ANSWER ALL SIXTY (60) QUESTIONS ON THE QUESTION PAPER

1. When acquiring digital evidence, why shouldn’t the evidence be left unattended in an
unsecured location?
a. Cross-contamination
b. Storage
c. Chain-of-custody
d. Not an issue
2. Which describes an HPA?
a. Stands for Host Protected Area
b. Is not normally seen by the BIOS
c. Is not normally seen through Direct ATA access
d. All of the above
3. Which describes a DCO?
a. Was introduced in the ATA-6 specification
b. Stands for Device Configuration Overlay
c. Is not normally seen by the BIOS
d. All of the above
4. When acquiring USB flash memory, you should write-protect it by:
a. Engaging the write-protect switch, if equipped
b. Modifying the Registry in XP SP2 (or higher) to make USB read-only
c. Introducing a hardware write blocking device between evidence source and target
drive
d. All of the above
5. FAT is defined as:
a. A table consisting of master boot record and logical partitions
b. A table created during the format that the operating system reads to locate data on
a drive
c. A table consisting of file names and file attributes
d. A table consisting of file names, deleted file names, and their attributes
6. What is the very first consideration when responding to a scene?
a. Your safety
b. Safety of others
c. Preservation of evidence
d. Documentation
7. How is the chain of custody maintained?
a. By bagging evidence and sealing it to protect it from contamination or tampering
b. By documenting what, when, where, how, and by whom evidence was seized
c. By documenting in a log the circumstances under which evidence was removed
from the evidence control room
d. All of the above
8. When shutting down a computer, what information is typically lost?
a. Data in RAM memory
b. Running processes
c. Current logged-in users
d. All of the above
9. When would it be acceptable to navigate through a live system?
a. To observe the operating system to determine the proper shutdown process
b. To document currently opened files
c. To observe an encryption program running
d. All of the above
EXAMINER: MR. STEPHEN BRAKO OTI Page 1 of 7
10. The manager of a digital forensics lab is responsible for which of the following?
a. Making necessary changes in lab procedures and software
b. Ensuring that staff members have enough training to do the job
c. Knowing the lab objectives
d. None of the above
11. Kofi uses DISKPART and CLEAN ALL to write zeroes to his whole hard drive,
including the Word document. What type of data is the Word document now?
a. Active data
b. Archival data
c. None of the above
d. Latent data
12. Which of these documents is most important, and can ruin the evidence if it is lost?
a. Chain of custody
b. Summary
c. Detailed findings
d. Examiner's final report
13. Which of these items must be written in clear, non-technical English?
a. Chain of custody
b. Summary
c. Detailed findings
d. Examiner's final report
14. Which is the most reliable forensic software?
a. FTK
b. EnCase
c. Sleuth Kit and Autopsy
d. Never trust any of them, always use two
15. Which item must be placed in a Faraday bag immediately after seizure?
a. SD cards
b. Cell phone
c. Laptop
d. Hard disk
16. Which item of evidence is the most volatile?
a. Deleted files on a hard disk
b. Downloads in progress
c. USB thumb drive data
d. Data stored in the cloud
17. If a suspect is using encryption, which data below is likely to be lost if the device is
powered off?
a. Cell phone
b. Laptop hard drive
c. Contents of RAM
d. All of the above
18. Which is the first step done by a forensic examiner who arrives at a crime scene?
a. Take photographs
b. Label devices
c. Fill out Chain of Custody form
d. Take notes
19. Joe is making a clone of the evidence drive onto a target drive. Which of these is not a
good practice?
a. Forensically wipe target drive first
b. Use antivirus to scan the forensic workstation
c. Use antivirus to scan the evidence drive
d. Use a hardware write-blocker
20. You find a laptop at a crime scene with a dead battery. What type of acquisition should
you perform?
a. Live acquisition in a laboratory
b. Live acquisition at the scene
c. Static acquisition in a laboratory
d. They are all equally useful
21. The application of science to solve legal problems is known as _______?
a. Digital Forensics
b. Forensics science
c. Criminal investigations
d. DNA
22. Digital forensics can be used in a variety of settings, including
a. Criminal investigations
b. Administrative matters
c. Both (a) and (b)
d. None of the above
23. The following are all phases in the digital forensics investigation lifecycle except?
a. Identification
b. Preservation
c. Documentation
d. Analysis
24. The basic methodology employed in acquiring digital evidence (the 3As) is _____
a. Acquire, authenticate, administer
b. Administer, assess, authenticate
c. Acquire, authenticate, analyze
d. Authenticate, administer, analyze
25. In the physical world, when perpetrators enter or leave a crime scene, they will leave
something behind and take something with them. This is known as the
a. Principle of detectability
b. Locard's exchange principle
c. Locard's intrusion principle
d. Lornhro’s Exchange matrix principle
26. Examples of digital evidence a perpetrator could leave behind include: (choose two)
a. Registry keys
b. SNMP traps
c. Log files
d. Hiberfil.sys file
27. The body concerned with developing consensus standards of practice for the forensics
community is known as _______
a. American Society of Crime Laboratory Directors / Laboratory Accreditation Board
b. National Institute of Standards and Technology
c. American Academy of Forensic Sciences
d. Scientific Working Group on Digital Forensics
28. The body concerned with accrediting forensics laboratories and ensuring that labs meet
set standards for operation is known as ______
a. American Society of Crime Laboratory Directors / Laboratory Accreditation Board
b. National Institute of Standards and Technology
c. American Academy of Forensic Sciences
d. Scientific Working Group on Digital Forensics
29. How many bits are needed to encode one character of ASCII text?
a. 5
b. 6
c. 7
d. 8
30. How many printable characters can be found in the ASCII standard?
a. 128
b. 34
c. 94
d. 127
31. Suppose your first name was JOHN, written in all uppercase. Which of the options below
represents the hexadecimal representation of the name JOHN? (ASCII table values:
J=74, O=79, H=72, N=78)
a. 6a 6f 68 6e
b. 4a 4f 48 4e
c. 65 76 61 6e
d. 4a 4b 4e 4c
32. Rebuilding files by assembling blobs of data found on a disk is known as _______
a. Forensic cloning
b. Data recovery
c. File carving
d. None of the above
33. A three- or four-letter suffix usually attached to the end of a filename after a dot is
known as ________
a. File type
b. Default application
c. File extension
d. Dot delimiter
34. Which device stores data using electromagnetism?
a. Hard disk
b. Solid state drive
c. DVD
d. USB Flash drive
35. Which device stores data using microscopic electrical transistors?
a. CD
b. DVD
c. Solid state drives
d. Both (a) and (b)
36. All the following are nonvolatile types of data storage except ______
a. ROM
b. RAM
c. SSD
d. USB
37. Platter, spindle and read/write head are all components of a _______
a. Solid State Drive
b. DVD drive
c. Hard Disk
d. USB Drive
38. File systems _______
a. Keep track of used and free page files
b. Track the location of each file
c. Track file precautions
d. All of the above
39. The following are all valid Windows file systems except _______
a. HFS
b. NTFS
c. FAT32
d. FATX
40. Active data is typically found in the ________ space of the hard disk
a. Unallocated
b. Host protected area
c. Slack
d. Allocated
41. Data remains on a hard disk until overwritten with new data. This concept is known as
a. Data storage
b. Persistence of data
c. Locard's persistence principle
d. None of the above
42. A cluster often holds _______ sectors?
a. 64
b. 32
c. 16
d. 8
43. How much data does a sector on a hard disk hold?
a. 128 bytes
b. 256 bytes
c. 512 bytes
d. 1024 bytes
44. During a digital forensic analysis, an MS-Word file was found to be 4000 bytes in size.
What would be the corresponding size of the file in kilobytes, and how many sectors and
clusters would the file occupy on the hard disk?
a. 40 kilobytes, 80 sectors, 10 clusters
b. 0.4 kilobytes, 8 sectors, 1 cluster
c. 4 kilobytes, 8 sectors, 1 cluster
d. 32 kilobytes, 4 sectors, 2 clusters
45. Three major concerns associated with the use of virtual forensics labs are ______ (choose
three)
a. Security
b. Performance
c. Configuration
d. Data replication
e. Cost
46. To avoid arguments over contamination by malware, ________
a. Forensics examination computer should always be connected to the internet
b. Forensics examination computer should always be fitted with evidence drive with
preinstalled antivirus
c. Forensics examination computer should not be connected to the internet
d. None of the above
47. Documents that detail evidence collection procedures as well as laboratory examination
procedures a forensics laboratory must follow could be termed as
a. Process validation document
b. Tool validation document
c. Standard operating procedure
d. All of the above
48. The following are all documents contained in the case file except ______
a. Case submission forms
b. Chain of custody reports
c. Examiner's final report
d. Examiner's notes
49. Which of the following are open source forensic examination tools? (Choose two)
a. SIFT
b. FTK
c. EnCase
d. Sleuth Kit
50. Which of the following are commercial forensic examination tools? (Choose two)
a. SIFT
b. FTK
c. EnCase
d. Sleuth Kit
51. Rearrange the following in the right order of volatility (i.e. from the most volatile to the
least volatile).
(I. RAM; II. CPU cache and registers; III. Routing table, ARP cache, processes)
a. I, II and III
b. II, I and III
c. II, III and I
d. III, II and I

