Certified Digital Forensic Analyst Exam

The Certified Digital Forensic Analyst Exam evaluates competencies in digital evidence collection, preservation, analysis, and reporting. It covers computer forensics, mobile forensics, network forensics, legal considerations, chain of custody, and incident investigation techniques. The exam prepares professionals to support legal, regulatory, and corporate investigations.

Typology: Exams

2025/2026

Available from 01/23/2026

shilpi-jain-2
Certified Digital Forensic Analyst Exam
**Question 1.** Which phase of the forensic process involves creating a detailed, chronological
record of how evidence was handled?
A) Collection
B) Examination
C) Analysis
D) Reporting
Answer: A
Explanation: The Collection phase includes documenting the chain of custody, ensuring
evidence integrity from the moment of acquisition.
**Question 2.** The principle that requires the original form of evidence to be presented in
court is known as:
A) Hearsay rule
B) Best Evidence rule
C) Authentication rule
D) Exclusionary rule
Answer: B
Explanation: The Best Evidence rule mandates that the original piece of evidence, or a reliable
duplicate, be produced.
**Question 3.** Under the Fourth Amendment, a search of a computer requires:
A) No warrant if the data is public
B) A warrant unless exigent circumstances exist
C) Only user consent
D) A subpoena at all times
Answer: B

Explanation: The Fourth Amendment protects against unreasonable searches; a warrant is generally required unless a recognized exception (consent, exigent circumstances, plain view) applies.
**Question 4.** Which law specifically governs the interception of electronic communications in the United States?
A) GDPR
B) HIPAA
C) ECPA
D) CFAA
Answer: C
Explanation: The Electronic Communications Privacy Act (ECPA) regulates government and private access to electronic communications, both in transit (Wiretap Act) and in storage (Stored Communications Act).
**Question 5.** In digital forensics, “timestomping” refers to:
A) Altering file timestamps to hide activity
B) Deleting log files
C) Encrypting timestamps
D) Compressing time‑sensitive data
Answer: A
Explanation: Timestomping is an anti‑forensic technique that rewrites MACB timestamps to mislead investigators. Common tools change only the $STANDARD_INFORMATION timestamps and leave $FILE_NAME untouched, which is why comparing the two attributes is a standard detection check.
**Question 6.** The primary difference between incident response and forensic investigation is:
A) Incident response focuses on evidence preservation, forensics on system restoration
B) Incident response is live containment; forensics is deep‑dive analysis after containment
C) Incident response requires a court order; forensics does not

D) It is compatible with older operating systems
Answer: C
Explanation: SHA‑256 provides far stronger collision resistance than MD5 or SHA‑1, making it the reliable choice for integrity verification.
**Question 10.** According to the Order of Volatility, which data source should be collected first?
A) Hard drive partitions
B) RAM
C) Registry hives
D) Browser cache
Answer: B
Explanation: Volatile data such as RAM is lost on power‑off, so it is captured before the less volatile sources (on‑disk registry hives, browser cache, partitions).
**Question 11.** Live acquisition of an encrypted volume is typically performed to:
A) Bypass the need for a password
B) Capture the decrypted data in memory
C) Clone the encrypted partition directly
D) Reset the encryption key
Answer: B
Explanation: While the system is running and the volume is mounted, the decrypted data (and usually the volume key) resides in RAM; a memory capture or a logical copy of the mounted volume preserves it before power‑off discards it.
**Question 12.** Which of the following is a software‑based write‑blocker?
A) Tableau Forensic Bridge
B) WriteProtect™ hardware dongle

C) FTK Imager’s “Read‑Only” mode
D) Magnet AXIOM hardware device
Answer: C
Explanation: FTK Imager can mount an image or drive read‑only, which is the software option here; the other choices are hardware devices. When imaging original media, a hardware write‑blocker (or at least the Windows StorageDevicePolicies\WriteProtect registry setting) is the accepted control, because a read‑only mount in one application does not stop the operating system itself from writing to an attached disk.
**Question 13.** The registry hive that stores user‑specific environment variables and recently opened files is:
A) SYSTEM
B) SOFTWARE
C) SAM
D) NTUSER.DAT
Answer: D
Explanation: NTUSER.DAT is the per‑user hive (loaded as HKCU) and holds user settings such as environment variables and the RecentDocs MRU lists.
**Question 14.** In the Windows Registry, the “Run” key is used to:
A) Store installed drivers
B) Log user login times
C) Persist malicious executables at startup
D) Record deleted files
Answer: C
Explanation: The Run keys under HKLM and HKCU launch the listed programs automatically at user logon (HKLM for every user, HKCU for that user only), which makes them a common persistence location for malware.
**Question 15.** A LNK file primarily provides evidence of:
A) Network connections

C) User login credentials
D) Network packet captures
Answer: B
Explanation: Prefetch files (%SystemRoot%\Prefetch\*.pf) store execution metadata for programs, including run count and last run times, helping verify whether a file was run.
**Question 19.** The Windows Event Log that records successful and failed logon attempts is:
A) System log
B) Security log
C) Application log
D) Setup log
Answer: B
Explanation: The Security log contains logon events (4624 for success, 4625 for failure) and other audit successes and failures.
**Question 20.** Which NTFS attribute stores the actual file content when the file size is less than 1 KB?
A) $DATA (non‑resident)
B) $INDEX_ROOT
C) $STANDARD_INFORMATION
D) $DATA (resident)
Answer: D
Explanation: Small files are stored directly inside the MFT record as a resident $DATA attribute; in practice the limit is a few hundred bytes of the 1 KB record, depending on the size of the other attributes.
**Question 21.** In an MFT entry, the $FILE_NAME attribute provides:
A) File permissions only
B) Timestamps, parent directory reference, and filename
C) File hash values

D) Encryption keys
Answer: B
Explanation: $FILE_NAME includes the long and short names, its own set of MACB timestamps, and a reference to the parent directory.
**Question 22.** Data carving relies on:
A) File system metadata
B) Known file signatures (magic bytes) to locate file boundaries
C) Registry keys
D) Network traffic logs
Answer: B
Explanation: Carving scans raw data for header/footer patterns to recover files without relying on file system structures, which is how files are recovered from unallocated space or a damaged volume.
**Question 23.** Slack space is defined as:
A) Unallocated clusters that have never been written to
B) The space between the end of a file and the end of its allocated cluster
C) The portion of the MFT that stores metadata
D) The area of RAM used for temporary buffers
Answer: B
Explanation: Slack space may still hold residual data from whatever previously occupied the cluster, so it is examined for remnants of deleted or hidden information.
**Question 24.** The MACB timestamp model stands for:
A) Modified, Accessed, Created, Backed‑up
B) Modified, Accessed, Changed, Birth
C) Modified, Accessed, Created, Birth
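Questions 22 and 23 describe carving and slack space in one sentence each. The Python below is an added example (not part of the exam material) that does both against a constructed 16 KB image: it carves a JPEG and a PNG purely from header/footer signatures, then extracts the slack that follows the JPEG. The 4 KB cluster size, the offsets and the embedded files are assumptions made for the demonstration.

```python
import struct
import zlib

CLUSTER = 4096  # assumed cluster size for the constructed image

# header, footer, bytes that follow the footer (PNG's IEND chunk carries a 4-byte CRC)
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9", 0),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND", 4),
}


def carve(raw, max_size=8 * 1024 * 1024):
    """Header/footer carving over raw bytes: no file-system metadata is consulted.
    Returns (offset, end, ext, data) tuples sorted by offset."""
    found = []
    for ext, (head, foot, tail) in SIGNATURES.items():
        pos = raw.find(head)
        while pos != -1:
            end = raw.find(foot, pos + len(head), pos + max_size)
            if end == -1:                      # header with no footer in range: skip it
                pos = raw.find(head, pos + 1)
                continue
            end += len(foot) + tail
            found.append((pos, end, ext, raw[pos:end]))
            pos = raw.find(head, end)          # resume after the carved file
    return sorted(found, key=lambda f: f[0])


def slack_region(raw, file_offset, file_size, cluster=CLUSTER):
    """Bytes between the logical end of a file and the end of its last cluster."""
    clusters = -(-file_size // cluster)        # ceiling division
    return raw[file_offset + file_size:file_offset + clusters * cluster]


def _png_chunk(ctype, data):
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", zlib.crc32(ctype + data))


def build_image():
    """Constructed 4-cluster image: a JPEG in cluster 1 whose slack still holds text from an
    earlier, larger file, and a PNG at cluster 3. Not a real disk image."""
    jpeg = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x01" * 300 + b"\xff\xd9"
    png = (b"\x89PNG\r\n\x1a\n"
           + _png_chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
           + _png_chunk(b"IEND", b""))
    residue = b"Q3 salary list - DO NOT DISTRIBUTE"   # constructed leftover from a deleted file
    img = bytearray(4 * CLUSTER)
    img[CLUSTER:CLUSTER + len(jpeg)] = jpeg
    slack_at = CLUSTER + len(jpeg) + 16
    img[slack_at:slack_at + len(residue)] = residue
    img[3 * CLUSTER:3 * CLUSTER + len(png)] = png
    return bytes(img), jpeg, png


IMAGE, JPEG, PNG = build_image()

if __name__ == "__main__":
    for off, end, ext, data in carve(IMAGE):
        print(f"{ext} at offset {off} ({end - off} bytes)")
    print(slack_region(IMAGE, CLUSTER, len(JPEG)).strip(b"\x00"))
```

Stopping at the first `FF D9` is the textbook approach and is enough here, but a production carver validates the JPEG marker structure instead, because embedded EXIF thumbnails contain their own `FF D9` and would truncate the carve early.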

C) Encrypts the message content
D) Stores the sender’s password hash
Answer: B
Explanation: Each “Received” line adds a hop, providing a traceable route for the email.
**Question 28.** The “Message-ID” header is primarily used to:
A) Identify the sender’s IP address
B) Uniquely identify a specific email message across systems
C) Encrypt the email body
D) Indicate the email’s priority level
Answer: B
Explanation: Message‑ID is a globally unique identifier assigned by the originating mail system.
**Question 29.** Which artifact can reveal a user’s social media activity on a Windows machine?
A) Prefetch files
B) Registry Run keys
C) Browser cache and history files
D) MFT $STANDARD_INFORMATION attribute
Answer: C
Explanation: Browser cache, history, and cookies capture URLs and timestamps of social media interactions.
**Question 30.** GDPR primarily affects digital forensics investigations by:
A) Requiring all evidence to be encrypted
B) Limiting the export of personal data outside the EU without lawful basis
C) Mandating the use of SHA‑512 for hashing

D) Prohibiting the use of write‑blockers
Answer: B
Explanation: GDPR imposes strict rules on processing and transferring personal data, influencing cross‑border evidence handling.
**Question 31.** Which of the following is NOT a valid reason to seize a computer under the Fourth Amendment?
A) Search warrant
B) Consent of the owner
C) Plain view doctrine
D) Random spot check without suspicion
Answer: D
Explanation: Random checks without probable cause or consent violate the Fourth Amendment.
**Question 32.** The “Best Evidence” rule is most closely related to which forensic concept?
A) Hash verification of images
B) Chain of custody documentation
C) Use of original data rather than copies for analysis
D) Encryption of evidence files
Answer: C
Explanation: Best Evidence requires presenting the original or an exact duplicate, emphasizing the need for original data.
**Question 33.** Which hashing algorithm is considered broken for collision resistance and should not be used for forensic verification?
A) SHA‑256
B) MD
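Questions 9 and 33 turn on collision resistance, and the practical consequence for an examiner is the verification step: re‑hash the image and compare against the digests recorded at acquisition. The Python below is an added example (not exam material) of that check. It hashes a stream in chunks, compares in constant time, and refuses to call an image "verified" when the acquisition record carries only MD5 or SHA‑1. The image bytes and the acquisition record are constructed in the script itself.

```python
import hashlib
import hmac
import io

WEAK_ALGORITHMS = {"md5", "sha1"}   # collisions are practical; acceptable only alongside a strong hash


def hash_stream(fp, algorithms, chunk_size=1 << 20):
    """Hash a file-like object in chunks so multi-terabyte images never sit in memory."""
    hashers = {alg: hashlib.new(alg) for alg in algorithms}
    for block in iter(lambda: fp.read(chunk_size), b""):
        for h in hashers.values():
            h.update(block)
    return {alg: h.hexdigest() for alg, h in hashers.items()}


def verify_image(fp, acquisition_record):
    """acquisition_record maps algorithm name -> hex digest recorded at acquisition
    (from the examiner's notes or the image container). Returns a verdict plus detail."""
    computed = hash_stream(fp, tuple(acquisition_record))
    matches = {alg: hmac.compare_digest(computed[alg].lower(), digest.lower())
               for alg, digest in acquisition_record.items()}
    if not all(matches.values()):
        verdict = "mismatch"                 # image altered, or wrong image/record pairing
    elif set(acquisition_record) <= WEAK_ALGORITHMS:
        verdict = "weak_only"                # matches, but MD5/SHA-1 alone cannot exclude a crafted collision
    else:
        verdict = "verified"
    return {"verdict": verdict, "matches": matches, "computed": computed}


# Constructed stand-in for an acquired image; its "acquisition" hashes are computed here.
IMAGE = bytes(4096) + b"\x55\xaa" + bytes(range(256)) * 64
ACQ_RECORD = hash_stream(io.BytesIO(IMAGE), ("md5", "sha256"))


def check(image_bytes, record):
    """Convenience wrapper so the verification can be run on in-memory bytes."""
    return verify_image(io.BytesIO(image_bytes), record)


if __name__ == "__main__":
    print(check(IMAGE, ACQ_RECORD)["verdict"])
    tampered = IMAGE[:4096] + b"\x00\x00" + IMAGE[4098:]      # two bytes changed
    print(check(tampered, ACQ_RECORD)["verdict"])
    print(check(IMAGE, {"md5": ACQ_RECORD["md5"]})["verdict"])
```

Recording both MD5 and SHA‑256 at acquisition is common practice: MD5 keeps compatibility with older tools and reports, while the SHA‑256 match is the one that actually carries the integrity claim.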

C) Keeping a list of installed software
D) Maintaining the list of active network connections
Answer: B
Explanation: $LogFile contains NTFS transaction records that help restore consistency after unexpected shutdowns.
**Question 37.** Which of the following indicates a file was likely deleted using the “Shift+Delete” shortcut?
A) The file is moved to the Recycle Bin folder in the MFT
B) The $FILE_NAME attribute’s “IsDeleted” flag is set, but the file’s $DATA remains resident
C) The file’s clusters are marked as free in the $Bitmap, and no entry exists in the MFT
D) The file’s timestamps are set to zero
Answer: C
Explanation: “Shift+Delete” bypasses the Recycle Bin: the file’s clusters are released in $Bitmap and its MFT record is flagged as no longer in use. The record and its attributes are not wiped until the slot is reused, which is what makes recovery possible; option B is a distractor, since $FILE_NAME has no “IsDeleted” flag.
**Question 38.** Which Windows artifact can be used to determine the last time a USB device was connected?
A) Prefetch files
B) Registry key HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR
C) LNK files in the Recent folder
D) Event Log – System log with Event ID 2003
Answer: B
Explanation: USBSTOR holds one subkey per device (vendor, product, serial number). The subkey’s LastWriteTime approximates the last connection; on Windows 8 and later, more precise first‑install, last‑connected and last‑removed timestamps are kept under the device’s Properties subkey, and setupapi.dev.log records the first installation.
**Question 39.** The “RecentDocs” registry key stores:

A) Network shares accessed
B) List of recently opened documents per user
C) System boot configuration
D) Installed drivers list
Answer: B
Explanation: RecentDocs (in NTUSER.DAT) contains MRU (most recently used) entries for documents opened by the user.
**Question 40.** Which file format is most suitable for preserving metadata such as acquisition time, examiner name, and case number alongside the raw image?
A) RAW (dd)
B) E
C) ISO
D) VMDK
Answer: B
Explanation: E01 (Expert Witness Format) files embed case‑related metadata and the acquisition hash within the image file.
**Question 41.** In forensic analysis, “dead acquisition” refers to:
A) Capturing data from a powered‑off system using a hardware write‑blocker
B) Imaging a live system’s RAM
C) Sniffing network traffic in real time
D) Extracting data from cloud storage directly
Answer: A
Explanation: Dead acquisition images storage media after the system has been powered off, so volatile data such as RAM contents and live network state is not captured.
**Question 42.** Which of the following is a common sign of a rootkit in Windows Event Logs?

A) Two different files produce the same hash value, potentially undermining integrity checks
B) The hash algorithm fails to run due to insufficient memory
C) The hash value is corrupted during transmission
D) The hash is encrypted for security
Answer: A
Explanation: A collision occurs when distinct inputs generate identical hash outputs, compromising verification.
**Question 46.** Which Windows system file contains the list of installed drivers and services?
A) %SystemRoot%\System32\drivers\etc\hosts
B) %SystemRoot%\System32\drivers\driverstore
C) %SystemRoot%\System32\config\SYSTEM (registry hive)
D) %SystemRoot%\System32\config\SOFTWARE (registry hive)
Answer: C
Explanation: The SYSTEM hive stores driver and service configuration data (under CurrentControlSet\Services).
**Question 47.** The forensic significance of the “$LogFile” attribute in NTFS is that it:
A) Stores user passwords in plaintext
B) Provides a record of file system changes that can be used to reconstruct deleted data
C) Contains the boot sector of the volume
D) Holds the encryption keys for EFS‑protected files
Answer: B
Explanation: $LogFile’s transaction logs can be parsed to recover file system operations, aiding in reconstruction of deleted files.
**Question 48.** Which of the following is the most reliable way to verify that a forensic image has not been altered after acquisition?

A) Comparing file sizes before and after transfer
B) Re‑hashing the image and comparing it to the original hash value recorded at acquisition
C) Viewing the image in a hex editor for visual changes
D) Checking the timestamp of the image file
Answer: B
Explanation: Re‑computing the hash and matching it to the value recorded at acquisition demonstrates data integrity; sizes and timestamps can be preserved or forged trivially.
**Question 49.** In a Windows environment, the “Amcache.hve” registry hive is useful for:
A) Identifying recently executed programs and their timestamps, even after deletion
B) Storing user password hashes
C) Logging network traffic details
D) Recording DNS cache entries
Answer: A
Explanation: Amcache.hve tracks executed applications, their file paths, SHA‑1 hashes and timestamps, providing execution evidence even after the executable has been deleted.
**Question 50.** Which of the following statements about “virtual memory” files (pagefile.sys) is true?
A) They contain a complete copy of the system registry
B) They may hold fragments of decrypted data from RAM, useful for credential recovery
C) They are always encrypted on modern Windows systems
D) They are never useful in forensic investigations
Answer: B
Explanation: Pagefile.sys can contain remnants of data swapped out of RAM, including passwords and plaintext fragments.
**Question 51.** The “$Standard_Information” attribute in an MFT entry stores:
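Questions 5, 20, 21, 24, 37 and 51 all come back to the layout of an MFT FILE record: the in‑use flag in the header, the resident $DATA attribute, and the two independent sets of MACB timestamps in $STANDARD_INFORMATION and $FILE_NAME. The Python below is an added example (not exam material, and not taken from any forensic tool) that builds a 1 KB record with the real on‑disk layout, undoes the NTFS update‑sequence fixups, walks the attributes, and applies the two classic timestomping checks. The file name, content and timestamps are constructed; the "backdated to 2015" scenario is an assumption for the demonstration.

```python
import struct
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
STD_INFO, FILE_NAME, DATA, END = 0x10, 0x30, 0x80, 0xFFFFFFFF


def filetime_to_dt(ft):
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def dt_to_filetime(dt, ticks=0):
    """FILETIME = 100 ns ticks since 1601-01-01; `ticks` adds a sub-second part."""
    return int((dt - EPOCH_1601).total_seconds()) * 10_000_000 + ticks


def _resident_attr(atype, content):
    length = (0x18 + len(content) + 7) & ~7        # attribute records are 8-byte aligned
    hdr = struct.pack("<IIBBHHHIHBB", atype, length, 0, 0, 0x18, 0, 0, len(content), 0x18, 0, 0)
    return hdr + content + bytes(length - 0x18 - len(content))


def build_record(si_times, fn_times, name, data, record_no=40):
    """Constructed 1 KB in-use FILE record with resident $SI, $FN and $DATA, fixups applied."""
    attrs = _resident_attr(STD_INFO, struct.pack("<QQQQIIII", *si_times, 0x20, 0, 0, 0))
    fn = struct.pack("<QQQQQQQIIBB", 5 | (5 << 48), *fn_times, len(data), len(data), 0x20, 0, len(name), 1)
    attrs += _resident_attr(FILE_NAME, fn + name.encode("utf-16-le"))
    attrs += _resident_attr(DATA, data) + struct.pack("<II", END, 0)
    usa_off, usa_count, attr_off = 0x30, 3, 0x38
    rec = bytearray(struct.pack("<4sHHQHHHHIIQHHI", b"FILE", usa_off, usa_count, 0, 1, 1,
                                attr_off, 0x01, attr_off + len(attrs), 1024, 0, 4, 0, record_no))
    rec += bytes(attr_off - len(rec)) + attrs
    rec += bytes(1024 - len(rec))
    usn = b"\x05\x00"
    rec[usa_off:usa_off + 2] = usn
    for i in range(usa_count - 1):                 # NTFS stamps the last 2 bytes of each sector
        end = 510 + 512 * i
        rec[usa_off + 2 + 2 * i:usa_off + 4 + 2 * i] = rec[end:end + 2]
        rec[end:end + 2] = usn
    return bytes(rec)


def parse_record(raw):
    if raw[:4] != b"FILE":
        raise ValueError("not an MFT FILE record")
    rec = bytearray(raw)
    usa_off, usa_count = struct.unpack_from("<HH", rec, 4)
    usn = rec[usa_off:usa_off + 2]
    for i in range(usa_count - 1):                 # undo fixups; a mismatch means a torn write
        end = 510 + 512 * i
        if rec[end:end + 2] != usn:
            raise ValueError("update sequence mismatch in sector %d" % i)
        rec[end:end + 2] = rec[usa_off + 2 + 2 * i:usa_off + 4 + 2 * i]
    attr_off, flags = struct.unpack_from("<HH", rec, 0x14)
    out = {"in_use": bool(flags & 1), "attrs": {}}
    off = attr_off
    while off + 8 <= len(rec):
        atype, alen = struct.unpack_from("<II", rec, off)
        if atype == END or alen == 0:
            break
        if rec[off + 8]:                           # non-resident: content lives in clusters
            out["attrs"][atype] = {"resident": False, "size": struct.unpack_from("<Q", rec, off + 0x30)[0]}
        else:
            clen, coff = struct.unpack_from("<IH", rec, off + 0x10)
            body = bytes(rec[off + coff:off + coff + clen])
            entry = {"resident": True, "content": body}
            if atype == STD_INFO:                  # created, modified, MFT changed, accessed
                entry["times"] = struct.unpack_from("<QQQQ", body, 0)
            elif atype == FILE_NAME:               # same four, after the 8-byte parent reference
                entry["times"] = struct.unpack_from("<QQQQ", body, 8)
                entry["name"] = body[66:66 + 2 * body[64]].decode("utf-16-le")
            out["attrs"][atype] = entry
        off += alen
    return out


def timestomp_indicators(parsed):
    si, fn = parsed["attrs"][STD_INFO]["times"], parsed["attrs"][FILE_NAME]["times"]
    hits = []
    if si[0] < fn[0]:
        hits.append("$SI creation time predates $FN creation time")
    if all(t % 10_000_000 == 0 for t in si) and any(t % 10_000_000 for t in fn):
        hits.append("$SI timestamps have a zero sub-second part, $FN does not")
    return hits


# Constructed scenario: real creation in 2024, $SI backdated to 2015 by a timestomping tool.
REAL = dt_to_filetime(datetime(2024, 3, 5, 10, 15, 30, tzinfo=timezone.utc), ticks=1234567)
FAKE = dt_to_filetime(datetime(2015, 1, 1, tzinfo=timezone.utc))
STOMPED = build_record((FAKE,) * 4, (REAL,) * 4, "invoice.xlsx", b"PK\x03\x04 resident payload")
CLEAN = build_record((REAL,) * 4, (REAL,) * 4, "invoice.xlsx", b"PK\x03\x04 resident payload")

if __name__ == "__main__":
    p = parse_record(STOMPED)
    print(p["attrs"][FILE_NAME]["name"], "in_use:", p["in_use"], "resident $DATA:", p["attrs"][DATA]["resident"])
    print("$SI created:", filetime_to_dt(p["attrs"][STD_INFO]["times"][0]))
    print("$FN created:", filetime_to_dt(p["attrs"][FILE_NAME]["times"][0]))
    print(timestomp_indicators(p))
```

The two indicators are heuristics, not proof: a zero sub‑second part also appears on files copied from FAT media, and $FN is refreshed on rename or move, so a finding should be corroborated with $LogFile or $UsnJrnl entries before it goes into a report. For a deleted file (Question 37) the same parser still works; only `in_use` comes back False.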

**Question 54.** Which of the following is a characteristic of the AFF (Advanced Forensic Format) image?
A) It can only store raw sector data, no metadata
B) It supports compression and hashing of individual chunks for integrity verification
C) It is a proprietary format only readable by EnCase
D) It automatically encrypts the image with a default key
Answer: B
Explanation: AFF allows optional compression and stores per‑chunk hashes, enhancing integrity checking.
**Question 55.** In the context of GDPR, the “right to be forgotten” impacts forensic investigations by:
A) Allowing investigators to delete all personal data after analysis
B) Requiring justification before retaining personal data beyond the investigation’s scope
C) Mandating the use of pseudonymization during evidence collection
D) Preventing the collection of any personal data without explicit consent
Answer: B
Explanation: GDPR requires that personal data be retained only as long as necessary, so investigators must limit storage and justify retention.
**Question 56.** Which of the following best describes a “volatile” data source?
A) Data stored on a magnetic hard drive
B) Data that is lost when power is removed, such as RAM
C) Data archived on offline tape media
D) Data stored in encrypted cloud storage
Answer: B

Explanation: Volatile data, like RAM, disappears upon power loss, making timely acquisition critical.
**Question 57.** The “Event ID 4625” in Windows Security logs indicates:
A) Successful user logon
B) Failed user logon attempt
C) System shutdown
D) Service start failure
Answer: B
Explanation: Event ID 4625 records a failed logon (its counterpart 4624 records a successful one); clusters of 4625 events from a single source are a classic indicator of brute‑force or password‑spraying attempts.
**Question 58.** Which of the following is NOT a typical artifact found in the Windows Registry for detecting malware persistence?
A) Run and RunOnce keys
B) Services subkey entries
C) Scheduled Tasks under HKLM\Software\Microsoft\Windows\CurrentVersion\Run
D) $MFT $FILE_NAME attribute
Answer: D
Explanation: $MFT is part of the file system, not the registry; persistence mechanisms are stored in registry keys. (Option C is itself inaccurate: scheduled tasks are recorded under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache and as XML in %SystemRoot%\System32\Tasks, not under the Run key.)
**Question 59.** In web browser forensics, the “Cache” folder primarily contains:
A) User passwords in plaintext
B) Copies of previously viewed web resources (HTML, images, scripts)
C) Browser configuration files only
D) Encrypted browsing history
Answer: B
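Question 57 names Event ID 4625 as the brute‑force signal; the Python below is an added example (not exam material) of the detection logic an analyst would run over exported logon events. It uses a sliding window per source address to separate a brute‑force burst against one account from a password spray across many, and flags a 4624 from a source that has already been flagged. The log lines are a constructed, simplified export (timestamp, event ID, TargetUserName, IpAddress, Status); a real Security log would be parsed from EVTX or `Get-WinEvent` XML first, and the thresholds are assumptions to tune per environment.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# One simplified line per Security-log event (constructed, not a real export):
#   <UTC timestamp> <EventID> user=<TargetUserName> src=<IpAddress> [status=<Status>]
# 0xC000006A = wrong password, 0xC0000064 = account does not exist
SAMPLE_LOG = """\
2024-05-01T08:00:01Z 4625 user=alice src=10.0.0.5 status=0xC000006A
2024-05-01T08:00:03Z 4625 user=alice src=10.0.0.5 status=0xC000006A
2024-05-01T08:00:05Z 4625 user=alice src=10.0.0.5 status=0xC000006A
2024-05-01T08:00:07Z 4625 user=alice src=10.0.0.5 status=0xC000006A
2024-05-01T08:00:09Z 4625 user=alice src=10.0.0.5 status=0xC000006A
2024-05-01T08:00:11Z 4625 user=alice src=10.0.0.5 status=0xC000006A
2024-05-01T08:00:15Z 4625 user=bob src=10.0.0.9 status=0xC000006A
2024-05-01T08:00:20Z 4624 user=alice src=10.0.0.5
2024-05-01T08:01:00Z 4625 user=carol src=10.0.0.7 status=0xC0000064
2024-05-01T08:01:10Z 4625 user=dave src=10.0.0.7 status=0xC000006A
2024-05-01T08:01:20Z 4625 user=erin src=10.0.0.7 status=0xC000006A
2024-05-01T08:01:30Z 4625 user=frank src=10.0.0.7 status=0xC000006A
2024-05-01T08:01:40Z 4625 user=gina src=10.0.0.7 status=0xC000006A
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<eid>\d+) user=(?P<user>\S+) src=(?P<src>\S+)"
                     r"(?: status=(?P<status>0x[0-9A-Fa-f]+))?$")


def parse_events(text):
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                        # not a logon event in the simplified format
        ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
        events.append({"ts": ts, "eid": int(m["eid"]), "user": m["user"],
                       "src": m["src"], "status": m["status"]})
    return sorted(events, key=lambda e: e["ts"])


def detect(text, threshold=5, window=timedelta(seconds=60)):
    """Sliding-window rules over 4625/4624 events:
    - brute_force: >= threshold failures from one source within `window`
    - password_spray: the same, but spread over >= threshold distinct accounts
    - success_after_failures: a 4624 from a source that was already flagged"""
    alerts, recent, flagged = [], defaultdict(deque), set()
    for e in parse_events(text):
        q = recent[e["src"]]
        while q and e["ts"] - q[0][0] > window:
            q.popleft()                     # drop failures that fell out of the window
        if e["eid"] == 4625:
            q.append((e["ts"], e["user"]))
            users = sorted({u for _, u in q})
            if e["src"] not in flagged and len(q) >= threshold:
                flagged.add(e["src"])
                kind = "password_spray" if len(users) >= threshold else "brute_force"
                alerts.append({"kind": kind, "src": e["src"], "users": users, "at": e["ts"]})
        elif e["eid"] == 4624 and e["src"] in flagged:
            alerts.append({"kind": "success_after_failures", "src": e["src"],
                           "users": [e["user"]], "at": e["ts"]})
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(a["at"].isoformat(), a["kind"], a["src"], ",".join(a["users"]))
```

The `success_after_failures` rule is the one worth paging on: a burst of 4625s is noise on most networks, but a 4624 from the same source right after it is the point at which the attempt became an account compromise.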