
C. Create a new image of the evidence, encrypt the evidence to avoid any changes and send the encrypted evidence to the defense attorney.
D. Generate the hash value of the evidence and compare it with the original hash value that was taken when the evidence first entered the laboratory.

Solution:
Generate the hash value of the evidence and compare it with the original hash value that was taken when the evidence first entered the laboratory.

Question 4: Evidence that indicates the suspect is innocent of the crime.
The above statement refers to __________ evidence.
A. tainted
B. hearsay
C. inculpatory
D. exculpatory

Solution:
exculpatory

Question 5:  When capturing a system image from a computer system, what type of device should you use when connecting to the evidence drive?
A. Extract blocker
B. Write blocker
C. Read blocker
D. Chain blocker

Solution:
Write blocker

Question 6: Chain of custody in digital forensics investigation is referred to as a _____________________________.
A. Document to track the movement of evidence.
B. Suspects and witnesses involved in the crime investigation.
C. Formal letter to attend court trial.
D. Payment slip for forensic investigator.

Solution:
Document to track the movement of evidence.

Question 7: You suspect that the workstation of a user is infected with malware and are about to begin an investigation. If you want to minimize the risk of infecting other devices on your network with this workstation, but you also want to retain as much evidence as possible, which of the following should you do?
A. Remove all USB drives and peripherals from the workstation.
B. Isolate from network.
C. Shut down the workstation.
D. Pull the power cord from the workstation.

Solution:
Isolate from network.

Question 8: When preserving digital evidence, the evidence must be___________.
A. located close to electric source
B. uniquely labelled
C. transported immediately
D. powered ON all the time

Solution:
uniquely labelled

Question 9: _________ is an exact bit-for-bit copy in the same form as the original exhibit (identical).
A. Chain
B. Extract
C. Clone
D. Image

Solution:
Clone

Question 10: Evidence that indicates a suspect is guilty of the crime he or she is charged with.
The above statement refers to __________ evidence.
A. tainted
B. exculpatory
C. hearsay
D. inculpatory

Solution:
inculpatory


Question 11: When dealing with the powered-off computers at the crime scene, if the computer is switched off, turn it on.
True
False

Solution:
False


Question 12: Under what circumstances can an investigator conduct a search without a search warrant?
A. When the premise owner instructed the investigator.
B. When the case involves other parties such as Internet Service Provider (ISP) companies.
C. When the investigator believes that if the search is not done at the current time, the evidence will be lost or destroyed.
D. When the investigator needs to record dates for items related to the investigation.

Solution:
When the investigator believes that if the search is not done at the current time, the evidence will be lost or destroyed.

Question 13: Computers can be evidence in crimes involving fraud and human trafficking.
True
False

Solution:
True

Question 14: Which of the following is NOT an example of a cyber crime?
A. Firing an employee for misconduct.
B. Fraud achieved by the manipulation of the computer records.
C. Intellectual property theft, including software piracy.
D. Deliberate circumvention of the computer security systems.

Solution:
Firing an employee for misconduct.

Question 15: A 2017 story from Digital Forensics Magazine describes a hit-and-run car crash caused by the driver of a dark SUV without lights on. The SUV hit a car, ran into a clump of trees and then drove off. Police were able to locate an SUV that fit the description. After downloading data from its on-board diagnostics, infotainment and telematics systems, police were able to determine that the vehicle had passed the scene at the approximate time the crash had occurred, that the lights had not been on and that the SUV had been placed in reverse and forward several times immediately after the time of the crash in the proximity of the damaged trees. Police also found other implicating details of the SUV’s trip that night from routes and destinations in the navigation system. From the case study, explain what kind of information can be found from the vehicle that helps police reach the conclusion of the case.

Solution: The SUV's navigation system can be forensically investigated, and the data shows that the SUV passed the scene exactly at the time the accident happened, the movement of the SUV (reverse and forward many times after the crash), and the route of the car, which is similar to the one described in the accident.

Question 16: Which of the following are the main activities during the Identification phase?
(i) Gather information about types of crime.
(ii) Identify the resources you may need at the crime scene.
(iii) Gather information about the location related to the crime.
(iv) Analyze the image copy.
A. (i), (ii) and (iii)
B. (i), (iii) and (iv)
C. (ii) and (iv)
D. (ii), (iii) and (iv)

Solution:
(i), (ii) and (iii)


Question 17: It is important to sketch the crime scene for the purpose of _____________ details of the scene.
A. refurbishing
B. reenergizing
C. recreating
D. renovating

Solution:
recreating

Monday, 19 April 2021

Computer Forensics Quiz

Question 1: Chain of custody in digital forensics investigation is referred to as a _______.

Select one:
A. Payment slip for forensic investigator.
B. Formal letter to attend court trial.
C. Suspects and witnesses involved in the crime investigation.
D. Document to track the movement of evidence.

Solution: Document to track the movement of evidence.

Question 2: In late 2019, it was reported by Infosecurity Magazine that 72% of former employees admitted taking company data with them upon departure. If there are concerns that a departing employee has stolen proprietary data, which of the following is NOT one of the steps to be taken to forensically preserve a departing employee’s computer?
Select one:
A. Determine if an employee connected a device such as a removable USB storage device or if a CD was created which contained confidential data.
B. Find and document instances of an employee’s improper conduct.
C. Pass the former employee’s computer to another employee to improve their productivity.
D. Identify which data was deleted from the computer.

Solution: Pass the former employee’s computer to another employee to improve their productivity.

Question 3: When preparing a questionnaire for interviewing individuals at the crime scene, which of the following should NOT be requested?
Select one:
A. Passwords
B. Encryption keys
C. Details on removable storage
D. Admission of guilt

Solution: Admission of guilt

Question 4: Which of the following are the factors of inadmissible evidence?
(i) Any evidence that diverts the jury's attention away from the central premise of the case.
(ii) Evidence that arose from a privileged informational source.
(iii) Any evidence that proves or disproves a fact of the case but not necessarily innocence or guilt.
(iv) The mentioning of prior crimes unrelated to the current case.
Select one:
A. (i), (ii) and (iv)
B. (i), (iii) and (iv)
C. (ii), (iii) and (iv)
D. (i), (ii) and (iii)

Solution: (i), (ii) and (iv)

Question 5: Which of the following is NOT an example of cyber crime?
Select one:
A. Sending misleading messages via email or other channels, that cause internet users to provide personal information, access malicious websites or download malicious payloads.
B. Fake scratch cards that promise some sort of prize, on the condition that the 'winner' pays a collection fee.
C. A network of computers that attackers infected with malware, compromised and connected to a central command & control center.
D. Fraudulent sales through online auction or retail sites or through bogus websites.

Solution: Fake scratch cards that promise some sort of prize, on the condition that the 'winner' pays a collection fee.

Question 6: How can digital forensics help to save an organization money and time? Explain.

Solution: As modern-day targets are increasing, with an alarming number of attacks, it is possible for an attack to happen in your organization, and it will lead to a loss of information. For example, if someone breaks into your company and you lose a lot of information such as trade secrets that the attackers were able to steal, the investigation will uncover which things were stolen and how they were stolen, which can be used in a court of law to show that the crime took place and by which party, and you could be compensated for the attack. Sometimes files are deleted from the system, and computer forensics can be used to recover such valuable information without having to pay and expose data to a third party.