52. Rearrange the following in the right order of volatility (i.e. from the most volatile to the
least volatile).
(IV. Hard disk; V. Temp files; VI. Archival data; VII. Remotely logged data)
a. IV, V, VI and VII
b. VI, IV, V and VII
c. VII, V, VI and IV
d. V, IV, VII and VI
53. An exact bit-for-bit copy of a hard drive is known as _______
a. Forensic copy
b. Forensic clone
c. Digital copy
d. Data extraction
54. A forensically clean media ________
a. Can be proven to be devoid of data
b. Contains minimal data
c. May contain few lines of text and bitmaps
d. Is encrypted with TrueCrypt
55. Which of the following provides a basis for discrediting digital forensics evidence?
(choose two)
a. Unaccredited laboratories
b. Certified examiner
c. Proper chain of custody documentation
d. Use of write blocker in forensic cloning process
e. Absence of tool validation report

For questions 56–60, indicate true or false where appropriate in your answer booklet.
56. Reacquiring an image and adding compression will change the MD5 value of the
acquisition hash.
57. Forensically speaking, files are strings or sequences of bits and bytes identified by the
hash value.
58. Most drives read and write data magnetically. If the particle is magnetized, it’s read as a
0. If not, it’s read as a 1.
59. A flash drive is made up of diodes which may or may not carry an electric charge. When
a diode is charged, it is read as a “0”; without a charge it reads as a “1.”
60. The Windows Registry keeps track of user and system configuration and preferences and
provides an abundance of potential evidence.