The Computer Forensics Digital and Mobile Certificate Exam validates comprehensive knowledge across digital and mobile forensic domains. It covers computer forensics, mobile device analysis, evidence handling, investigative methodologies, reporting, and legal considerations. This certification prepares professionals for multidisciplinary forensic roles in law enforcement, corporate investigations, and cybersecurity.
Typology: Exams
Question 1. Which phase of the digital forensic process is primarily concerned with establishing the legal authority to examine a device?
A) Identification
B) Collection
C) Preservation
D) Acquisition of a warrant
Answer: D
Explanation: Acquiring a warrant is part of establishing legal authority, which occurs before collection and preservation.

Question 2. The Federal Rules of Evidence (FRE) rule that most directly addresses the admissibility of electronic evidence is:
A) Rule 401 – Relevance
B) Rule 702 – Expert Testimony
C) Rule 901 – Authentication
D) Rule 404 – Character Evidence
Answer: C
Explanation: Rule 901 requires that evidence be authenticated before it can be admitted, which is critical for electronic data.

Question 3. In a chain‑of‑custody log, the term “custodian” refers to:
A) The person who originally created the data
B) The forensic analyst who examines the evidence
C) The individual responsible for the evidence at a given time
D) The court officer who seals the evidence
Answer: C
Explanation: The custodian is anyone who has physical or logical control of the evidence during its lifecycle.

Question 4. Which of the following best describes forensic readiness?
A) The ability to recover deleted files after an incident
B) Policies and technical controls that enable rapid, reliable evidence collection
C) Encryption of all corporate data to prevent tampering
D) Training staff to recognize phishing attacks
Answer: B
Explanation: Forensic readiness is about preparing an organization to collect and preserve evidence efficiently when an incident occurs.

Question 5. A solid‑state drive (SSD) stores data using:
A) Magnetic platters and read/write heads
B) Magnetic tape reels
C) NAND flash memory cells
D) Optical discs
Answer: C
Explanation: SSDs rely on NAND flash memory rather than magnetic components.

Question 6. Which file system uses a Master File Table (MFT) to keep track of file metadata?
A) FAT
B) NTFS
C) ext
D) HFS+

Answer: A
Explanation: Hex 4A corresponds to the ASCII character ‘J’.

Question 10. Little‑endian byte order stores the least significant byte:
A) At the highest memory address
B) At the lowest memory address
C) In the middle of the word
D) In a separate register
Answer: B
Explanation: Little‑endian places the least significant byte first (lowest address).

Question 11. Which imaging method is most appropriate when a suspect’s computer is powered on and volatile data must be captured?
A) Physical bit‑stream imaging only
B) Logical imaging of selected partitions
C) Live acquisition of RAM followed by physical imaging
D) No imaging; only screenshots are needed
Answer: C
Explanation: Live acquisition captures volatile RAM, then a physical image preserves the rest of the data.

Question 12. A write‑blocker is used to:
A) Encrypt the evidence before transport
B) Prevent any write commands to the source media
C) Speed up data transfer rates
D) Duplicate the evidence onto a USB drive
Answer: B
Explanation: Write‑blockers ensure the original media remains untouched during acquisition.

Question 13. The hash algorithm SHA‑256 produces a digest that is:
A) 128 bits long
B) 160 bits long
C) 256 bits long
D) Variable length depending on input size
Answer: C
Explanation: SHA‑256 always generates a 256‑bit hash value.

Question 14. Which of the following is a primary purpose of the National Software Reference Library (NSRL)?
A) To store encrypted passwords for law enforcement
B) To provide hash values of known software for identification of benign files
C) To host forensic training videos
D) To catalog hardware serial numbers
Answer: B
Explanation: NSRL contains hash signatures of known files to aid in filtering evidence.

Question 15. When analyzing a Windows registry hive, the SAM file primarily contains:
A) System startup programs
B) User account password hashes
C) Network configuration settings
D) Installed application list

Answer: C
Explanation: LNK files contain timestamps for creation, modification, and access, useful in timeline analysis.

Question 19. ShellBags artifacts are primarily used to:
A) Recover encrypted passwords
B) Reconstruct folder view settings and the presence of external drives
C) Identify installed browser plugins
D) Analyze Wi‑Fi network keys
Answer: B
Explanation: ShellBags store view settings for folders and can indicate the existence of removable media.

