1. When acquiring digital evidence, why shouldn’t the evidence be left unattended in an unsecured location?
a. Cross-contamination
b. Storage
c. Chain-of-custody
d. Not an issue
2. Which describes an HPA?
a. Stands for Host Protected Area
b. Is not normally seen by the BIOS
c. Is not normally seen through Direct ATA access
d. All of the above
3. Which describes a DCO?
a. Was introduced in the ATA-6 specification
b. Stands for Device Configuration Overlay
c. Is not normally seen by the BIOS
d. All of the above
4. When acquiring USB flash memory, you should write-protect it by:
a. Engaging the write-protect switch, if equipped
b. Modifying the Registry in XP SP2 (or higher) to make USB read-only
c. Introducing a hardware write blocking device between evidence source and target drive
d. All of the above
5. FAT is defined as:
a. A table consisting of master boot record and logical partitions
b. A table created during the format that the operating system reads to locate data on a drive
c. A table consisting of file names and file attributes
d. A table consisting of file names, deleted file names, and their attributes
6. What is the very first consideration when responding to a scene?
a. Your safety
b. Safety of others
c. Preservation of evidence
d. Documentation
7. How is the chain of custody maintained?
a. By bagging evidence and sealing it to protect it from contamination or tampering
b. By documenting what, when, where, how, and by whom evidence was seized
c. By documenting in a log the circumstances under which evidence was removed from the evidence control room
d. All of the above
8. When shutting down a computer, what information is typically lost?
a. Data in RAM memory
b. Running processes
c. Current logged-in users
d. All of the above
9. When would it be acceptable to navigate through a live system?
a. To observe the operating system to determine the proper shutdown process
EXAMINER: MR. STEPHEN BRAKO OTI Page 1 of 7
b. To document currently opened files
c. To observe an encryption program running
d. All of the above
10. The manager of a digital forensics lab is responsible for which of the following?
a. Making necessary changes in lab procedures and software
b. Ensuring that staff members have enough training to do the job
c. Knowing the lab objectives
d. None of the above
11. Kofi uses DISKPART and CLEAN ALL to write zeroes to his whole hard drive, including the Word document. What type of data is the Word document now?
a. Active data
b. Archival data
c. None of the above
d. Latent data
12. Which of these documents is most important, and can ruin the evidence if it is lost?
a. Chain of custody
b. Summary
c. Detailed findings
d. Examiner's final report
13. Which of these items must be written in clear, non-technical English?
a. Chain of custody
b. Summary
c. Detailed findings
d. Examiner's final report
14. Which is the most reliable forensic software?
a. FTK
b. EnCase
c. Sleuth Kit and Autopsy
d. Never trust any of them, always use two
15. Which item must be placed in a Faraday bag immediately after seizure?
a. SD cards
b. Cell phone
c. Laptop
d. Hard disk
16. Which item of evidence is the most volatile?
a. Deleted files on a hard disk
b. Downloads in progress
c. USB thumb drive data
d. Data stored in the cloud
17. If a suspect is using encryption, which data below is likely to be lost if the device is powered off?
a. Cell phone
b. Laptop hard drive
c. Contents of RAM
d. All of the above
18. Which is the first step done by a forensic examiner who arrives at a crime scene?
a. Take photographs
b. Label devices
c. Fill out Chain of Custody form
d. Take notes
19. Joe is making a clone of the evidence drive onto a target drive. Which of these is not a good practice?
a. Forensically wipe target drive first
b. Use antivirus to scan the forensic workstation
c. Use antivirus to scan the evidence drive
d. Use a hardware write-blocker
20. You find a laptop at a crime scene with a dead battery. What type of acquisition should you perform?
a. Live acquisition in a laboratory
b. Live acquisition at the scene
c. Static acquisition in a laboratory
d. They are all equally useful
21. The application of science to solve legal problems is known as _______?
a. Digital Forensics
b. Forensic science
c. Criminal investigations
d. DNA
22. Digital forensics can be used in a variety of settings, including
a. Criminal investigations
b. Administrative matters
c. Both (a) and (b)
d. None of the above
23. The following are all phases in the digital forensics investigation lifecycle except?
a. Identification
b. Preservation
c. Documentation
d. Analysis
24. The basic methodology employed in acquiring digital evidence (the 3As) is _____
a. Acquire, authenticate, administer
b. Administer, assess, authenticate
c. Acquire, authenticate, analyze
d. Authenticate, administer, analyze
25. In the physical world, when perpetrators enter or leave a crime scene, they will leave something behind and take something with them. This is known as the
a. Principle of detectability
b. Locard’s exchange principle
c. Locard’s intrusion principle
d. Lornhro’s Exchange matrix principle
26. Examples of digital evidence a perpetrator could leave behind include: (choose two)
a. Registry keys
b. SNMP traps
c. Log files
d. Hiberfil.sys file
27. The body concerned with developing consensus standards of practice for the forensics community is known as _______
a. American Society of Crime Laboratory Directors / Laboratory Accreditation Board
b. National Institute of Standards and Technology
52. Rearrange the following in the right order of volatility (i.e. from the most volatile to the least volatile):
IV. Hard disk
V. Temp files
VI. Archival data
VII. Remotely logged data
a. IV, V, VI and VII
b. VI, IV, V and VII
c. VII, V, VI and IV
d. V, IV, VII and VI
53. An exact bit for bit copy of a hard drive is known as _______
a. Forensic copy
b. Forensic clone
c. Digital copy
d. Data extraction
For questions 56 to 60, indicate true or false where appropriate in your answer booklet.
56. Reacquiring an image and adding compression will change the MD5 value of the acquisition hash.
57. Forensically speaking, files are strings or sequences of bits and bytes identified by the hash value.
58. Most drives read and write data magnetically. If the particle is magnetized, it’s read as a 0. If not, it’s read as a 1.
59. A flash drive is made up of diodes which may or may not carry an electric charge. When a diode is charged, it is read as a “0”; without a charge it reads as a “1.”
60. The Windows Registry keeps track of user and system configuration and preferences and provides an abundance of potential evidence.