Question 1

What is a primary purpose of Windows Event Logs in forensic investigations?

Accepted Answer

To provide timestamps of system events

Answer

To manage system updates

Answer

To maintain backup copies of files

Answer

To store user password hashes

Question 2

Which Windows feature allows forensic investigators to access previous versions of files?

Accepted Answer

Previous Versions

Answer

Disk Cleanup

Answer

System Restore

Answer

File History

Question 3

What file system artifact is essential for analyzing recently accessed files in Windows?

Accepted Answer

User Assist registry key

Answer

Prefetch folder

Answer

Recycle Bin

Answer

Pagefile

Question 4

Which tool is commonly used for analyzing memory dumps in Windows forensics?

Accepted Answer

Volatility

Answer

EnCase

Answer

Wireshark

Answer

FTK Imager

Question 5

What is the significance of the Windows Pagefile in forensic investigations?

Accepted Answer

It can contain remnants of deleted data

Answer

It manages device drivers

Answer

It stores user preferences

Answer

It holds installation files

Question 6

Which of the following artifacts can be analyzed to determine the last shutdown time of a Windows system?

Accepted Answer

System event log

Answer

Windows registry

Answer

Prefetch files

Answer

Recovery partition

Question 7

What is the primary function of the Windows Prefetch feature?

Accepted Answer

To speed up application launch times

Answer

To backup system files

Answer

To clean temporary files

Answer

To monitor user activity

Question 8

Which of the following tools is specifically designed for analyzing NTFS file systems in a forensic context?

Accepted Answer

FTK Imager

Answer

Resource Hacker

Answer

Windows Event Viewer

Answer

Process Explorer

Question 9

In Windows forensics, what does the term 'Artifacts' refer to?

Accepted Answer

Residual data left by user activity

Answer

Support files for applications

Answer

Physical hardware components

Answer

Backup disk images

Question 10

What role does the Windows Registry play in digital forensics?

Accepted Answer

Stores configuration settings and user preferences

Answer

Creates system backups

Answer

Manages application installations

Answer

Maintains a file index

Question 11

Which Windows artifact provides information about user folder navigation and opened directories?

Accepted Answer

Shellbags

Answer

$MFT

Answer

$UsnJrnl

Answer

Prefetch

Question 12

What registry key provides evidence of USB devices connected to a Windows system?

Accepted Answer

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR

Answer

HKEY_LOCAL_MACHINE\SYSTEM\MountedDevices

Answer

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Answer

HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\Shell

Question 13

Which event ID should be reviewed to confirm the creation of a new user account in the Security log?

Accepted Answer

4720

Answer

4624

Answer

4670

Answer

1102

Question 14

Which command would you use to list all available Volume Shadow Copies on a suspect system?

Accepted Answer

vssadmin list shadows

Answer

wmic volume get shadowcopyid

Answer

sc query vss

Answer

net share

Question 15

What is the primary purpose of the Amcache.hve file in forensic analysis?

Accepted Answer

To track application execution data, including file metadata and execution counts

Answer

To log user logins

Answer

To record system errors

Answer

To store browser history

Question 16

Which forensic artifact can help confirm the execution of a malicious executable configured as a scheduled task?

Accepted Answer

C:\Windows\Tasks\ and Event Log ID 106

Answer

Registry RunOnce key

Answer

$Recycle.Bin

Answer

Prefetch entries

Question 17

Which artifact is most useful to decode and view the original PowerShell commands after finding evidence of a Base64-encoded script execution?

Accepted Answer

PowerShell Operational Log

Answer

Amcache.hve

Answer

ConsoleHost_history.txt

Answer

SRUM Database

Question 18

Which source provides the most reliable evidence of file access timestamps for files copied to an external drive?

Accepted Answer

$MFT (attribute 0x30)

Answer

$LogFile

Answer

Event Logs

Answer

Prefetch

Question 19

Which of the following event IDs relates specifically to successfully logging in to a Windows system?

