Digital Forensics

Question 1

The application of investigation and analysis techniques to gather and preserve evidence from digital sources.

Answer 1

Digital forensics

Question 2

The formal documentation that proves evidence has not been altered and was handled properly.

Answer 2

Chain of custody

Question 3

A hash value used to verify the integrity of forensic images and data.

Answer 3

MD5 or SHA-1 hash

Question 4

Making an exact, bit-for-bit copy of a digital device for forensic analysis.

Answer 4

Imaging

Question 5

The first response step in forensics to ensure systems are not tampered with.

Answer 5

Evidence preservation

Question 6

The safest type of imaging that doesn’t modify the original data.

Answer 6

Write-blocked imaging

Question 7

A forensic action used to reconstruct attacker activity from logs or memory.

Answer 7

Timeline analysis

Question 8

A forensic process that recovers deleted or fragmented data.

Answer 8

File carving

Question 9

A temporary, volatile data source that must be captured before shutting down a system.

Answer 9

RAM (volatile memory)

Question 10

The stage in digital forensics where collected data is reviewed for evidence.

Answer 10

Examination

Question 11

The process of documenting forensic findings and presenting them clearly to stakeholders.

Answer 11

Reporting

Question 12

A live forensic technique used to collect data from a system while it’s running.

Answer 12

Volatile data acquisition

Question 13

Tool used to analyze disk images and file systems in forensic investigations.

Answer 13

Autopsy or FTK Imager

Question 14

The final phase of the forensic process where lessons learned are shared.

Answer 14

Post-incident review

Question 15

The type of forensics used to investigate suspicious behavior within logs and event files.

Answer 15

Log forensics

Question 16

An incident type requiring forensics when intellectual property is stolen.

Answer 16

Data breach investigation

Question 17

The standard order of volatility when collecting evidence.

Answer 17

CPU cache → RAM → disk → backups

Question 18

A location in digital forensics where original evidence is securely stored.

Answer 18

Evidence locker

Question 19

Forensic technique used to analyze unallocated disk space.

Answer 19

Slack space analysis

Question 20

Temporary storage space that may hold valuable artifacts like passwords or recent files.

Answer 20

Pagefile or swap file

Question 21

The process of examining running processes, open connections, and system artifacts on live systems.

Answer 21

Live forensics

Question 22

A type of tool that helps identify who accessed what file and when.

Answer 22

File access audit tool

Question 23

The forensic process of validating that the evidence matches what was originally acquired.

Answer 23

Integrity check

Question 24

The device used to prevent modification during forensic acquisition.

Answer 24

Hardware write blocker

Question 25

The practice of isolating systems to prevent tampering during forensic review.

Answer 25

Evidence containment

Question 26

A tool used to extract browser history, cookies, and cache during investigations.

Answer 26

Internet Evidence Finder (IEF)

Question 27

Artifacts like shellbags, prefetch files, and jump lists are found in what system?

Answer 27

Windows OS

Question 28

A standard forensic format used to store disk images.

Answer 28

E01 format

Question 29

The forensic method used to understand what was done on a device without directly examining it.

Answer 29

Artifact analysis

Question 30

A structured process for identifying, collecting, analyzing, and preserving digital evidence.

Answer 30

Forensic investigation lifecycle