What is the goal of computer forensics?
Computer forensics aims to collect, preserve, analyze and present digital evidence to reconstruct events and support legal or organizational decisions:
- Spot and secure devices and data without altering originals
- Create exact bit-for-bit images for safe analysis
- Recover active, deleted or hidden files and logs
- Rebuild a timeline of user actions and system events
- Document methods and findings in clear, time-stamped records
- Deliver concise reports and expert testimony for courts or management
Define traditional crime.
Traditional crime refers to illegal activities that occur in the physical world, often involving direct harm to individuals or property:
- Examples: theft, assault, fraud, vandalism
- Involves physical evidence (fingerprints, DNA, weapons)
- Investigated by law enforcement using established procedures
- May involve digital elements (e.g., surveillance cameras, online transactions)
- Often leads to criminal charges and court proceedings
What is “identity fraud”?
Identity fraud is the unauthorized use or theft of personal identifying information to impersonate someone for financial or other gain:
- Uses stolen names, SSNs, credit-card numbers or credentials
- Opens accounts, obtains loans or makes purchases in victim’s name
- May involve synthetic identities mixing real and fake data
- Methods: phishing, data breaches, dumpster diving
- Forensics traces transaction logs, account creation and device metadata
What is meant by a “phishing attack”?
A phishing attack is a social-engineering scam where attackers impersonate trusted entities to steal credentials or install malware:
- Sends spoofed emails, messages or websites appearing genuine
- Uses urgency or fear (“Account locked, verify now”)
- Directs victims to fake login pages or malicious attachments
- Variants: spear phishing (targeted), whaling (executive targets), smishing (SMS)
- Forensics examines email headers, URLs and endpoint artifacts
Define the term “hacking.”
Hacking is the unauthorized exploitation of system, network or application flaws to gain access, steal data or disrupt operations:
- Involves exploiting software bugs, misconfigurations or weak passwords
- Objectives: data theft, service disruption, privilege escalation
- Categories:
- Black Hat: malicious intent
- White Hat: authorized security testing
- Grey Hat: unauthorized but not purely malicious
- Techniques: brute-force, SQL injection, malware deployment
What is a disk image?
A disk image is an exact bit-for-bit copy of a storage device (HDD, SSD, USB) saved as a single file:
- Includes all files, partitions, slack and unallocated space
- Preserves metadata and deleted data for analysis
- Used to work on a copy, keeping the original unaltered
- Verified by hashing (MD5/SHA256) to ensure integrity
What is a bit-stream copy?
A bit-stream copy is a raw, binary-level duplication of storage media, capturing every bit from the first to the last sector:
- Replicates active, slack and unallocated areas
- Creates a faithful image usable for deleted data recovery
- Requires write-blockers to prevent any changes to source
What is a write-blocker and why is it used?
A write-blocker is a hardware or software tool that prevents any write commands from reaching original media:
- Ensures the source device cannot be altered during imaging
- Protects the integrity and admissibility of evidence
- Acts like a one-way valve: allows reads but blocks writes
What is live acquisition?
Live acquisition is capturing volatile data from a running system without shutdown:
- Retrieves RAM contents, running processes, network sessions and encryption keys
- Essential when shutdown would erase critical evidence
- Risks altering system state; requires detailed logging
What is a hash value (e.g., MD5 or SHA-1)?
A hash value is a fixed-length digital fingerprint computed from data; any change to the data alters the hash:
- MD5 produces 128-bit, SHA-1 produces 160-bit output
- Used to verify integrity of files or disk images
- Collision risk: two different inputs rarely share the same hash
Define Computer Forensics and explain its primary objectives.
Computer forensics is the systematic process of collecting, preserving, analyzing and presenting digital evidence to support investigations:
- Identification: Find potential evidence sources (devices, accounts)
- Preservation: Secure originals and document chain of custody
- Analysis: Recover and interpret active, deleted or hidden data
- Documentation: Record tools, methods and timestamps for repeatability
- Presentation: Produce clear reports and testimony for legal or corporate use
What are the key challenges faced in computer forensic investigations?
