Access Data Applied Decryption Exam, Exams of Technology

This certification focuses on practical decryption techniques used in forensic investigations. Topics include password recovery, encryption fundamentals, cryptographic analysis, and lawful decryption methodologies. Candidates demonstrate the ability to access protected data while maintaining forensic integrity.

Typology: Exams

2025/2026

Available from 01/23/2026

shilpi-jain-2

Access Data Applied Decryption Exam
**Question 1.** Which file header most reliably identifies a VeraCrypt volume?
A) 0x4D5A
B) “VeraCrypt” ASCII string
C) “TRUE” ASCII string
D) “BITLOCKER” ASCII string
**Answer:** B
**Explanation:** VeraCrypt writes the ASCII string “VeraCrypt” at the beginning of its volume
header, enabling easy identification.
**Question 2.** A forensic analyst observes high entropy (≈7.9 bits/byte) across a file. Which
conclusion is most appropriate?
A) The file is definitely compressed.
B) The file is likely encrypted or compressed.
C) The file contains plain text.
D) The file is corrupted.
**Answer:** B
**Explanation:** High entropy suggests randomness typical of both encryption and
compression; additional analysis is needed to differentiate.
**Question 3.** Which of the following is a characteristic of symmetric encryption?
A) Separate public and private keys.
B) Same key used for encryption and decryption.
C) Keys are derived from passwords only.
D) It cannot be used for bulk data.
**Answer:** B
**Explanation:** Symmetric algorithms (e.g., AES) use a single shared secret key for both
operations.

**Question 4.** In forensic contexts, why is SHA‑256 preferred over MD5 for integrity verification?
A) SHA‑256 is faster.
B) MD5 cannot hash files larger than 2 GB.
C) SHA‑256 provides a larger hash space, reducing collision risk.
D) MD5 is not supported by Windows.
**Answer:** C
**Explanation:** SHA‑256’s 256‑bit output makes collisions astronomically unlikely compared to MD5’s 128‑bit output.
**Question 5.** What is the primary purpose of salting a password before hashing?
A) To increase the hash size.
B) To make each hash unique even for identical passwords.
C) To speed up brute‑force attacks.
D) To encrypt the password.
**Answer:** B
**Explanation:** A random salt prevents attackers from using pre‑computed tables (rainbow tables) against multiple instances of the same password.
**Question 6.** Which key‑stretching algorithm is specifically designed to be memory‑hard, thwarting GPU attacks?
A) PBKDF
B) SHA‑1
C) Scrypt
D) MD
**Answer:** C

D) ZIP archive (.zip)
**Answer:** C
**Explanation:** PRTK handles document and archive formats; BitLocker volumes require DNA or specialized tools.
**Question 10.** In PRTK, the Biographical Dictionary generates candidate passwords based on which data source?
A) System registry keys
B) User‑provided personal information (names, dates, pets)
C) Random character strings
D) Pre‑computed hash tables
**Answer:** B
**Explanation:** The Biographical Dictionary leverages known personal details to craft realistic password guesses.
**Question 11.** Which permutation rule would transform “password” into “P@55w0rd”?
A) Uppercase only
B) Leet speak substitution
C) Reverse string
D) Append numeric suffix
**Answer:** B
**Explanation:** Leet speak replaces letters with similar‑looking symbols/numbers (e.g., a→@, s→5, o→0).
**Question 12.** What is the main computational drawback of applying multiple complex rules (uppercase, leet, prefix, suffix) to a dictionary in PRTK?
A) It reduces the key space.
B) It increases the number of generated candidates exponentially.
C) It disables multithreading.
D) It causes hash collisions.
**Answer:** B
**Explanation:** Each rule multiplies the candidate count, leading to exponential growth and longer processing times.
**Question 13.** Which component of AccessData DNA is responsible for allocating work units to client machines?
A) DNA Worker
B) DNA Manager
C) DNA Scheduler
D) DNA Dispatcher
**Answer:** B
**Explanation:** The DNA Manager coordinates tasks and assigns them to connected Workers.
**Question 14.** In a DNA deployment, what is the effect of setting a higher “Task Priority” for a specific volume?
A) It reduces the encryption strength.
B) It allocates more CPU cores on each worker to that task.
C) It ensures the task is processed before lower‑priority jobs.
D) It disables network traffic throttling.
**Answer:** C
**Explanation:** Higher priority tasks are scheduled ahead of others, receiving resources first.
**Question 15.** Which file type benefits most from DNA’s distributed key‑space attacks rather than PRTK’s single‑machine approach?

**Question 18.** In FTK, which filter isolates files that exhibit encryption characteristics?
A) “Compressed Files” filter
B) “Encrypted Files” filter in the Overview tab
C) “Executable Files” filter
D) “Deleted Files” filter
**Answer:** B
**Explanation:** FTK’s “Encrypted Files” filter lists items with high entropy or known encryption signatures.
**Question 19.** To export selected encrypted files from FTK to PRTK, which action is required?
A) Right‑click → Export → Export to PRTK
B) Use the “Send to PRTK” button in the FTK toolbar
C) Drag and drop files onto the PRTK window
D) Choose “File → Export → External Tool” and select PRTK as the target
**Answer:** D
**Explanation:** FTK allows configuring external tools; selecting PRTK as the export target sends the files for analysis.
**Question 20.** Which registry hive typically contains the EFS recovery certificate needed to decrypt EFS‑protected files?
A) SYSTEM
B) SAM
C) NTUSER.DAT
D) SOFTWARE
**Answer:** C
**Explanation:** NTUSER.DAT stores per‑user EFS certificates and private keys.

