Practice Exam: Criminalistics - Digital Forensics & Cyber Evidence (Set 59)

A 30-question practice exam covering digital evidence, computer forensics, and mobile device examination.

1. In digital forensics, what is the primary purpose of a write blocker?

A. To encrypt the suspect's data for security.
B. To prevent any writes to the storage device being analyzed.
C. To speed up the data acquisition process.
D. To create a backup copy of the evidence.

2. Which of the following best describes the first step in the digital evidence handling process?

A. Analysis
B. Identification and Seizure
C. Preservation
D. Presentation

3. What is meant by the term "chain of custody" in the context of digital evidence?

A. The encryption key used to secure the evidence.
B. The physical cable connecting the evidence to the forensic workstation.
C. A chronological documentation of the handling, transfer, and location of the evidence.
D. The software used to analyze the digital files.

4. What is the process of creating a bit-for-bit copy of a digital storage device called?

A. Backing up
B. Archiving
C. Imaging
D. Cloning

5. Why is it important to document the entire digital forensic process?

A. To create a training manual for new investigators.
B. To bill the client for the hours worked.
C. To ensure the findings are repeatable, verifiable, and admissible in court.
D. To help with the development of new forensic tools.

6. Which term refers to data about data, such as the creation date of a file or the author of a document?

A. Metadata
B. Geodata
C. Paradata
D. Tempdata

7. During evidence acquisition, what is the significance of using a sterile, forensically wiped hard drive to store the forensic image?

A. It makes the imaging process faster.
B. It prevents cross-contamination of data from previous cases.
C. It automatically encrypts the forensic image.
D. It is required by all forensic software.

8. What is the main principle behind the preservation of digital evidence?

A. To make the evidence easily accessible to anyone.
B. To delete irrelevant data from the suspect device.
C. To protect the evidence from any alteration, damage, or contamination.
D. To quickly present the evidence in court.

9. Which of the following is an example of volatile data on a computer system?

A. Files stored on the hard disk drive.
B. Data stored in Random Access Memory (RAM).
C. A saved Microsoft Word document.
D. An operating system's log file.

10. In digital forensics, what does "acquisition" refer to?

A. The process of analyzing the collected data.
B. The process of collecting digital evidence from electronic devices.
C. The process of presenting the findings in a report.
D. The process of interviewing the suspect.

11. What is the primary function of a hash value (e.g., MD5, SHA-256) in computer forensics?

A. To encrypt the contents of a file.
B. To compress large files for storage.
C. To verify the integrity and authenticity of digital evidence.
D. To view the contents of a deleted file.

12. What is "file slack" or "slack space"?

A. Temporary files created by the operating system.
B. The unused space in a disk cluster between the end of a file and the end of the cluster.
C. A type of data compression algorithm.
D. A hidden partition on a hard drive.

13. An investigator is trying to find a file that a suspect deleted. Which area of the hard drive is the most likely place to find remnants of this file?

A. The master boot record.
B. The active file system.
C. Unallocated space.
D. The file allocation table.

14. What type of information can be found in the EXIF data of a digital photograph?

A. The social media account where the photo was posted.
B. The date, time, and camera model used to take the photo.
C. A log of who has viewed the photo.
D. The password to the computer where the photo was stored.

15. An investigator finds a file with a ".dll" extension on a Windows computer. What is the typical purpose of this file type?

A. It is a user-created document.
B. It is a temporary internet file.
C. It is a shared library of code used by other programs.
D. It is a system log file.

16. What is the purpose of analyzing the Windows Registry in a forensic investigation?

A. To recover deleted emails.
B. To track the physical location of the computer.
C. To find information about user activity, connected devices, and installed software.
D. To decrypt encrypted files on the hard drive.

17. Which forensic artifact on a Windows system stores information about recently opened files and applications, often displayed in the Start Menu or taskbar?

A. The Prefetch files.
B. The Pagefile.sys file.
C. The Jump Lists.
D. The Master File Table (MFT).

18. If two files have the exact same SHA-256 hash value, what can be concluded?

A. The files have the same filename.
B. The files were created by the same user.
C. The files are identical in content, bit for bit.
D. The files are of the same type (e.g., both are JPEGs).

19. What is an IMEI number used for in mobile device forensics?

A. To identify the subscriber's account.
B. To uniquely identify the physical mobile device.
C. To identify the Wi-Fi network the phone is connected to.
D. To unlock the user's SIM card.

20. In mobile forensics, what is a "logical acquisition"?

A. Creating a bit-for-bit image of the phone's internal memory.
B. Extracting accessible data from the phone's file system using the manufacturer's API.
C. Placing the phone in a Faraday bag to block signals.
D. Analyzing the phone's RAM content.

21. What crucial piece of information is stored on a SIM card?

A. The phone's GPS location history.
B. The user's social media passwords.
C. The International Mobile Subscriber Identity (IMSI).
D. The phone's hardware serial number (IMEI).

22. An investigator needs to examine GPS data from a suspect's smartphone. Where is this data most likely to be found?

A. Stored on the SIM card.
B. In EXIF data of photos, location-based service app data, and system logs.
C. In the phone's call log records.
D. Encrypted within the phone's IMEI number.

23. What is the purpose of placing a seized mobile phone into a Faraday bag?

A. To charge the phone's battery.
B. To protect the phone from physical damage.
C. To connect the phone to a forensic workstation.
D. To block all incoming and outgoing wireless signals.

24. While examining a smartphone, an investigator finds data related to Facebook, Twitter, and Instagram. This would be classified as what type of evidence?

A. Call detail records.
B. Social media evidence.
C. SIM card data.
D. System log files.

25. An investigator is examining network traffic and sees the IP address 192.168.1.10. What is significant about this type of address?

A. It is a public IP address assigned by an ISP.
B. It is a private, non-routable IP address used for a local network.
C. It is the IP address of a web server on the internet.
D. It is a MAC address, not an IP address.

26. What information is typically found in an email header?

A. The full text of the email message.
B. The sender's password.
C. The path the email took across various servers to reach its destination.
D. A list of all attachments included in the email.

27. A system administrator is reviewing firewall logs after a security breach. What is the primary purpose of these logs?

A. To show which files were downloaded by users.
B. To record all keystrokes typed by users on the network.
C. To show which network connections were allowed or denied into and out of the network.
D. To store backups of all web pages visited by users.

28. What is a major challenge for forensic investigators when dealing with evidence stored in the cloud?

A. Cloud data is always encrypted and cannot be accessed.
B. The data is stored on servers in multiple, often unknown, geographic locations, creating legal and jurisdictional issues.
C. Cloud storage is not compatible with forensic imaging tools.
D. It is impossible to establish a chain of custody for cloud data.

29. In network forensics, what does a DNS log reveal?

A. The content of web pages a user visited.
B. The translation of domain names (e.g., www.google.com) to IP addresses.
C. All the passwords a user has entered into websites.
D. The physical location of a remote server.

30. An investigator seizes a laptop that was used to access a Dropbox account. What is the best way to acquire the data from the Dropbox account?

A. Image the laptop's hard drive, as all Dropbox data is stored there.
B. The data cannot be acquired once the laptop is offline.
C. Serve a legal warrant to Dropbox Inc. to obtain the account's data.
D. Analyze the computer's RAM to find the Dropbox password.