488 Quiz-02

The document contains a quiz on cyber forensics, covering various topics such as file significance, incident response, digital evidence, and forensic analysis techniques. Each question provides multiple-choice answers, focusing on key concepts relevant to digital forensics and the role of forensic investigators. The quiz serves as an assessment tool for understanding critical aspects of cyber forensics.

Uploaded by

claudiacm045364

IT 488 Cyber Forensics Quiz

Answer key:

1) There is a file called "pagefile.sys" on Windows systems. What is the significance of this file for forensic analysis?

a. It contains a log of all system errors encountered during operation.
b. It is a compressed archive of all user documents stored on the computer.
c. It potentially holds "paged out" portions of memory, which might include traces of sensitive data.
d. It stores fragmented pieces of unused memory space with no forensic value.

2) In an NTFS file system, where is information about a file's data clusters stored?

a. Within the actual file data
b. In a separate header file for each file
c. In the file's entry within the Master File Table (MFT)
d. Scattered throughout unused sectors on the drive

3) What is the main benefit of developing a strong incident response plan?

a. To collect evidence for future legal action.
b. To improve digital forensics capabilities.
c. To ensure a well-organized response to potential security incidents.
d. To deter cybercriminals and nation-states from targeting the organization.

4) Why is incident response becoming increasingly important?

a. Because new laws require digital forensics expertise.
b. Because regulations like GDPR and NIS emphasize data security.
V0 c. Because modern threats are more complex and require forensics.
d. Because digital lifestyles rely heavily on uninterrupted IT services.

5) What will the following regular expression match: colou?r ?

a. Words with "color" or "colour".
b. Words containing "col" followed by either "o" or "u" (but not both), and ending with "r".
c. Only the exact word "colour".
d. Words starting with "col" and ending with "r" but with any number of characters in between.

6) Why are Shellbags considered important to a forensic expert?

a. They enhance system performance
b. They indicate that a user has visited a particular folder
c. They store encryption keys
d. They speed up the browsing process

7) ______ is simply information that is basically a dictionary of all files and folders on the NTFS partition.

a. Routing Table
b. Master File Table
c. Slave File Table
d. Page Table

8) ______ is a device that is put between the digital evidence and the computer it is connected to and that prohibits the computer from writing any data to the device.

a. thumbcache
b. write blocker
c. Shellbags
d. System Log

9) The final step in a forensic analysis is to write a report. What should the report NOT be written to do?

a. Explain technical terms for those unfamiliar with forensics.
b. Clearly present objective findings from the examination.
c. Maintain a chain of custody for the evidence examined.
d. Persuade the reader of the investigator's personal opinions.

10) What is the primary focus of the "Analyzing" process in digital forensics?

a. Ignoring questions raised during the investigation
b. Optimizing data storage
c. Determining what has happened in a digital environment
d. Enhancing data encryption techniques

11) What makes .Lnk files interesting for forensic examiners?

a. They enhance system performance
b. They provide encryption keys
c. They are not deleted when a remote drive is removed or when a file is deleted
d. They are only accessible from the user's desktop

12) ______ can define a pattern matching any e-mail address, phone number, credit card number or social security number.

a. Regular expressions
b. Pattern
c. Arguments
d. Directory

13) Which hive stores hashed passwords for user accounts on the local machine?

a. SOFTWARE
b. SYSTEM
c. SAM
d. SECURITY

14) You need to know how to use character ranges in grep regular expressions. What does [a-zA-Z] match?

a. It matches any punctuation mark or symbol.
b. It matches a single number between 0 and 9.
c. It matches any letter, uppercase or lowercase.
d. It matches any character, including spaces and special characters.

15) What is the biggest drawback of using a physical disk image?

a. It requires a write blocker, which can be expensive.
b. It is a slower process compared to creating a logical image.
c. It cannot be used to image encrypted devices, as the image itself will be encrypted.
d. It captures unnecessary data, making analysis more time-consuming.

16) Imagine you are using grep and want to find lines containing any letter or number (0-9). Which of these grep expressions would achieve this?

a. [0-9]
b. [.akz]
c. [a-zA-Z0-9]
d. [a-z]

17) What is the primary function of the Windows Registry?

a. To store user documents and multimedia files
b. To manage the internet browsing history
c. To store configuration settings for users, applications, and the Windows system itself
d. To serve as the main memory for running programs

18) There are differences between the two methods for forensic imaging: physical and logical. Under which circumstance would a logical disk image be the preferred choice?

a. When the investigator needs to capture deleted data and hidden files.
b. When the hard drive can be easily removed and a write blocker is available.
c. When the target device is encrypted and a physical image would be useless.
d. When a faster imaging process is crucial for the investigation.

