ControlF Demystifying Hex Data DHD Exam, Exams of Technology

The ControlF Demystifying Hex Data (DHD) Exam is designed to build deep foundational understanding of hexadecimal data interpretation for digital forensics professionals. It covers number systems, byte and bit-level data representation, file signatures, data structures, endianness, and manual hex analysis techniques. Candidates learn how to interpret raw binary data to identify artifacts, reconstruct files, and validate forensic findings when automated tools are insufficient.

Typology: Exams

2025/2026

Available from 01/23/2026

shilpi-jain-2

**Question 1. Which hexadecimal value represents the decimal number 255?**
A) 0xFA
B) 0xFF
C) 0x7F
D) 0xC8
Answer: B
Explanation: 0xFF in hexadecimal equals 15×16 + 15 = 255 in decimal.
**Question 2. In a little‑endian system, how is the 32‑bit value 0x12345678 stored in memory (lowest address first)?**
A) 12 34 56 78
B) 78 56 34 12
C) 34 12 78 56
D) 56 78 12 34
Answer: B
Explanation: Little‑endian stores the least‑significant byte first, so the order is 78 56 34 12.
**Question 3. A nibble consists of how many bits?**
A) 2
B) 4
C) 8
D) 16
Answer: B
Explanation: A nibble is half a byte, i.e., 4 bits.
**Question 4. Which binary pattern corresponds to the ASCII character ‘A’?**
A) 01000001
B) 01000010
C) 01100001
D) 01100010
Answer: A
Explanation: ASCII ‘A’ has decimal 65, which is 01000001 in binary.
**Question 5. What does the Byte Order Mark (BOM) 0xEF 0xBB 0xBF indicate?**
A) UTF‑16LE encoding
B) UTF‑8 encoding
C) UTF‑32BE encoding
D) No encoding, just a null terminator
Answer: B
Explanation: The sequence EF BB BF is the UTF‑8 BOM, used to signal UTF‑8 text.
**Question 6. Which of the following is a valid UTF‑16LE byte order for the character ‘Ω’ (U+03A9)?**
A) 0x03 0xA
B) 0xA9 0x
C) 0x00 0x03 0xA9 0x
D) 0xA9 0x00 0x03 0x
Answer: B
Explanation: UTF‑16LE stores the low‑order byte first, so U+03A9 becomes A9 03.
**Question 7. The base64 string “SGVsbG8=” decodes to which ASCII text?**
A) Hello

C) application/zip
D) text/plain
Answer: C
Explanation: “PK\x03\x04” is the ZIP file signature; MIME type is application/zip.
**Question 11. When carving a PDF from raw data, which sequence marks the end of the file?**
A) 0x00 0x00 0x00 0x
B) %%EOF
C)
D) \xFF\xD
Answer: B
Explanation: PDF files terminate with the literal “%%EOF”.
**Question 12. In forensic carving, slack space refers to:**
A) Unused bytes at the end of a file cluster
B) Data that has been overwritten
C) Deleted file entries in the MFT
D) The space between two allocated clusters
Answer: A
Explanation: Slack space is the leftover bytes in the last allocated cluster that are not part of the file’s logical size.
**Question 13. Which hash algorithm is most vulnerable to collision attacks?**
A) SHA‑256
B) MD
C) SHA‑1
D) SHA‑3
Answer: B
Explanation: MD5 is considered broken and prone to collisions.
**Question 14. To locate a 16‑byte GUID in a binary image, which regular expression pattern (hex‑aware) would be appropriate?**
A) /[0-9a-fA-F]{32}/
B) /[0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12}/
C) /(?i)[0-9a-f]{8}(?:[0-9a-f]{4}){3}[0-9a-f]{12}/
D) /[A-F0-9]{16}/
Answer: C
Explanation: GUIDs are 32 hex digits often expressed without hyphens; the pattern matches 8‑4‑4‑4‑12 hex groups case‑insensitively.
**Question 15. Which GREP quantifier matches “zero or more” occurrences?**
A) +
B) ?
C) *
D) {1,}
Answer: C
Explanation: The asterisk (*) denotes “zero or more” repetitions.
**Question 16. A regular expression “\b[0-9]{4}-[0-9]{2}-[0-9]{2}\b” is most suitable for searching:**
A) IPv4 addresses
B) MAC addresses
C) Dates in YYYY‑MM‑DD format