- Data volume: Terabytes of files and logs slow analysis
- Encryption & anti-forensics: Tools hide or destroy evidence
- Rapid technology changes: New devices, file formats and apps
- Jurisdictional issues: Cross-border data laws and treaties
- Chain of custody: Strict logging to prove evidence integrity
- Privacy laws: Balancing investigation with user rights
- Resource constraints: Specialized tools and skilled analysts are costly
Explain the importance of Chain of Custody in handling digital evidence.
Chain of custody is the detailed record of who collected, handled and transferred evidence:
- Proves evidence integrity by logging every action with timestamps
- Ensures legal admissibility by documenting secure storage and transfers
- Establishes accountability and prevents tampering or contamination
- Enables reproducibility: independent experts can follow the same steps
List and briefly describe the five phases of the computer forensics process.
- Identification: Spot devices and data that may hold evidence.
- Preservation: Secure originals with write-blockers; document custody.
- Acquisition: Create bit-for-bit images and RAM snapshots.
- Examination & Analysis: Recover files, parse logs, reconstruct events.
- Reporting/Presentation: Compile findings into clear, time-stamped reports; testify if needed.
Discuss the major legal and ethical issues in a digital investigation.
- Search Warrants & Privacy: Must obtain proper legal authority; respect GDPR and local privacy laws.
- Chain of Custody: Strict logging and sealing to prove no tampering.
- Evidence Admissibility: Use accepted methods (ISO 27037, Daubert) to ensure courts accept findings.
- Professional Conduct: Maintain impartiality, confidentiality and avoid conflicts of interest.
Describe standard phases of a computer forensic investigation (from acquisition through presentation).
- Acquisition:
- Activities: Use write-blockers to image drives; capture RAM with tools like DumpIt.
- Challenges: Locked/encrypted systems; avoiding data alteration.
- Example: Imaging a suspect’s laptop HDD before analysis.
- Examination:
- Activities: Carve deleted files with Autopsy; parse metadata and logs.
- Challenges: Large data volume; encrypted or proprietary formats.
- Example: Extracting deleted emails from a disk image.
- Analysis:
- Activities: Correlate artifacts to build timelines; identify malicious code with Volatility.
- Challenges: False positives; complex data relationships.
- Example: Mapping file timestamps to user login records in a breach.
- Presentation:
- Activities: Write concise reports; prepare slides; provide expert testimony.
- Challenges: Explaining technical details to non-experts.
- Example: Testifying in court about how stolen data was recovered and traced.
What is data carving?
Data carving is recovering files by scanning raw disk images for file signatures (headers/footers) without relying on file system metadata.
- Process: Search for unique file headers, extract contiguous data until footer.
- Examples: Carving JPEG images by scanning for `FFD8…FFD9`; carving PDF by `%PDF…%%EOF`.
- Use case: Retrieve deleted photos when directory entries are removed.
What is a journaling file system?
A journaling file system logs metadata changes in a journal before committing them to the main file system to ensure consistency after crashes.
- Journal: Records pending operations (create, delete, modify).
- Examples: NTFS (Windows), ext4 (Linux).
- Benefit: Fast recovery and reduced risk of corruption after unexpected shutdowns.
What is the Master File Table (MFT)?
The MFT is NTFS’s central metadata repository where each file and directory has a record with its attributes and data pointers.
- Contents: File name, size, timestamps, security info, data cluster locations.
- Role: Enables fast file lookup and aids recovery of deleted files by accessing orphaned MFT entries.
What is keyword searching in forensics?
Keyword searching scans collected data for specific terms or patterns to quickly locate relevant evidence.
- Method: Tools like grep or FTK search text/hex for strings such as “password” or unique identifiers.