Question 20. Jump Lists in Windows 7+ are stored in:
A) %AppData%\Microsoft\Windows\Recent
B) %LocalAppData%\Microsoft\Windows\JumpLists
C) %SystemRoot%\System32\jump.lst
D) %UserProfile%\Documents\JumpLists
Answer: B
Explanation: Jump Lists are kept in the LocalAppData path under Microsoft\Windows\JumpLists.

Question 21. Which browser stores its browsing history in an SQLite database named “History”?
A) Internet Explorer
B) Google Chrome
C) Mozilla Firefox
D) Safari
Answer: B
Explanation: Chrome uses an SQLite file called “History” to record browsing data.

Question 22. The default location for Firefox’s cookies.sqlite file is:
A) C:\Users\<user>\AppData\Roaming\Mozilla\Firefox\Profiles\<profile>\cookies.sqlite
B) C:\Program Files\Mozilla Firefox\cookies.sqlite
C) C:\Windows\System32\cookies.sqlite
D) C:\Users\<user>\AppData\Local\Firefox\cookies.sqlite
Answer: A
Explanation: Firefox stores user profile data, including cookies, in the Roaming AppData directory.

Question 23. In Outlook PST files, the “Deleted Items” folder is stored as:
A) A separate .dbx file
B) A hidden sub‑folder within the PST structure
C) Plain text in the Inbox folder
D) An encrypted XML file
Answer: B
Explanation: PST files contain multiple folder structures, including a hidden “Deleted Items” node.

Question 24. File carving relies on:
A) File system metadata only
B) Known file signatures (headers/footers) and size heuristics
C) Encryption keys stored in the registry

C) Physical extraction
D) Cloud‑only extraction
Answer: C
Explanation: Physical extraction copies the entire flash memory, capturing all data, including deleted remnants.

Question 28. A logical extraction on Android typically obtains data from:
A) The raw NAND flash image
B) The /data partition only via ADB commands
C) Application databases accessed through the Android Debug Bridge (ADB) APIs
D) The bootloader firmware
Answer: C
Explanation: Logical extraction uses Android APIs to pull data like contacts, messages, and app databases.

Question 29. The SQLite database “mmssms.db” on Android stores:
A) Wi‑Fi passwords
B) SMS and MMS messages
C) Installed app list
D) GPS coordinates of calls
Answer: B
Explanation: “mmssms.db” contains tables for SMS and MMS message metadata and contents.

Question 30. In iOS, the “Locationd” daemon logs:
A) Application crash reports
B) GPS and Wi‑Fi based location data for apps
C) Battery usage statistics
D) Keyboard input logs
Answer: B
Explanation: Locationd records location events used by apps and system services.

Question 31. Which of the following file types commonly contains EXIF metadata with GPS coordinates?
A) .txt
B) .pdf
C) .jpg
D) .docx
Answer: C
Explanation: JPEG images store EXIF metadata, which can include GPS latitude and longitude.

Question 32. A forensic analyst wants to verify that a captured RAM image has not been altered after acquisition. Which technique should be used?
A) Re‑hash the image with the same algorithm and compare to the original hash
B) Run a checksum on the source computer’s hard drive
C) Compare file timestamps on the image file
D) Open the image in a hex editor and look for anomalies
Answer: A
Explanation: Re‑hashing ensures the image’s integrity by confirming the hash matches the original.

Question 33. Which hash algorithm is considered broken for collision resistance and should not be used for evidence verification?

A) Data stored on SSDs
B) Information that is lost when power is removed, such as RAM contents
C) Encrypted files on a hard drive
D) Data that is stored in the cloud
Answer: B
Explanation: Volatile data resides in memory and disappears when the system loses power.

Question 37. Which Windows registry key holds the list of recently opened documents for the current user?
A) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
B) HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs
C) HKEY_USERS\.DEFAULT\Control Panel\Desktop
D) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
Answer: B
Explanation: The RecentDocs subkey tracks recently accessed files per user.

Question 38. In Android, the “/system/app” directory typically contains:
A) User‑installed third‑party apps
B) Pre‑installed system applications in APK format
C) Temporary cache files
D) Encrypted user data
Answer: B
Explanation: System apps are stored as APKs in the /system/app folder.

Question 39. Which of the following best describes a “sandbox” in mobile OS security?
A) A physical compartment for the device’s battery
B) An isolated execution environment that restricts app permissions
C) A cloud‑based backup service
D) A hardware encryption module
Answer: B
Explanation: Sandboxing limits each app’s ability to access system resources and other apps’ data.