C) UTF‑16
D) ISO‑8859‑1
Answer: C
Explanation: UTF‑16 uses 2‑byte (or 4‑byte surrogate) units and may start with a BOM (FE FF or FF FE).
**Question 20. The hexadecimal sequence “25 50 44 46” corresponds to which file type?**
A) PDF
B) PNG
C) ZIP
D) JPEG
Answer: A
Explanation: PDF files start with the ASCII string “%PDF”, which is 25 50 44 46 in hex.
**Question 21. When converting the binary string “11010110” to hexadecimal, the result is:**
A) 0xD
B) 0xB
C) 0x5A
D) 0x6D
Answer: A
Explanation: 1101 0110 groups into D (1101) and 6 (0110) → 0xD6.
**Question 22. Which of the following best describes a “fragmented” file in a raw disk image?**
A) All its clusters are contiguous.
B) Its data blocks appear in non‑sequential order.
C) It has a missing header.
D) It is stored in the swap partition.
Answer: B
Explanation: Fragmentation means the file’s logical blocks are scattered across the disk, making carving harder.
**Question 23. To locate a MAC address pattern in a hex dump, which regular expression is appropriate?**
A) /([0-9A-F]{2}:){5}[0-9A-F]{2}/i
B) /\b\d{3}.\d{3}.\d{3}\b/
C) /[0-9]{4}-[0-9]{4}-[0-9]{4}/
D) /[A-F0-9]{12}/
Answer: A
Explanation: MAC addresses are six octets separated by colons; the pattern matches that format case‑insensitively.
**Question 24. The Unicode code point U+00E9 corresponds to which character?**
A) é
B) è
C) ê
D) ë
Answer: A
Explanation: U+00E9 is the Latin small letter e with acute (é).
**Question 25. Which hex value is used as the EOF marker for a ZIP file’s central directory?**
A) 0x504B
B) 0x504B
C) 0x504B

Answer: C
Explanation: “==” padding means the encoded data had two missing bytes, so the original data length was not a multiple of 3; two padding characters indicate one original byte of data in the final quantum.
**Question 29. Which of the following is the correct representation of the decimal number 1024 in hexadecimal?**
A) 0x
B) 0x
C) 0x
D) 0x
Answer: B
Explanation: 1024 decimal equals 0x400 (4 × 256).
**Question 30. The first four bytes of a Windows executable (PE) are “MZ”. What is the hex representation of “MZ”?**
A) 4D 5A
B) 5A 4D
C) 50 45
D) 45 50
Answer: A
Explanation: ‘M’ = 0x4D, ‘Z’ = 0x5A.
**Question 31. Which regular expression will match a credit‑card number formatted as “1234-5678-9012-3456”?**
A) /\b\d{4}-\d{4}-\d{4}-\d{4}\b/
B) /\b\d{4}\s\d{4}\s\d{4}\s\d{4}\b/
C) /[0-9]{16}/
D) /\b\d{4}.\d{4}.\d{4}.\d{4}\b/
Answer: A
Explanation: The pattern captures four groups of four digits separated by hyphens.
**Question 32. In a hex editor, the term “offset” most accurately refers to:**
A) The physical sector number on disk
B) The distance in bytes from the start of the file/image
C) The number of bits in a byte
D) The checksum of a block
Answer: B
Explanation: Offset is the byte index relative to the beginning of the data set.
**Question 33. Which of the following is NOT a valid UTF‑8 byte sequence starter?**
A) 0xC
B) 0xE
C) 0xF
D) 0x
Answer: D
Explanation: Bytes 0x80‑0xBF are continuation bytes, not valid start bytes.
**Question 34. The hexadecimal signature “D0 CF 11 E0 A1 B1 1A E1” identifies which file format?**
A) Microsoft Office binary (OLE)
B) PDF
C) PNG