- Examples: Searching emails for “confidential”; scanning logs for “Error 0x800”.
What is network forensics?
Network forensics captures and analyzes network traffic and logs to investigate intrusions, data exfiltration and malware communication.
- Tools: Wireshark (packet analysis), tcpdump (CLI capture).
- Process: Collect pcap files, filter by IP/port, reconstruct sessions and extract files.
What is timeline analysis?
Timeline analysis orders artifacts (logs, file timestamps) chronologically to reconstruct event sequences.
- Steps: Normalize timestamps, merge sources, visualize with tools like Plaso.
- Example: Correlate file creation times with user login events to trace attacker actions.
What is metadata?
Metadata is data about data, describing attributes like author, creation/modification timestamps and file size.
- Examples: Document properties (author, creation date); image EXIF data (camera model, GPS).
- Value: Provides attribution and timeline details.
What is malware forensics?
Malware forensics analyzes malicious code samples to understand behavior, payloads and command-and-control mechanisms.
- Static analysis: Examine binary code for strings and imports using tools like IDA Pro.
- Dynamic analysis: Run malware in a sandbox (e.g., Cuckoo) to monitor actions and network traffic.
What is triage in digital investigations?
Triage prioritizes data sources and devices based on relevance and time constraints to focus analysis efforts effectively.
- On-scene triage: Quick logical acquisition of suspicious files.
- Example: Copy browser history first from multiple devices; defer full disk imaging if time-limited.
What is logical acquisition?
Logical acquisition copies selected files and directories via the file system’s API without imaging entire media.
- Scope: Active files, application data.
- Limitation: Does not capture deleted data, slack or unallocated space.
List three hashing algorithms commonly used in forensics (e.g., MD5, SHA-1, SHA-256). For each, state one advantage and one limitation.
- MD5:
- Advantage: Fast computation.
- Limitation: High collision risk.
- SHA-1:
- Advantage: Better security than MD5.
- Limitation: Collision vulnerability proven.
- SHA-256:
- Advantage: Strong collision resistance.
- Limitation: Slower and larger output size.
What is a registry hive? Name two forensic artifacts you can extract from it and their significance.
A registry hive is a Windows database file storing a portion of the system registry.
- USBStor entries (SYSTEM hive): Shows USB device connection history (device IDs, timestamps).
- RecentDocs list (NTUSER.DAT): Records recently opened files for user activity timeline.
Explain what slack space is and outline one technique for recovering hidden data from it.
Slack space is unused space in the last cluster of a file that may contain remnants of previous files.
- Recovery technique: Cluster-based carving—read raw clusters and extract hidden data by matching known headers within slack.
Define each (volatile vs. non-volatile data), give two examples, and explain why volatile data must be captured first.
- Volatile data: Lost on shutdown.
- Examples: RAM contents, active network connections.
- Non-volatile data: Retained after power off.
- Examples: Hard drive files, system logs.
- Reason: Volatile data contains live system state (encryption keys, running processes) that vanish at shutdown.
Compare and contrast NTFS and FAT file systems in terms of metadata structures (e.g., MFT vs. directory entries). Explain how an investigator recovers deleted files and analyzes slack space in each.
- NTFS:
- Metadata in MFT records (timestamps, attributes, data pointers).
- Deleted recovery: MFT record flagged deleted but intact until overwritten; recover via unused MFT entries.
- Slack analysis: Read residual data from clusters referenced in MFT.
- FAT:
- Metadata in directory entries (file name, size, start cluster) and FAT table (cluster chains).
- Deleted recovery: Directory entry marked deleted (first character 0xE5); recover chain via FAT table.
- Slack analysis: Extract leftover bytes in the last cluster using raw cluster reads.
Describe the different categories of digital evidence (e.g., volatile vs. non-volatile, network logs, registry entries). For each category, explain its forensic value, how it’s collected, and give a practical example.