Accepted Answer

4624

Answer

1102

Answer

4670

Answer

4720

Question 20

What is the purpose of the $UsnJrnl in Windows forensics?

Accepted Answer

To track file system changes and provide a history of actions on files

Answer

To manage user permissions

Answer

To log user logins

Answer

To store deleted files

Question 21

What is the primary purpose of the Master File Table (MFT) in NTFS?

Accepted Answer

To store metadata about every file and directory on the volume

Answer

To manage file permissions

Answer

To provide user access to the file system

Answer

To handle file system journaling

Question 22

What is the function of the Change Journal ($UsnJrnl) in NTFS?

Accepted Answer

To record changes to files and directories for tracking purposes

Answer

To provide a backup of deleted files

Answer

To store file metadata

Answer

To compress file data

Question 23

What is a key characteristic of Alternate Data Streams (ADS) in NTFS?

Accepted Answer

They allow additional data to be stored with a file without affecting its primary data

Answer

They increase the size of the primary file

Answer

They encrypt file data for security

Answer

They are used to store deleted files

Question 24

What is the role of Volume Shadow Copies in NTFS?

Accepted Answer

To create backup copies of files at different points in time

Answer

To optimize file allocation

Answer

To encrypt files for security

Answer

To monitor file access events

Question 25

In NTFS, what information does the $LogFile contain?

Accepted Answer

Records of transactions for the file system operations

Answer

User access permissions

Answer

Deleted file recovery metadata

Answer

File content data blocks

Question 26

What is slack space in the context of file system forensics?

Accepted Answer

The unused space in a filesystem cluster that can contain remnants of previously deleted files

Answer

The space needed for file fragmentation

Answer

The area used to store alternate streams

Answer

The space allocated for file permissions

Question 27

What does the process of file carving entail in digital forensics?

Accepted Answer

Recovering files from unallocated space based on their file signatures

Answer

Encrypting files for security

Answer

Restoring Snapshot copies

Answer

Identifying compressed files

Question 28

What is the significance of the Master File Table (MFT) record's headers in NTFS?

Accepted Answer

They provide vital information about the file, such as its location, size, and attributes

Answer

They store file data directly

Answer

They include user permissions and access rights

Answer

They record shadow copies of the file

Question 29

Which component of NTFS is primarily used to recover from unexpected shutdowns or crashes?

Accepted Answer

$LogFile

Answer

$MFT

Answer

$UsnJrnl

Answer

the $LogFile records changes to the file system, enabling recovery of incomplete transactions during sudden failures.

Answer

$Volume

Answer

explained

Question 30

What is the primary purpose of the $UsnJrnl in NTFS?

Accepted Answer

To track changes made to files and directories on the volume

Answer

To encrypt file data for security

Answer

To store backup copies of files

Answer

To manage file permissions and access controls

Question 31

Which of the following browser artifacts is not typically associated with user privacy data in forensic investigations?

Accepted Answer

IndexedDB usage analysis

Answer

Cookies

Answer

Saved passwords

Answer

Browser cache history

Question 32

What type of data is tracked by the ADS (Alternate Data Streams) in Windows during file downloads?

Accepted Answer

Zone.Identifier

Answer

Cookie expiration

Answer

User-Agent string

Answer

Cache duration

Question 33

Which browser feature allows for the automatic filling of user details in online forms?

Accepted Answer

Autofill data

Answer

Download history

Answer

DNS cache

Answer

IndexedDB

Question 34

In forensic analysis, which type of storage artifact is primarily used to persist data on the client side for web applications?

Accepted Answer

LocalStorage

Answer

Browser cache

Answer

DNS cache

Answer

Cookies

Question 35

Which of the following is an example of a cloud service that may leave usage traces in forensic investigations?

Accepted Answer

Google Drive

Answer

Notepad

Answer

Paint

Answer

Calculator

Question 36

What information can be extracted from the DNS cache during forensic investigations?