**Question 21.** When extracting EFS keys from a Windows system, which file must be paired with the user’s password hash to reconstruct the private key?
A) SYSTEM hive
B) SECURITY hive
C) NTUSER.DAT
D) SAM hive
**Answer:** D
**Explanation:** The SAM hive holds the user’s password hash; combining it with the encrypted private key in NTUSER.DAT enables decryption of the EFS key.
**Question 22.** In a forensic report, how should recovered passwords be presented to maintain evidentiary integrity?
A) List them in plain text without context.
B) Include the password, source file, and method of recovery.
C) Only mention that passwords were recovered.
D) Encrypt the passwords before inclusion.
**Answer:** B
**Explanation:** Documenting the password, its origin, and the recovery technique ensures transparency and admissibility.
**Question 23.** Which attack leverages knowledge of a fragment of the original plaintext to reduce the key‑space?
A) Brute‑force attack
B) Dictionary attack
C) Known‑plaintext attack
D) Side‑channel attack

C) The device’s lock screen PIN/password
D) The phone’s serial number
**Answer:** C
**Explanation:** Android FDE derives the encryption key from the lock screen credential; without it, the data remains inaccessible.
**Question 27.** Which cloud storage service provides a “Vault” feature that encrypts files client‑side before upload?
A) OneDrive
B) Dropbox
C) Google Drive
D) iCloud Drive
**Answer:** B
**Explanation:** Dropbox Vault encrypts files locally before they are transferred to the cloud.
**Question 28.** In a forensic examination of a OneDrive account, which artifact is most likely to reveal the encryption key for a client‑side encrypted file?
A) The file’s metadata in the cloud
B) The user’s local sync folder containing the unencrypted key file
C) The SharePoint log files
D) The Azure AD token
**Answer:** B
**Explanation:** Client‑side encryption requires the key to be stored locally; the sync folder often contains the key or its wrapper.
**Question 29.** Which of the following best describes a “key‑space” in brute‑force terminology?
A) The set of possible passwords of a given length and character set
B) The encryption algorithm used
C) The memory allocated for hashing
D) The network bandwidth for distributed attacks
**Answer:** A
**Explanation:** Key‑space defines all possible combinations that must be tried during a brute‑force attempt.
**Question 30.** When using DNA to perform a distributed attack on a 128‑bit AES key, which factor most dramatically reduces the time to success?
A) Reducing the key‑space by applying known‑plaintext constraints
B) Increasing the number of workers from 10 to 20
C) Switching from AES‑128 to AES‑256
D) Using a slower hash algorithm
**Answer:** A
**Explanation:** Shrinking the key‑space (e.g., via known‑plaintext) decreases the total candidates, yielding greater time savings than merely adding workers.
**Question 31.** Which PRTK feature allows the analyst to pause and resume a long‑running attack without losing progress?
A) Auto‑save profiles
B) Checkpointing
C) Real‑time logging
D) Thread pooling
**Answer:** B
**Explanation:** Checkpointing records the current state, enabling later continuation.

**Question 35.** Which of the following best explains why salted hashes defeat rainbow tables?
A) Salts increase the hash length.
B) Salts cause each password to hash to a unique value, requiring a separate table per salt.
C) Salts are encrypted before hashing.
D) Salts are only used with asymmetric encryption.
**Answer:** B
**Explanation:** A unique salt per password means pre‑computed tables cannot be reused across different salted hashes.
**Question 36.** In DNA, what is the purpose of the “Worker Heartbeat” signal?
A) To synchronize encryption keys between workers
B) To report the worker’s status and resource usage to the Manager
C) To trigger password recovery on the manager side
D) To encrypt the communication channel
**Answer:** B
**Explanation:** Heartbeat messages let the Manager monitor worker health and performance.
**Question 37.** Which FTK feature can automatically flag files that match known encrypted container signatures?
A) File Signature Analysis
B) Keyword Search
C) Timeline View
D) Email Extraction
**Answer:** A
**Explanation:** FTK’s File Signature Analysis compares file headers against a database, identifying encrypted containers.
**Question 38.** When extracting a BitLocker recovery key from a Windows system, which registry key holds the “Numerical Password” value?
A) HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\BitLocker
B) HKEY_LOCAL_MACHINE\SECURITY\Policy\Secrets\BitLockerRecoveryPassword
C) HKEY_USERS.DEFAULT\Control Panel\BitLocker
D) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\BitLocker
**Answer:** B
**Explanation:** The Recovery Password is stored under the Secrets subkey in the SECURITY hive.
**Question 39.** Which of the following is a limitation of using a dictionary attack without rule permutations?
A) It can only test passwords up to 6 characters.
B) It fails to try variations such as “Password1!” or “P@ssw0rd”.
C) It requires a GPU to function.
D) It automatically hashes every candidate with SHA‑512.
**Answer:** B
**Explanation:** Without rules, the attack only tests dictionary words exactly as they appear, missing common modifications.
**Question 40.** In a forensic scenario, a suspect’s laptop contains a file encrypted with a 256‑bit AES key derived from a passphrase. Which approach offers the greatest chance of recovery?
A) Brute‑forcing the entire 256‑bit key space.