- Volatile data:
- Forensic value: Live system state (processes, RAM).
- Collection: RAM capture (DumpIt).
- Example: Extracting encryption keys from RAM to decrypt drive.
- Non-volatile data:
- Forensic value: Persistent files and logs.
- Collection: Disk imaging (FTK Imager).
- Example: Recovering deleted emails from a disk image for fraud.
- Network logs:
- Forensic value: Records of data flows and connections.
- Collection: Packet capture (Wireshark), firewall logs.
- Example: Identifying exfiltration server by analyzing pcap file.
- Registry entries:
- Forensic value: System and user configuration, device history.
- Collection: Registry hive extraction (reg export, FTK Registry Viewer).
- Example: Determining USB devices connected via USBStor registry data.
Define the following terms: E01 image; Physical acquisition; AFF (Advanced Forensic Format); Hex editor; SIM card reader; Cloud snapshot; API log; Volume header; eDiscovery; Encryption.
- E01 image: Proprietary EnCase format storing bit-for-bit disk images with embedded metadata and hash values.
- Physical acquisition: Direct block-level copy of storage media, capturing all data including deleted/unallocated space.
- AFF: Open forensic image format supporting metadata, compression and segmentation for efficient storage.
- Hex editor: Software to view/edit raw bytes of files or disks, enabling low-level artifact inspection.
- SIM card reader: Hardware tool to extract and analyze SIM data (contacts, SMS, IMSI).
- Cloud snapshot: Point-in-time copy of cloud storage volumes (e.g., AWS EBS) for remote forensic analysis.
- API log: Record of cloud service or application programming interface calls, detailing user actions and system events.
- Volume header: Initial sectors on a volume containing partition and filesystem metadata (e.g., NTFS boot record).
- eDiscovery: Legal process for identifying, collecting and producing electronic evidence in litigation or compliance.
- Encryption: Technique to encode data so only authorized parties with the correct key can decrypt and read it.
List the key sections of an examiner’s report (minimum five) and state the purpose of each.
- Cover Page: Case ID, examiner’s name, date – identifiers for reference.
- Executive Summary: High-level findings and conclusions – quick overview for decision-makers.
- Scope & Objectives: Investigation boundaries and goals – defines what was searched and why.
- Methodology: Tools, processes and configurations used – ensures transparency and repeatability.
- Findings & Analysis: Detailed evidence artifacts, interpretations and timelines – core of the report.
- Conclusions & Recommendations: Summarizes impact, suggests next steps or mitigation – guides stakeholders.
- Appendices: Hash lists, logs, evidence inventory – supports verification and court admissibility.
Define “anti-forensics.” List two common techniques and one countermeasure for each.
- Definition: Methods to hinder forensic analysis or obscure evidence.
- Techniques & Countermeasures:
- Timestamp Tampering: Alter file times to mislead timelines.
- Countermeasure: Cross-verify with secure SIEM logs or network device timestamps.
- Data Wiping: Secure-delete tools overwrite data to prevent recovery.
- Countermeasure: Analyze unallocated/slack space patterns and recover residual fragments.
Briefly explain each carving technique, when you’d choose one over the other, and a practical example.
- Signature-Based (Header/Footer) Carving:
- When: File system metadata missing or damaged.
- Example: Recover deleted JPEGs by scanning for `FFD8…FFD9` in raw image.
- File System–Aware Carving:
- When: Metadata structures intact.
- Example: Use MFT entries on NTFS to rebuild DOCX files with accurate offsets.
- Cluster-Based Carving:
- When: Files are contiguous and fragmentation is low.
- Example: Extract log files by reading whole clusters sequentially from a FAT volume.
Compare open-source vs commercial forensic suites on features, cost, and support.
| Aspect | Open-Source (Autopsy, Volatility) | Commercial (EnCase, FTK) |
|---|---|---|
| Features | Core analysis, extensible via plugins | Advanced workflows, integrated modules |
| Cost | Free | License fees ($1K–$5K+ per seat) |
| Support | Community forums, limited official docs | Vendor support, training, SLAs |
| Updates | Community-driven, variable frequency | Regular vendor updates and patches |
Question on AWS forensics.