Accepted Answer

Recent domain name lookups

Answer

User login credentials

Answer

Installed software versions

Answer

File transfer history

Question 37

Which of the following artifacts can help correlate browsing sessions with potential data exfiltration?

Accepted Answer

Download history

Answer

Bookmark folders

Answer

Extension settings

Answer

Browser themes

Question 38

What browser data is stored in cookies and often used for session management?

Accepted Answer

Session identifiers

Answer

Download locations

Answer

Browser history

Answer

User bookmarks

Question 39

Which browser's feature records the history of web pages visited and can be crucial for forensic investigations?

Accepted Answer

Browser history

Answer

Extension settings

Answer

LocalStorage data

Answer

Autofill data

Question 40

Which of the following is a method for web browsers to store data temporarily to speed up page loading?

Accepted Answer

Cache

Answer

IndexedDB

Answer

Autofill data

Answer

LocalStorage

Question 41

What tool can be used for analyzing live memory snapshots to detect injected code?

Accepted Answer

Volatility

Answer

Wireshark

Answer

Ettercap

Answer

Nmap

Question 42

Which memory artifact is specifically associated with malicious activity in PowerShell?

Accepted Answer

PowerShell Empire process

Answer

cmd.exe process

Answer

explorer.exe process

Answer

notepad.exe process

Question 43

In the context of memory forensics, which method is typically used to extract credentials from RAM?

Accepted Answer

MsecExtract

Answer

TCPView

Answer

Process Explorer

Answer

WinDbg

Question 44

What artifact is crucial for correlating evidence between RAM and disk during forensic analysis?

Accepted Answer

Event logs

Answer

Temporary files

Answer

Installed programs

Answer

Recycle Bin contents

Question 45

Which command is often used in Volatility to list active processes in a memory dump?

Accepted Answer

pslist

Answer

dlllist

Answer

pstree

Answer

consoles

Question 46

Which memory analysis tool is known for its real-time monitoring capabilities, especially for network connections?

Accepted Answer

Rekall

Answer

FTK Imager

Answer

Caine

Answer

Autopsy

Question 47

What type of network-related artifact can be identified in memory analysis?

Accepted Answer

Active sockets

Answer

System logs

Answer

Browser cache

Answer

Installed software

Question 48

Which technique is most effective for identifying malware injection in processes during memory analysis?

Accepted Answer

Code injection detection

Answer

Directory scanning

Answer

File extension analysis

Answer

User account verification

Question 49

What type of evidence can be extracted from memory to analyze user sessions on Remote Desktop Protocol (RDP)?

Accepted Answer

RDP session artifacts

Answer

Network configuration

Answer

Disk partitions

Answer

User profile data

Question 50

What is the primary purpose of capturing live memory in a forensic investigation?

Accepted Answer

To preserve volatile data

Answer

To clean the system of malware

Answer

To create a system image

Answer

To analyze hard drive sectors

Question 51

What is the primary purpose of ransomware?

Accepted Answer

To extort money from victims

Answer

To encrypt data for backup

Answer

To delete files permanently

Answer

To improve system performance

Question 52

Which method is commonly used in malware forensics for identifying malware signatures?

Accepted Answer

Static analysis

Answer

User behavior analysis

Answer

Dynamic analysis

Answer

Network traffic analysis

Question 53

What is the main goal of malware forensics?

Accepted Answer

To understand the behavior and impact of malware

Answer

To remove all software from the system

Answer

To increase system speed

Answer

To create new malware

Question 54

Which of the following is a common indicator of a ransomware infection?

Accepted Answer

Files with unusual extensions or names

Answer

Access to all files without issues

Answer

Increased internet speed

Answer

More available disk space

Question 55

In the context of ransomware, what does the term 'payload' refer to?

Accepted Answer

The malicious code delivered to the target system

Answer

The backup files stored by the affected user

Answer

The user interface of the ransom note

Answer

The method of distribution for the ransomware

Related quizzes

Related quizzes