**Question 43.** Which of the following is NOT a typical sign that a file is encrypted rather than merely compressed?
A) High entropy close to 8 bits/byte
B) Presence of a known compression signature (e.g., “PK” for ZIP)
C) Lack of recognizable file headers
D) Uniform distribution of byte values
**Answer:** B
**Explanation:** Compression formats have identifiable signatures; their presence indicates compression, not encryption.
**Question 44.** When analyzing a Windows system, which file commonly contains cached domain credentials that may aid decryption of network‑encrypted files?
A) SAM
B) SYSTEM
C) NTDS.dit
D) NTUSER.DAT
**Answer:** D
**Explanation:** NTUSER.DAT can store cached credentials and password hints used by network encryption schemes.
**Question 45.** Which of the following best explains why a forensic analyst might prefer a “distributed” attack over a “single‑machine” attack for a large encrypted volume?
A) Distributed attacks guarantee success.
B) They can leverage multiple CPUs/GPUs to explore the key‑space in parallel, reducing total wall‑clock time.
C) Single‑machine attacks are illegal.
D) Distributed attacks use less memory per node.
**Answer:** B
**Explanation:** Parallel processing across many machines accelerates exhaustive key‑space exploration.
**Question 46.** In DNA, what is the effect of enabling “Load Balancing” for worker assignments?
A) Workers receive equal numbers of hashes regardless of performance.
B) Faster workers are given proportionally more work, optimizing overall throughput.
C) Workers are assigned tasks based on geographic location.
D) It limits each worker to a fixed CPU usage percentage.
**Answer:** B
**Explanation:** Load balancing dynamically allocates more work to higher‑performance workers.
**Question 47.** Which of the following is a true statement about the “Known‑Plaintext Attack” against a ZIP archive with a password?
A) It can recover the password without any knowledge of the file contents.
B) Knowing any unencrypted file inside the ZIP can dramatically reduce the key‑space.
C) ZIP passwords are stored in clear text, making the attack trivial.
D) ZIP uses asymmetric encryption, so known‑plaintext attacks are ineffective.
**Answer:** B
**Explanation:** If part of the original data is known, the attacker can test candidate passwords against that segment, pruning incorrect guesses quickly.
**Question 48.** Which hashing algorithm is considered collision‑resistant enough for forensic integrity verification in 2024?
A) MD
B) SHA‑1
C) SHA‑256

B) Dictionary attack using common birthday formats (MMDDYYYY).
C) Rainbow table lookup for SHA‑1.
D) Known‑plaintext attack using a photo file.
**Answer:** B
**Explanation:** Targeted dictionaries that generate date strings match the likely password pattern, reducing attempts dramatically.
**Question 52.** Which component of AccessData DNA must be installed on each client machine that will perform hashing?
A) DNA Manager
B) DNA Worker
C) DNA Scheduler
D) DNA Console
**Answer:** B
**Explanation:** The Worker runs on client machines to perform the actual hash computations.
**Question 53.** Which of the following is a primary reason to prefer PBKDF2 over a single SHA‑256 hash for password‑derived keys?
A) PBKDF2 produces longer keys.
B) PBKDF2 incorporates a configurable iteration count, slowing attacks.
C) PBKDF2 is immune to rainbow tables.
D) PBKDF2 uses asymmetric encryption.
**Answer:** B
**Explanation:** The iteration count forces multiple hash rounds, making each guess computationally expensive.

**Question 54.** In FTK, which view allows the analyst to see the exact byte‑level entropy graph of a file?
A) Overview tab
B) Hex view
C) File Details pane
D) Entropy graph in the File Viewer
**Answer:** D
**Explanation:** The File Viewer includes an entropy graph that plots byte‑level randomness.
**Question 55.** Which of the following is a common pitfall when using the Biographical Dictionary without proper data sanitization?
A) Generating passwords that are too short.
B) Including personally identifiable information (PII) that may violate privacy policies.
C) Overloading the GPU.
D) Ignoring case sensitivity.
**Answer:** B
**Explanation:** Using real PII in the dictionary can raise legal and ethical concerns; analysts must handle such data responsibly.
**Question 56.** When a forensic analyst extracts a BitLocker recovery key from a domain controller, which Windows service stored it?
A) BitLocker Drive Encryption Service
B) Active Directory Key Recovery Service (AD KRS)
C) Windows Defender
D) Credential Manager
**Answer:** B
**Explanation:** AD KRS stores BitLocker recovery passwords for domain‑joined machines.