Scenario: An organization’s AWS account shows unauthorized S3 access.
- Describe where and how you’d collect forensic artifacts (e.g., CloudTrail, EBS snapshots, VPC flow logs).
- Detail the process of preserving and analyzing those artifacts.
- Highlight two legal or procedural considerations unique to cloud forensics.
Answer: Artifact Collection:
- CloudTrail Logs: Export S3 API call history.
- S3 Access Logs: Enable bucket logging for object-level events.
- EBS Snapshots: Snapshot EC2 volumes for disk analysis.
- VPC Flow Logs: Capture network traffic metadata.
Preservation & Analysis:
- Copy logs to a WORM-protected bucket; snapshot volumes via AWS CLI.
- Verify hashes of logs and snapshots.
- Parse CloudTrail JSON with `jq` or load into SIEM; correlate user-IDs, IPs, timestamps.
- Analyze EBS mounts in a sandbox VM to inspect file changes.
Legal/Procedural Considerations:
- Jurisdiction: Data may span regions—ensure compliance with GDPR or local privacy laws.
- Provider SLAs: Request AWS legal hold to prevent log rotation and data deletion.
Question on mobile forensics.
Scenario: You receive a rooted Android device suspected of containing evidence.
- Outline each step from acquisition to reporting, naming tools you’d use (e.g., ADB, UFED).
- Explain how you’d handle app data, SMS/Call logs, and locked‐screen bypass.
- Discuss one major challenge and how to overcome it.
Answer:
- Acquisition:
- Document device details (IMEI, OS, root method).
- Enable Airplane Mode; disable network to prevent remote wipes.
- Use ADB & `dd` to image `/dev/block/mmcblk0`; or UFED for a logical + physical extraction.
- Verification:
- Compute MD5/SHA256 hashes of each partition image and original.
- Analysis:
- Mount images; extract app data from `/data/data/<package>`.
- Open SMS/Call logs (`mmssms.db`) with SQLite Browser.
- Bypass lock screen by replacing `locksettings.db` via ADB or using `adb shell content` commands.
- Reporting:
- Log tools, commands, timestamps and findings in the chain-of-custody record.
- Include screenshots, exported artifacts and hash lists in the final report.
Major Challenge:
- Full-Disk Encryption: Blocks access to user data at rest.
- Solution: Perform live memory capture (RAM dump) to extract decryption keys before powering down.
What is an email header? Name two fields you examine and explain what investigative insight each provides.
An email header is the metadata block at the top of a message that records its path and origin details.
- Received: Shows each mail‐server hop with IP address and timestamp—helps trace the sender’s true network location.
- Message-ID: Unique identifier assigned by the originating mail server—used to confirm authenticity and match related messages.
Define steganography, give one way it can hide data in images or audio, and mention one forensic challenge it poses.
Steganography is the practice of embedding secret data within innocuous files so the hidden content is not apparent.
- Example: Modifying the least-significant bits of pixels in a PNG image to hide a text message without visible changes.
- Forensic Challenge: Detection requires statistical analysis of large datasets and can generate high false-positive rates, making it hard to identify which files actually contain hidden payloads.
Explain the purpose of hashing in evidence handling, outline how you generate/verify a hash, and state why it’s critical.
Hashing produces a fixed-length “fingerprint” of data to prove integrity—and detect any alteration.
- Generate: Run a tool (e.g., `md5sum` or `sha256sum`) on the original file or disk image to record its hash.
- Verify: After transfer or imaging, run the same tool on the copy and compare hashes—identical values confirm no changes.
- Critical Because: Courts require proof that evidence wasn’t tampered with; matching hashes form that unbroken chain of trust.
