Advanced Digital Forensics

Question 1

What is the purpose of securing a digital crime scene?

Answer 1

To prevent tampering with evidence and preserve its integrity for investigation.

Question 2

Name two things to check when securing a digital device at a crime scene.

Answer 2

Device ownership and whether it is connected to a network.

Question 3

What is volatile data, and why is it important?

Answer 3

Data that disappears when power is lost; important because it must be collected immediately.

Question 4

Give an example of volatile data.

Answer 4

RAM contents, running processes, open network connections.

Question 5

What tool is used to capture volatile memory?

Answer 5

Belkasoft Live RAM Capturer.

Question 6

What is Dead Acquisition?

Answer 6

Collecting data from a powered-off device, preserving the original data structure.

Question 7

What is the Order of Volatility?

Answer 7

The priority order for collecting data based on how quickly it can be lost.

Question 8

What is the primary goal of forensic data acquisition?

Answer 8

To make an exact bit-by-bit copy of evidence media without altering original data.

Question 9

List three types of data acquisition methods.

Answer 9

Logical acquisition, Sparse acquisition, Bit-stream imaging.

Question 10

What is Logical Acquisition?

Answer 10

Capturing specific files or file types of interest.

Question 11

What is Sparse Acquisition?

Answer 11

Capturing both selected files and fragments of deleted files from unallocated space.

Question 12

What is a Bit-stream Disk-to-Disk Copy?

Answer 12

Cloning one disk directly to another, preserving original data structure.

Question 13

Name two hashing algorithms used for verifying digital evidence.

Answer 13

MD5, SHA-1.

Question 14

What is a Write Blocker, and why is it used?

Answer 14

A device preventing any write commands to evidence media during acquisition.

Question 15

What is the purpose of forensic imaging tools like AccessData FTK Imager?

Answer 15

To create forensic images of storage media for investigation.

Question 16

What are the benefits of forensic readiness for an organization?

Answer 16

Faster investigations, lower costs, better defense against cybercrimes.

Question 17

What are examples of Anti-Forensic Techniques?

Answer 17

Encryption, steganography, data wiping.

Question 18

What is Steganography?

Answer 18

Hiding secret data within ordinary files like images or audio.

Question 19

Name two steganography tools.

Answer 19

Steghide, OpenPuff.

Question 20

What is the Sleuth Kit?

Answer 20

A set of forensic tools used to examine file systems and disk images.

Question 21

What file systems are analyzed using Autopsy and Sleuth Kit?

Answer 21

NTFS, FAT, ExFAT, HFS+, ext3, ext4, UFS.

Question 22

What is the importance of documenting the investigation process?

Answer 22

Ensures repeatability, preserves evidence authenticity, and supports court admissibility.

Question 23

What does ‘Bagging and Tagging’ mean in forensics?

Answer 23

Labeling and securing physical evidence to maintain the chain of custody.

Question 24

What is a Cluster in file systems?

Answer 24

The smallest logical storage unit composed of multiple sectors.

Question 25

What is Slack Space?

Answer 25

Unused space within a disk cluster that may contain remnants of old files.

Question 26

What is a Lost Cluster?

Answer 26

Clusters marked used but not allocated to any file.

Question 27

What is a primary partition?

Answer 27

A disk division that stores the operating system and is necessary for booting.

Question 28

What does the Master Boot Record (MBR) contain?

Answer 28

Partition information and the bootloader needed to start the OS.

Question 29

What is the difference between cold boot and warm boot?

Answer 29

Cold boot starts from powered-off state; warm boot restarts without power off.