19) What is the encryption formula used in asymmetric encryption?

a. P + K1 = C
b. C + K2 = P
c. P + K = C
d. C + K = P

20) What is the main benefit of developing a strong incident response plan?

a. To collect evidence for future legal action.
b. To improve digital forensics capabilities.
c. To ensure a well-organized response to potential security incidents.
d. To deter cybercriminals and nation-states from targeting the organization.

21) You can use grep expressions to find misspelled words. Which of the following regular expressions would likely find the misspelling "calendar" with an extra "e" anywhere in the word?

a. cal*ndar
b. cale*ndar
c. cal[ea]ndar
d. cal[a-z]*dar

22) In a forensic report, how should investigators present the pieces of evidence they found during the examination?

a. Summarize the evidence with their personal interpretations for context.
b. Organize the evidence chronologically based on the discovery order.
c. Present the evidence objectively, "as is," without any personal opinions.
d. Highlight the most dramatic or incriminating pieces of evidence.

23) In digital forensics, what is a common entry point for law enforcement to track a suspected user tied to a specific action online?

a. Encryption keys
b. MAC addresses
c. IP addresses
d. Browser cookies

24) A forensic report should be written in a way that achieves two main goals. Which of the following is NOT one of these goals?

a. Provide a clear and understandable record for someone else to reproduce the examination.
b. Include a glossary of terms to explain technical language to a non-expert audience (like judges or jurors).
c. Express strong opinions and judgments about the case.
d. Present the findings from the examination in an objective manner.

25) Why is memory analysis so valuable for forensic investigators even though it's volatile (cleared on reboot)?

a. It provides a permanent record of all files accessed by the user.
b. It stores a complete backup of all data on the hard drive.
c. It can contain temporary, unencrypted versions of originally encrypted data like passwords.
d. It offers a historical record of everything the computer has ever done.

26) What does The International Society of Forensic Computer Examiners emphasize regarding the truthfulness of forensic computer examiners?

a. Withhold findings to maintain confidentiality
b. Express opinions based on personal beliefs
c. Always be truthful about findings
d. Exaggerate competence for professional recognition

Which of the following is NOT a common hive of interest to a forensic examiner in the Windows
Registry?

SAM

SECURITY

SOFTWARE

HARDWARE

According to The International Society of Forensic Computer Examiners' code of ethics, what is a
fundamental principle that forensic computer examiners should adhere to?

Withhold evidence to maintain objectivity

Express opinions on guilt to guide investigations

Be objective and accurate in all investigations

Engage in conflicts of interest to broaden perspectives

Where are .Lnk files created when a user opens files typically located on a Windows system?

C:\Windows\System32

C:\Program Files\Common Files

[userhomefolder]\AppData\Roaming\Microsoft\Windows\Recent

C:\Users\Public\Documents

What role do Internet service providers (ISPs) play in the process of tracing online users through IP
addresses?

They encrypt the IP addresses for security.

They provide unique MAC addresses.

They maintain records of the actual users behind IP addresses.

They anonymize user information for privacy.

______ is a log file located in the folder [SystemRoot]\Windows\INF. It logs events related to the installation and uninstallation of devices.

Registry log

System log

Setupapi.dev.log

Password history

What does a logical disk image in digital forensics capture?

Encrypted data only

The entire storage device, including encryption

Bit-by-bit copy of the original data

Only the files currently open in the operating system

Which of the following file systems is most commonly used for storing surveillance video on USB
drives?

ext4 (common on Linux)

NFS (common for network storage)

FAT32 (common on surveillance video and thumb drives)

NTFS (modern Windows-based computer)

What is the role of spaces in the indexing process?

They define characters in a string

They separate the data into strings

They make up noise words in the index

They enhance the security of the index

The ____ is a Windows feature with the purpose of making previewing of pictures quicker.

EXIF

thumbcache

Shellbags

.Lnk files

MRU - Stuff

A partition on a hard drive is formatted with a file system. What is the primary function of the file
system?

To erase all data on the partition

To create a bootable operating system

To organize and manage data storage and retrieval

To connect the hard drive to a network

______ is nothing more than a bag filled with the software and hardware you need to carry out live investigations.

response kit

write blocker

Shellbags

.Lnk files

Which of the following is a typical application that might use an SQLite database on a mobile device?

Video editing software

Word processing application

SMS messaging application

Network web browser

What is one benefit of SQLite databases for forensic analysis?