Define both terms (swap file and prefetch file), give one example of each, and explain why you’d choose one over the other in practice.
- Swap File (pagefile.sys): Disk‐based extension of RAM where the OS offloads inactive memory pages.
- Example: `C:\pagefile.sys` on Windows holds fragments of running programs and decrypted data.
- Prefetch File (.pf): Windows metadata file recording when and how often applications launch to speed startup.
- Example: `C:\Windows\Prefetch\CHROME.EXE-ABCDE123.pf` logs Chrome launch times.
- When to Choose:
- Use the swap file if you need remnants of live memory (e.g., decryption keys after shutdown).
- Use prefetch files when reconstructing program execution timelines without analyzing full memory dumps.
List key browser artifacts (history, cache, cookies). Explain how you’d extract and interpret each artifact in an investigation. Give one real-world example of how browser data solved a case.
- History: SQLite database of visited URLs.
- Extraction: Copy the `History` file from the user profile and open with a SQLite viewer.
- Interpretation: Timeline of sites visited and durations.
- Cache: Stored page resources (HTML, images, scripts).
- Extraction: Export cache folder or use tools like ChromeCacheView.
- Interpretation: Reconstruct viewed pages and download artifacts.
- Cookies: Key–value pairs storing session tokens and preferences.
- Extraction: Copy `Cookies` SQLite file and inspect with browser dev tools or scripts.
- Interpretation: Identify logged-in services, active sessions and session expiry.
- Real-World Example: In a 2016 child-exploitation case, browser cache recovered thumbnail images of illicit material, providing timestamps that matched download logs and led to conviction.
Describe three common methods (dictionary attack, brute-force, rainbow-table). For each, outline the basic process, a tool you might use, and one drawback. Name one preventive control against each technique.
- Dictionary Attack
- Process: Hash each word from a wordlist (e.g., `rockyou.txt`) and compare to stolen hashes.
- Tool: Hashcat
- Drawback: Fails against passwords not in the list.
- Preventive Control: Enforce complex, random passphrases not found in dictionaries.
- Brute-Force Attack
- Process: Try every possible character combination up to a certain length.
- Tool: John the Ripper
- Drawback: Exponentially slow as password length increases.
- Preventive Control: Implement account lockout or rate-limiting after failed attempts.
- Rainbow-Table Attack
- Process: Use precomputed tables of hashes to reverse common passwords instantly.
- Tool: OphCrack
- Drawback: Large storage requirements; ineffective against salted hashes.
- Preventive Control: Salt all password hashes (unique per user) before storage.
Define:
- Steganography: The practice of hiding secret data within ordinary files (images, audio, video) so the presence of the hidden message is not obvious.
- Email header: The metadata section at the top of an email that records routing and origin details (e.g., “Received” hops, “From”/“To” fields, timestamps).
- Forensic artifact: Any digital trace or file leftover—logs, registry entries, deleted fragments—that can be used to reconstruct user or system activity.
- Swap file (pagefile): A disk-based file (e.g. pagefile.sys) where the operating system moves inactive RAM pages to free physical memory; may contain fragments of running processes.
- Prefetch file: A Windows cache file (.pf) that logs application launch parameters and timestamps to speed start-up; also used to infer program execution history.
- Packet capture (PCAP): A saved record of raw network packets captured on an interface, containing headers and payloads for each packet.
- DNS cache: A temporary store of recently resolved domain-to-IP mappings on a host, speeding up name lookups and revealing recent browsing targets.
- MAC address: A unique hardware identifier (48-bit) burned into a network interface controller, used for local network frame delivery.
- RAM dump: A bit-for-bit snapshot of volatile system memory, capturing running processes, open files and encryption keys before shutdown.
- Registry key: A node in the Windows Registry database that holds configuration data and settings for the OS, applications or user accounts.