Question 40. The “adb pull” command is used for:
A) Installing applications on an Android device
B) Extracting files from the device to a host computer (logical extraction)
C) Resetting the device to factory settings
D) Flashing a new bootloader
Answer: B
Explanation: “adb pull” copies files from the device’s file system to the host.

Question 41. When analyzing a WhatsApp SQLite database on Android, the table “messages” typically includes a column named “media_url”. This column is used to:
A) Store the text of the message
B) Reference the location of attached media files on the device
C) Record the sender’s phone number
D) Indicate the encryption key for the message
Answer: B
Explanation: “media_url” points to the file path of images, videos, or audio attached to a message.

Question 45. A forensic analyst discovers a hidden partition on a suspect’s HDD. Which tool is most appropriate for enumerating hidden partitions?
A) FTK Imager
B) DiskPart (list partition)
C) Volatility
D) Wireshark
Answer: B
Explanation: DiskPart can list all partitions, including hidden ones, on a disk.

Question 46. In the context of mobile forensics, “Jailbreak” on iOS devices primarily enables:
A) Automatic data encryption
B) Access to the root file system, allowing deeper data extraction
C) Remote wiping of the device
D) Faster network connectivity
Answer: B
Explanation: Jailbreaking removes Apple’s restrictions, granting root access for forensic tools.

Question 47. Which of the following is NOT a standard artifact extracted from the Android “/data/data/com.android.providers.contacts/databases/contacts2.db” file?
A) Contact names and phone numbers
B) SMS message bodies
C) Email addresses associated with contacts
D) Contact group memberships
Answer: B
Explanation: SMS messages are stored in “mmssms.db”, not in the contacts database.

Question 48. When performing a forensic analysis of a Windows 10 system, the presence of the file “AppCompatCache.hve” is significant because it contains:
A) A list of recently installed software updates
B) Cached information about executed applications, useful for timeline reconstruction
C) User login credentials
D) System crash dump data
Answer: B
Explanation: AppCompatCache (also known as ShimCache) records metadata about executed binaries.

Question 49. The “Windows Event Log” files (e.g., System.evtx) are stored in which format?
A) Plain text
B) XML‑based binary format
C) CSV
D) SQLite database
Answer: B
Explanation: EVTX files use a proprietary binary format that can be parsed as XML structures.

Question 50. Which of the following best describes the purpose of “Volatility” in digital forensics?
A) Imaging hard drives
B) Analyzing memory dumps to extract running processes, network connections, and loaded modules
C) Encrypting forensic images

D) Recording boot sector information
Answer: B
Explanation: $LogFile records NTFS transaction logs to ensure file system consistency.

Question 54. Which of the following best explains why SSDs present challenges for traditional file carving techniques?
A) They use magnetic platters that obscure data
B) Wear‑leveling and TRIM may erase deleted data, leaving no residual slack
C) They cannot be imaged using hardware write‑blockers
D) Their file systems are always encrypted by default
Answer: B
Explanation: TRIM commands can permanently erase blocks, reducing the amount of recoverable data.

Question 55. In iOS, the “MobileInstallation.plist” file provides evidence of:
A) Network traffic logs
B) Applications that have been installed or removed on the device
C) GPS location history
D) Encrypted messages in iMessage
Answer: B
Explanation: MobileInstallation.plist tracks app installation and removal events.

Question 56. Which of the following is a recommended practice when handling a seized mobile device to preserve volatile data?
A) Immediately power off the device
B) Place the device in a Faraday bag to prevent remote wiping before acquisition
C) Connect the device to Wi‑Fi to download forensic tools
D) Remove the SIM card before imaging
Answer: B
Explanation: A Faraday bag blocks wireless signals, preventing remote commands that could alter data.

Question 57. The “/proc” filesystem in Linux is useful for forensic analysis because it provides:
A) Encrypted backups of user files
B) Real‑time information about running processes, memory maps, and system configuration
C) A list of installed applications only
D) A graphical user interface for system settings
Answer: B
Explanation: /proc exposes kernel and process data in a virtual file system.

Question 58. Which of the following statements about “hash collisions” is true?
A) They are impossible with any modern hash algorithm
B) Two different inputs can produce the same hash value, potentially undermining evidence integrity
C) Collisions only occur with MD5, not SHA‑1 or SHA‑256
D) Collisions are desirable for forensic verification
Answer: B
Explanation: Collisions can occur, especially with weaker algorithms, compromising uniqueness.

Question 59. During a live acquisition, which command on a Windows system captures a snapshot of the current network connections?