They are encrypted by default, making it harder to extract data.

They require a separate C library to function, hindering analysis.

They can often be automatically analyzed by forensic software.

They are rarely used by mobile applications, limiting forensic value.

What is the primary function of the Windows Registry?

To store user documents and multimedia files

To manage the internet browsing history

To store configuration settings for users, applications, and the Windows system itself

To serve as the main memory for running programs

What are "noise words" in the context of indexing in digital forensics?

Words that are essential for creating the index

Words that make up a string

Words that are ignored in the index due to their frequency.

Words that are encrypted in the index.

There are differences between findings and conclusions in a forensic report. What is the key
distinction between these two elements?

Findings are presented visually (charts, graphs), while conclusions are written in text.

Findings are irrelevant information, while conclusions are the most critical points.

Findings are objective observations, while conclusions are subjective interpretations based on findings.

Findings are presented first, while conclusions come last in the report.

Q- What are the arguments taken by the render() function?

A- First is JSX code, the second is DOM node ✅

Q- What is the role of the Adapter in a RecyclerView?

It connects the data to be displayed with the RecyclerView ✅

Q- Which of the following is a React 16 feature that allows rendering an element outside of its component hierarchy?

Portals ✅

Q- Which of the following is a React 16 feature that prevents the use of unnecessary DOM elements?

Rendering fragments ✅

Q- In ______ topology, nodes are classified into groups or clusters.

Hierarchical ✅

Q- The _____ hive contains information about the users on the local machine, information about when they last logged on, when each account was created, and password hashes.

SAM ✅

Q- What is one benefit of SQLite databases for forensic analysis?

C- They can often be automatically analyzed by forensic software ✅

Q- ______ are used to store information about GUI settings for explorer that is used to browse files and folders on a Windows-based computer.

A- Shellbags ✅

Q- A partition on a hard drive is formatted with a file system. What is the primary function of the file system?

To organize and manage data storage and retrieval ✅

Q- Which hive stores hashed passwords for user accounts on the local machine?

SAM ✅

Q- You need to know how to use character ranges in grep regular expressions. What does [a-zA-Z] match?

C- It matches any letter, uppercase or lowercase ✅

Q- In a forensic report, how should investigators present the pieces of evidence they found during the examination?

C- Present the evidence objectively, "as is," without any personal opinions ✅

Q- What is the role of spaces in the indexing process?

They separate the data into strings ✅

Q- Why are Shellbags considered important to a forensic expert?

They indicate that a user has visited a particular folder ✅

Q- What is the main benefit of developing a strong incident response plan?

To ensure a well-organized response to potential security incidents ✅

Q- According to The International Society of Forensic Computer Examiners' code of ethics, what is a fundamental principle that forensic computer examiners should adhere to?

C- Be objective and accurate in all investigations ✅

Q- In an NTFS file system, where is information about a file's data clusters stored?

C- In the file's entry within the Master File Table (MFT) ✅

Q- Why is memory analysis so valuable for forensic investigators even though it's volatile (cleared on reboot)?

It can contain temporary, unencrypted versions of originally encrypted data like passwords ✅

Q- In digital forensics, what is a common entry point for law enforcement to track a suspected user tied to a specific action online?

IP addresses ✅

Q- What is the primary focus of the "Analyzing" process in digital forensics?

C- Determining what has happened in a digital environment ✅

Q- ______ is a device that is put between the digital evidence and the computer it is connected to and that prohibits the computer from writing any data to the device.

write blocker ✅

Q- What role do Internet service providers (ISPs) play in the process of tracing online users through IP addresses?

C- They maintain records of the actual users behind IP addresses ✅

Q- What are "noise words" in the context of indexing in digital forensics?

C- Words that are ignored in the index due to their frequency ✅

Q- ______ is the act of making data unreadable without the correct key.

Encryption ✅

Q- What does The International Society of Forensic Computer Examiners emphasize regarding the truthfulness of forensic computer examiners?

Always be truthful about findings ✅

Q- ______ is the process of creating a copy that is identical to the original data, in terms of content.

Disk imaging ✅

Q- Which of the following is a typical application that might use an SQLite database on a mobile device?

SMS messaging application ✅

Q- Which registry hive would a forensic investigator examine to find information about a user's browsing history?

NTUSER.dat ✅

Q- ______ is nothing more than a bag filled with the software and hardware you need to carry out live investigations.

response kit ✅

Q- _________ is the process of prioritizing data or devices for forensic examinations when a forensic expert is tasked with several examinations at once and needs to complete examinations fast to avoid a heavy backlog.

Forensic triage ✅