- DD image: A raw bit-for-bit copy of storage media (created with the `dd` utility) capturing every sector, including unallocated space.
- Master Boot Record (MBR): The first 512 bytes of a disk containing the bootloader code and partition table for up to four primary partitions.
- Partition table: A data structure (in the MBR or GPT) listing each partition’s start/end sectors, type and size.
- FTK Imager: Forensic software that creates disk images (E01, AFF, raw), previews data and verifies integrity via hashes.
- Full-Disk Encryption (FDE): Encrypting an entire drive at rest, requiring a key at boot to decrypt and access any data.
- IoT Forensics: Techniques for collecting and analyzing data from Internet-of-Things devices (cameras, sensors, wearables) with diverse OS and storage.
- Social-Media Artifact: Extracted data from platforms (posts, messages, metadata) that serve as evidence of user activity.
- Volatility Plugin: A module for the Volatility memory-forensics framework (e.g., `pslist`, `netscan`) that extracts specific artifacts from RAM dumps.
- CloudTrail Log: AWS service log recording API calls (who, what, when, where) for cloud-based forensic reconstruction.
- Forensic Readiness Policy: Organizational directive ensuring systems, staff and processes are prepared to capture, preserve and analyze digital evidence on demand.
- Forensic Soundness: Following methods that guarantee digital evidence remains unchanged, verifiable and legally defensible from collection through analysis.
- Standard Operating Procedure (SOP): Written, step-by-step instructions enforcing consistent forensic processes, tool usage and documentation.
- Incident Response: A structured approach to detect, contain, eradicate and recover from security incidents while preserving evidence.
- Daubert Standard: U.S. legal rule requiring scientific evidence to be testable, peer-reviewed, have known error rates and be generally accepted.
- File Signature: A fixed byte pattern (magic number) at the start of a file that identifies its true format (e.g., `89 50 4E 47` for PNG).
- Extension Mismatch: When a file’s extension (e.g., `.jpg`) does not match its signature (e.g., `25 50 44 46` for PDF), indicating possible tampering or concealment.
- Hypervisor: Software layer (Type 1 or 2) that creates and manages virtual machines by abstracting physical hardware.
- Syslog: Standard protocol and file format for collecting system and application log messages on Unix/Linux devices.
- Web-Server Access Log: Sequential records of every HTTP request (client IP, timestamp, method, URL, status) made to a web server.
- Evidence Locker: Secure, access-controlled repository (physical or digital) where collected evidence is stored along with audit trails.
- Write-Once Read-Many (WORM): Storage technology that allows data to be written once and prevents any modification or deletion, ensuring evidence integrity.
- Data Breach: Unauthorized access to sensitive data, often leading to data theft or exposure of personal information.
- Data Exfiltration: Unauthorized transfer of data from a system or network, often by attackers to steal sensitive information.
- Data Loss Prevention (DLP): Security strategy and tools to prevent unauthorized data access, transfer or leakage.
- Digital Forensics: The process of collecting, preserving, analyzing, and presenting electronic evidence in a manner that is legally acceptable.
- Digital Evidence: Any data stored or transmitted in digital form that can be used in a legal investigation.
- Digital Footprint: The trail of data left by users on digital services, including social media, websites visited, and online transactions.
- Digital Signature: A cryptographic method to verify the authenticity and integrity of digital messages or documents.
- Digital Watermarking: A technique to embed information into digital content (images, audio) for copyright protection or tracking.
List and explain five essential fields found on a chain-of-custody form.
- Case Number: Links the evidence to a unique investigation ID.
- Item Number: Unique identifier for each evidence piece, preventing mix-ups.
- Description of Evidence: Brief summary (device type, serial/filename) so anyone can recognize the item.
- Date/Time & Location Collected: Records when and where the evidence was seized to establish context and prevent disputes.
- Transfer Log (Name, Signature, Date/Time): Chronological record of every person who handled the evidence, proving no unauthorized access or tampering.