Answer: A
Explanation: ‘t’=0x74, ‘e’=0x65, ‘s’=0x73, ‘t’=0x74.
**Question 38. In a forensic context, the term “slack” most commonly refers to:**
A) Unallocated disk space after the partition table
B) The unused portion of a cluster after a file’s logical end
C) The space between two partitions
D) The free space shown by the OS
Answer: B
Explanation: Slack is the leftover bytes in the last allocated cluster that are not part of the file’s actual data.
**Question 39. Which regular expression anchor asserts the start of a line?**
A) $
B) \b
C) ^
D) \A
Answer: C
Explanation: ^ matches the beginning of a line in most regex engines.
**Question 40. The hexadecimal pattern “FF E0 00 10” is most likely part of which structure?**
A) JPEG SOI marker
B) Windows PE optional header magic
C) BMP file header
D) MP3 frame header
Answer: B
Explanation: In PE optional header, the magic number is 0x10B (PE32) or 0x20B (PE32+); 0x 00 is part of that structure, but “FF E0” is unrelated. Actually this pattern does not clearly match any; the best answer is B as it appears near the optional header. (Given the options, B is the closest.)
**Question 41. Which of the following base64 padding patterns is valid?**
A) “=” only
B) “==” only
C) Both “=” and “==”
D) No padding is ever used
Answer: C
Explanation: Base64 may end with one ‘=’ (when two bytes of data remain) or ‘==’ (when one byte remains).
**Question 42. When viewing a raw disk image, the string “PK\x03\x04” appears at offset 0x1A2B0. What does this most likely indicate?**
A) Start of a PNG file
B) Start of a ZIP archive (or embedded file)
C) Start of a PDF file
D) Start of an executable file
Answer: B
Explanation: “PK\x03\x04” is the local file header signature for ZIP archives, indicating an embedded ZIP or a compressed file.
**Question 43. Which of the following is the correct way to represent the binary number 1011 0010 in hexadecimal?**
A) 0xB
B) 0xC

D) 0xF0 0x9F 0x94 0xA
Answer: A
Explanation: U+03A9 in UTF‑8 is 0xCE 0xA9.
**Question 47. Which of the following hex values is the first byte of a GZIP file?**
A) 1F
B) 8B
C) 42
D) 50
Answer: A
Explanation: GZIP files start with the two‑byte magic number 1F 8B; the first byte is 0x1F.
**Question 48. In forensic carving, a “header‑footer” approach is most effective when:**
A) The file is heavily fragmented
B) The file type has a unique header and a distinct EOF marker
C) The file is encrypted
D) The file resides in the swap partition
Answer: B
Explanation: Header‑footer carving works when both start and end signatures are known and the file is contiguous.
**Question 49. Which regular expression token matches any single hexadecimal digit?**
A) \h
B) \x
C) [0-9A-Fa-f]
D) \d
Answer: C
Explanation: [0-9A-Fa-f] explicitly matches a hex digit; some flavors support \h, but the safest is the character class.
**Question 50. The magic number “0x7F 45 4C 46” identifies which executable format?**
A) Windows PE
B) ELF (Linux/Unix)
C) Mach‑O (macOS)
D) DOS MZ
Answer: B
Explanation: 0x7F followed by “ELF” identifies the ELF executable format.
**Question 51. Which of the following statements about Unicode Normalization Form C (NFC) is true?**
A) It decomposes characters into base + combining marks.
B) It composes characters to the shortest canonical form.
C) It removes all diacritics.
D) It is identical to UTF‑8.
Answer: B
Explanation: NFC composes characters into their precomposed canonical equivalents.
**Question 52. In a raw image, you locate the sequence “FF D9”. This most likely indicates:**
A) End of a JPEG file
B) Start of a PNG file
C) End of a PDF file
D) A Windows executable stub
Answer: A

D) 1111111100001111
Answer: A
Explanation: 65535 = 2^16 − 1, which is sixteen 1’s in binary.
**Question 56. In a forensic context, the term “unallocated space” refers to:**
A) Space marked as free in the file system's allocation table
B) Space that has been overwritten with zeros
C) Space reserved for system files only
D) The partition boot sector
Answer: A
Explanation: Unallocated space is not currently assigned to any file but may contain remnants of deleted data.
**Question 57. Which of the following hex signatures indicates the start of a Microsoft Word .docx file?**
A) 50 4B 03 04
B) 25 50 44 46
C) 4D 5A 90 00
D) 42 4D 46 00
Answer: A
Explanation: .docx files are ZIP archives; they start with PK\x03\x04.
**Question 58. Which regular expression quantifier matches “one or more” repetitions?**
A) *
B) +
C) ?
D) {0,1}
Answer: B
Explanation: The plus sign (+) denotes “one or more”.
**Question 59. The Unicode code point U+1F600 corresponds to which emoji?**
A) (grinning face)
B) (crying face)
C) (cat)
D) (rocket)
Answer: A
Explanation: U+1F600 is the “grinning face” emoji.
**Question 60. Which of the following hex bytes is a valid continuation byte in UTF‑8?**
A) 0xC
B) 0xE
C) 0x
D) 0xF
Answer: C
Explanation: Continuation bytes have the pattern 10xxxxxx, i.e., values 0x80‑0xBF.
**Question 61. In a hex editor, the offset 0x0000 often contains the:**
A) File footer
B) File header or magic number
C) Checksum
D) Random data block
Answer: B
Explanation: The beginning of a file (offset 0) typically holds its header or magic signature.