Briefly outline the key stages of eDiscovery in a digital investigation and name one tool commonly used at each stage.
- Identification: Locate relevant ESI sources (email, file shares).
- Tool: Microsoft Purview eDiscovery
- Preservation: Apply legal holds to prevent data alteration.
- Tool: Microsoft Purview Hold
- Collection: Acquire targeted data with forensically sound methods.
- Tool: FTK Imager
- Processing: Index, de-duplicate and convert files for review.
- Tool: Nuix Workstation
- Review: Tag and analyze documents for relevance.
- Tool: Relativity
- Production: Export responsive documents in required formats.
- Tool: Relativity
Compare hardware write-blockers with software-based blockers in terms of reliability, cost, and use cases.
- Reliability:
- Hardware: Blocks writes at the device interface—OS-agnostic, failsafe.
- Software: Relies on host OS drivers—vulnerable to OS bugs or bypass.
- Cost:
- Hardware: $300–$1,500 per unit.
- Software: Often free or included in forensic suites.
- Use Cases:
- Hardware: On-site imaging of physical drives, USB, SATA, IDE.
- Software: Remote logical acquisitions or when hardware blockers are unavailable.
Define “forensic readiness” and describe three organizational measures that support it.
- Definition: Proactive state in which an organization can efficiently collect, preserve and analyze digital evidence with minimal disruption.
- Measures:
- Log Retention Policy: Mandate centralized collection and retention of system, network and application logs for a defined period.
- Incident Response Playbook: Documented procedures assigning roles, tools and steps for rapid forensic data capture.
- Write-Once Storage: Deploy WORM-capable servers or immutable cloud buckets to preserve evidence integrity.
Question on social media forensics.
Scenario: Investigators need to collect and analyze evidence from a user’s social-media accounts. Describe the process of acquiring posts, messages, and metadata from platforms like Facebook or Twitter. Highlight two legal or privacy considerations when gathering this data. Explain how you’d validate authenticity and present your findings in court.
Answer:
- Process:
- Obtain legal authorization (warrant or user consent).
- Use platform APIs or specialized tools (e.g., X1 Social Discovery, Magnet AXIOM) to export posts, messages and metadata (timestamps, geolocation, IP).
- Record export method, hash each dataset and store in a forensically sound repository.
- Legal/Privacy Considerations:
- Platform Terms of Service and user privacy settings may limit data access.
- Cross-border data privacy laws (GDPR, local statutes) require proper jurisdictional warrants.
- Authenticity & Presentation:
- Validate by comparing API-provided metadata against screenshots and system logs; include hash values.
- Present as chronological transcripts with original metadata fields, annotated in the final report.
Question on memory forensics.
Scenario: A suspect’s computer RAM has been acquired as a dump file.
- Outline the steps you’d follow using Volatility (or similar) to analyze that dump.
- Identify at least four types of artifacts you’d extract (e.g., running processes, network connections), and explain their investigative value.
- Discuss one major challenge in memory forensics and how you’d mitigate it.
Answer:
- Volatility Analysis Steps:
- Run `volatility imageinfo` to identify the correct OS profile.
- Load image: `volatility -f memory.dmp --profile=<profile> pslist` for running processes.
- `netscan` or `connscan` to list network connections.
- `dlllist` to view loaded modules for suspicious DLLs.
- `cmdscan`/`consoles` to recover command-line history.
- Artifacts Extracted & Value:
- Process List: Reveals running or hidden malware processes.
- Network Connections: Identifies active C2 channels or data exfiltration.
- Loaded DLLs: Flags injected or malicious libraries.
- CLI History: Shows attacker’s commands and tools used.
- Major Challenge & Mitigation:
- Challenge: Selecting the correct OS profile and symbols; wrong profile breaks plugins.
- Mitigation: Always run `imageinfo`, verify profile suggestions, and maintain an updated symbol repository or use Rekall as fallback.