ControlF Python Scripting 1 PS1 Exam, Exams of Technology

The ControlF Python Scripting 1 Exam validates the ability to use Python for forensic automation and data analysis. It covers Python fundamentals, file parsing, artifact extraction, log analysis, and basic scripting for investigative workflows. This certification enables forensic professionals to enhance efficiency and customize analysis processes.

Typology: Exams

2025/2026

Available from 01/23/2026

shilpi-jain-2
ControlF Python Scripting 1 PS1 Exam
**Question 1.** Which Python keyword is used to handle exceptions that may occur while
opening a forensic image file?
A) catch
B) try
C) raise
D) finally
Answer: B
Explanation: The `try` keyword begins a block where exceptions can be caught; it is paired with
`except` to handle errors such as file-open failures.
**Question 2.** In Python, which statement correctly opens a file named “disk.img” for binary
reading without truncating it?
A) open('disk.img', 'w')
B) open('disk.img', 'rb')
C) open('disk.img', 'r+')
D) open('disk.img', 'bw')
Answer: B
Explanation: The mode `'rb'` opens the file in binary read-only mode, preserving the original
data.
**Question 3.** What is the result of the expression `type(b'ABC')` in Python 3?
A) `<class 'str'>`
B) `<class 'bytes'>`
C) `<class 'bytearray'>`
D) `<class 'list'>`
Answer: B

Explanation: A literal prefixed with `b` creates a bytes object; `type()` confirms it as `<class 'bytes'>`.
**Question 4.** Which of the following best describes Python’s “off-side rule”?
A) Variables must be declared before use.
B) Indentation determines block structure.
C) All functions must be defined at the top of a script.
D) Statements end with a semicolon.
Answer: B
Explanation: Python uses indentation (the off-side rule) to define the scope of loops, functions, and conditionals.
**Question 5.** Given `data = b'\x01\x00\x00\x00'`, which `struct.unpack` format string correctly interprets it as a little-endian unsigned 32-bit integer?
A) `'>I'`
B) `'<I'`
C) `'!I'`
D) `'I'`
Answer: B
Explanation: `<` denotes little-endian; `I` is a 4-byte unsigned integer. `struct.unpack('<I', data)` returns `(1,)`.
**Question 6.** Which Python built-in function converts the integer 255 to its hexadecimal string representation?
A) `hex(255)`
B) `int(255, 16)`
C) `format(255, 'hex')`

C) Email addresses
D) Credit card numbers
Answer: B
Explanation: The pattern looks for six groups of two hex digits separated by `:` or `-`, the typical MAC address format.
**Question 10.** Which Python statement correctly converts a Windows FILETIME (number of 100-nanosecond intervals since Jan 1 1601) stored in variable `ft` to a Python `datetime` object?
A) `datetime.fromtimestamp(ft / 1e7 - 11644473600)`
B) `datetime.utcfromtimestamp(ft / 1e7)`
C) `datetime.fromtimestamp(ft / 1e7)`
D) `datetime.fromtimestamp(ft)`
Answer: A
Explanation: FILETIME must be divided by 10,000,000 to get seconds, then subtract the offset between 1601 and 1970 (11644473600 seconds).
**Question 11.** Which `sqlite3` method is used to retrieve column names from a cursor after executing a SELECT query?
A) `cursor.description`
B) `cursor.columns()`
C) `cursor.field_names()`
D) `cursor.get_names()`
Answer: A
Explanation: `cursor.description` returns a sequence of 7-item tuples; the first element of each tuple is the column name.
**Question 12.** In Python, which of the following constructs will correctly ensure that a file is closed automatically after processing, even if an exception occurs?

A) `f = open('log.txt'); ...; f.close()`
B) `try: f = open('log.txt'); ... finally: f.close()`
C) `with open('log.txt') as f: ...`
D) Both B and C
Answer: D
Explanation: Both a try…finally block and a `with` context manager guarantee that `close()` runs regardless of errors.
**Question 13.** When carving JPEG files from raw data, which magic byte sequence indicates the start of a JPEG?
A) `0x89 0x50 0x4E 0x47`
B) `0xFF 0xD8 0xFF`
C) `0x42 0x4D`
D) `0x25 0x50 0x44 0x46`
Answer: B
Explanation: JPEG files begin with the SOI marker `FF D8` followed by `FF`.
**Question 14.** Which Python module provides the `csv.writer` class for generating comma-separated value files?
A) json
B) csv
C) pandas
D) io
Answer: B
Explanation: The standard `csv` module contains `writer` for creating CSV output.

**Question 18.** When parsing a SQLite database for a messaging app, you need to extract the `content` column from the `messages` table where `is_deleted = 0`. Which SQL query accomplishes this?
A) `SELECT * FROM messages WHERE is_deleted = 0;`
B) `SELECT content FROM messages WHERE is_deleted = 0;`
C) `SELECT content FROM messages;`
D) `SELECT content FROM messages WHERE is_deleted;`
Answer: B
Explanation: The query explicitly selects the `content` field only for rows where `is_deleted` equals zero.
**Question 19.** Which Python expression correctly concatenates two byte strings `a` and `b`?
A) `a + b`
B) `a. b`
C) `a.concat(b)`
D) `a.append(b)`
Answer: A
Explanation: The `+` operator joins two bytes objects, producing a new bytes sequence.
**Question 20.** In a forensic script, you need to filter out lines that start with a hash (`#`) comment from a text log. Which `re` pattern will match such lines?
A) `r'^#.*'`
B) `r'#.*$'`
C) `r'\#'`
D) `r'[#]'`
Answer: A

Explanation: `^` anchors the match at the start of the line; `#.*` matches a hash followed by any characters.
**Question 21.** Which built-in Python function can be used to convert a hexadecimal string `'deadbeef'` to an integer?
A) `int('deadbeef', 16)`
B) `hex('deadbeef')`
C) `float('deadbeef')`
D) `ord('deadbeef')`
Answer: A
Explanation: `int()` with base 16 interprets the string as a hexadecimal number.
**Question 22.** When reading a large forensic image in chunks of 4 KB, which loop structure is most appropriate?
A) `for i in range(0, len(data), 4096):`
B) `while True:` with `read(4096)` and break on empty bytes
C) do … while (not available in Python)
D) `foreach chunk in image:` (syntax error)
Answer: B
Explanation: Using a `while True` loop with `read(4096)` allows processing until `read()` returns an empty bytes object, indicating EOF.
**Question 23.** Which of the following statements correctly creates a Python dictionary that maps file extensions to MIME types for JPEG and PNG?
A) `mime = {'jpg': 'image/jpeg', 'png': 'image/png'}`
B) `mime = [('jpg', 'image/jpeg'), ('png', 'image/png')]`
C) `mime = dict('jpg':'image/jpeg', 'png':'image/png')`

D) `>L`
Answer: A
Explanation: `<` sets little-endian; `Q` is an unsigned 8-byte integer.
**Question 27.** Which Python built-in function can be used to safely evaluate a string containing a Python literal (e.g., a list) without executing arbitrary code?
A) `eval()`
B) `exec()`
C) `ast.literal_eval()`
D) `compile()`
Answer: C
Explanation: `ast.literal_eval()` parses literals only, preventing code injection.
**Question 28.** In a forensic script, you need to ensure that a certain block of code runs only on Windows platforms. Which `sys` attribute provides this information?
A) `sys.platform == 'win32'`
B) `sys.os == 'Windows'`
C) `sys.version.startswith('Windows')`
D) `sys.environment == 'Windows'`
Answer: A
Explanation: `sys.platform` returns `'win32'` on Windows (both 32- and 64-bit).
**Question 29.** Which `re` flag makes the pattern case-insensitive?
A) `re.MULTILINE`
B) `re.DOTALL`
C) `re.IGNORECASE`
D) `re.VERBOSE`

Answer: C
Explanation: `re.IGNORECASE` (or `re.I`) causes matching to ignore case differences.
**Question 30.** When writing a forensic script that outputs findings to a CSV file, which newline handling is recommended on Windows to avoid blank lines?
A) `open('out.csv', 'w')`
B) `open('out.csv', 'w', newline='')`
C) `open('out.csv', 'wb')`
D) `open('out.csv', 'a')`
Answer: B
Explanation: Passing `newline=''` prevents the `csv` module from writing extra carriage returns on Windows.
**Question 31.** Which of the following is the correct way to import the `sqlite3` module and create a read-only connection to a forensic database file named `evidence.db`?
A) `sqlite3.connect('evidence.db', uri=True, mode='ro')`
B) `sqlite3.connect('file:evidence.db?mode=ro', uri=True)`
C) `sqlite3.open('evidence.db', readonly=True)`
D) `sqlite3.connect('evidence.db', readonly=True)`
Answer: B
Explanation: Using a URI with `mode=ro` and `uri=True` opens the database in read-only mode, preserving evidence integrity.
**Question 32.** Which Python statement correctly writes the string "Carved file saved" to standard error?
A) `print("Carved file saved", file=sys.stderr)`
B) `sys.stdout.write("Carved file saved")`

B) `with tempfile.NamedTemporaryFile() as tmp:`
C) `try: tmp = open(...); finally: os.remove(tmp.name)`
D) Both B and C
Answer: D
Explanation: Using a `with` block automatically closes and removes the temporary file; a try…finally with `os.remove` also guarantees cleanup.
**Question 36.** When using `re.search()` to locate a pattern in a large binary blob, which flag should be set to treat the data as a raw byte string?
A) `re.ASCII`
B) `re.UNICODE`
C) `re.BYTE` (does not exist)
D) Pass a bytes object to `re.search` without flags
Answer: D
Explanation: `re.search` works on bytes directly; no special flag is required. Using a bytes pattern on a bytes object searches raw binary.
**Question 37.** Which of the following statements about Python’s `enumerate()` function is TRUE in the context of forensic file processing?
A) It returns a list of (index, element) tuples.
B) It can be used to obtain both the offset and the byte value when iterating over a bytes object.
C) It modifies the original iterable.
D) It only works with lists, not with bytes.
Answer: B
Explanation: `enumerate()` yields a running index and the item, which is useful for tracking offsets while iterating over a bytes sequence.
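Questions 13, 22, 36 and 37 describe the pieces of a carving scan. As an added example (not the exam's or ControlF's own code), the script below reads a constructed image in 4096-byte chunks until `read()` returns `b''`, runs a bytes regex for the `FF D8 FF` SOI marker over each chunk plus a two-byte carry-over so a marker split across a chunk boundary is still reported at its absolute offset, and hashes the stream with `hashlib` in the same pass.

```python
"""Chunked scan of a disk image for JPEG SOI markers, hashing in the same pass (constructed data)."""
import hashlib
import io
import re

CHUNK = 4096                        # read size from Question 22
SOI = re.compile(rb"\xff\xd8\xff")  # JPEG start-of-image marker (Question 13), bytes pattern
OVERLAP = 2                         # len(marker) - 1: carry-over so a split marker is still found


def scan_image(fobj, chunk_size=CHUNK):
    """Return (list of absolute SOI offsets, SHA-256 hex digest of the whole stream)."""
    digest = hashlib.sha256()
    offsets = []
    tail = b""      # last OVERLAP bytes of the previous chunk
    position = 0    # absolute offset of tail[0] (or of the next chunk when tail is empty)
    while True:
        chunk = fobj.read(chunk_size)
        if not chunk:                 # read() returns b'' at EOF
            break
        digest.update(chunk)
        window = tail + chunk         # bytes pattern on bytes data: no re flag needed (Question 36)
        for m in SOI.finditer(window):
            offsets.append(position + m.start())
        tail = window[-OVERLAP:]
        position += len(window) - len(tail)
    return offsets, digest.hexdigest()


def scan_bytes(data, chunk_size=CHUNK):
    """Convenience wrapper: scan an in-memory image through a file-like object."""
    return scan_image(io.BytesIO(data), chunk_size)


def sha256_of(data):
    """Whole-buffer SHA-256, to compare against the streamed digest."""
    return hashlib.sha256(data).hexdigest()


# Constructed sample image: one marker at offset 100 and one at 4095, so the
# second marker straddles the boundary of the first 4096-byte chunk.
SAMPLE_IMAGE = (b"\x00" * 100 + b"\xff\xd8\xff\xe0" + b"\x00" * 3991
                + b"\xff\xd8\xff\xe1" + b"\x00" * 200)

if __name__ == "__main__":
    found, streamed = scan_bytes(SAMPLE_IMAGE)
    print("SOI offsets:", found)                                  # [100, 4095]
    print("streamed hash matches:", streamed == sha256_of(SAMPLE_IMAGE))  # True
```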

**Question 38.** Which `sqlite3` method should be used to execute a parameterized query that selects rows where `username` equals a variable `user`?
A) `cursor.execute("SELECT * FROM users WHERE username = '%s'" % user)`
B) `cursor.execute("SELECT * FROM users WHERE username = ?", (user,))`
C) `cursor.execute("SELECT * FROM users WHERE username = :user", {'user': user})`
D) Both B and C
Answer: D
Explanation: Both positional (`?`) and named (`:user`) placeholders provide safe parameter substitution, preventing SQL injection.
**Question 39.** Which of the following is the correct way to decode a bytes object `b'\xe2\x98\x83'` using UTF-8?
A) `b'\xe2\x98\x83'.decode('utf-8')`
B) `bytes.decode(b'\xe2\x98\x83', 'utf-8')`
C) `str(b'\xe2\x98\x83')`
D) `b'\xe2\x98\x83'.encode('utf-8')`
Answer: A
Explanation: The `decode` method converts a bytes object to a `str` using the specified encoding.
**Question 40.** In forensic carving, what does the term “slack space” refer to?
A) Unused space at the end of a file system partition.
B) The space between the end of a file’s logical data and the end of its allocated cluster.
C) The memory buffer used by Python’s `io` module.
D) The space reserved for future file system expansion.
Answer: B
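Questions 11, 18, 31 and 38 together describe how a forensic script should query an evidence database. The added example below (not the exam's or ControlF's own code; it builds a constructed temporary database) opens the file through a `file:` URI with `mode=ro`, binds the search value with a `?` placeholder so a hostile-looking string is treated as data, reads column names from `cursor.description`, and confirms that an INSERT on the read-only connection fails.

```python
"""Read-only, parameterized access to an evidence SQLite database (constructed data)."""
import os
import sqlite3
import tempfile
from pathlib import Path

SAMPLE_ROWS = [("alice", "meet at 9", 0), ("alice", "old draft", 1), ("bob", "ok", 0)]  # constructed

def make_sample_db():
    """Create a small messages table (sender, content, is_deleted) in a temp dir; return its path."""
    path = os.path.join(tempfile.mkdtemp(), "evidence.db")
    con = sqlite3.connect(path)
    with con:  # commits on success
        con.execute("CREATE TABLE messages (sender TEXT, content TEXT, is_deleted INTEGER)")
        con.executemany("INSERT INTO messages VALUES (?, ?, ?)", SAMPLE_ROWS)
    con.close()
    return path

def open_readonly(path):
    """Question 31: file: URI with mode=ro, so the evidence file cannot be modified."""
    con = sqlite3.connect(Path(path).resolve().as_uri() + "?mode=ro", uri=True)
    con.row_factory = sqlite3.Row  # Question 54: columns accessible by name
    return con

def undeleted_messages(path, sender):
    """Questions 18 and 38: content of non-deleted rows for one sender, value bound via ?.
    Returns (column names from cursor.description, list of content values)."""
    con = open_readonly(path)
    try:
        cur = con.execute("SELECT content FROM messages WHERE sender = ? AND is_deleted = 0", (sender,))
        columns = [d[0] for d in cur.description]  # Question 11: first tuple item is the column name
        return columns, [row["content"] for row in cur.fetchall()]
    finally:
        con.close()

def write_is_blocked(path):
    """True when an INSERT on the read-only connection raises, as it should."""
    con = open_readonly(path)
    try:
        con.execute("INSERT INTO messages VALUES ('x', 'y', 0)")
        return False
    except sqlite3.OperationalError:  # 'attempt to write a readonly database'
        return True
    finally:
        con.close()

if __name__ == "__main__":
    db = make_sample_db()
    print(undeleted_messages(db, "alice"))             # (['content'], ['meet at 9'])
    print(undeleted_messages(db, "alice' OR '1'='1"))  # (['content'], []): the bound value is data, not SQL
    print("write blocked:", write_is_blocked(db))      # True
```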

Answer: D
Explanation: `os.linesep` provides the native line separator, making the log portable across platforms.
**Question 44.** Which Python statement correctly creates a `bytearray` from a hex string `'deadbeef'`?
A) `bytearray.fromhex('deadbeef')`
B) `bytes.fromhex('deadbeef')`
C) `bytearray('deadbeef', 'utf-8')`
D) `b'\\xdead\\xbeef'`
Answer: A
Explanation: `bytearray.fromhex()` interprets pairs of hex digits and returns a mutable `bytearray`.
**Question 45.** Which of the following statements about the `hashlib` module is most relevant for verifying the integrity of a carved file?
A) It provides functions to compute MD5, SHA-1, SHA-256, etc. hashes.
B) It can encrypt files with AES.
C) It compresses data for storage.
D) It parses JSON data.
Answer: A
Explanation: `hashlib` computes cryptographic hashes, allowing you to compare a file’s hash against a known value for integrity verification.
**Question 46.** In a Python script, you need to pause execution for 2.5 seconds between processing batches of evidence. Which function achieves this?
A) `time.sleep(2.5)`
B) `os.wait(2.5)`

C) `threading.pause(2.5)`
D) `time.delay(2500)`
Answer: A
Explanation: `time.sleep()` suspends execution for the specified number of seconds (float values allowed).
**Question 47.** Which `csv` module parameter ensures that fields containing commas are properly quoted?
A) `quotechar='"'` (default)
B) `quoting=csv.QUOTE_NONE`
C) `quoting=csv.QUOTE_ALL`
D) Both A and C are valid ways to guarantee quoting.
Answer: D
Explanation: The default `quotechar='"'` with default quoting (`QUOTE_MINIMAL`) quotes only when needed; `QUOTE_ALL` forces quoting of every field. Both achieve correct handling of commas.
**Question 48.** Which Python function can be used to convert a list of integers `[72, 101, 108, 108, 111]` into a bytes object representing the ASCII string “Hello”?
A) `bytes([72,101,108,108,111])`
B) `bytearray([72,101,108,108,111])`
C) `b''.join([72,101,108,108,111])`
D) Both A and B
Answer: D
Explanation: Both `bytes()` and `bytearray()` accept an iterable of integers (0-255) and produce the corresponding byte sequence.

Explanation: Both `listdir` and `scandir` return the immediate contents of a directory; `scandir` provides iterator objects with more metadata.
**Question 52.** In a forensic script, you need to read a 64-bit little-endian integer from offset `0x10` of a binary file. Which code snippet accomplishes this?
A) `f.seek(0x10); data = f.read(8); value = struct.unpack('<Q', data)[0]`
B) `f.read(8, offset=0x10)`
C) `struct.unpack_from('<Q', f.read(8), 0x10)`
D) `value = int.from_bytes(f.read(8), 'little')`
Answer: A
Explanation: Seeking to the offset, reading 8 bytes, and unpacking with `<Q` yields the desired integer. Option D would also work after seeking, but A matches the explicit requirement.
**Question 53.** Which of the following `re` patterns will match a credit card number in the format 1234-5678-9012-3456?
A) `r'\b\d{4}-\d{4}-\d{4}-\d{4}\b'`
B) `r'\d{16}'`
C) `r'\b(?:\d{4}[- ]){3}\d{4}\b'`
D) Both A and C
Answer: D
Explanation: Both patterns correctly describe four groups of four digits separated by hyphens (or hyphen/space in C).
**Question 54.** Which `sqlite3` connection attribute can be set to enable row objects that behave like dictionaries (allowing column access by name)?
A) `connection.row_factory = sqlite3.Row`
B) `connection.dict_factory = sqlite3.Row`
C) `cursor.row_factory = sqlite3.Row`

D) `connection.row_factory = dict`
Answer: A
Explanation: Setting `row_factory` to `sqlite3.Row` makes each fetched row support mapping access via column names.
**Question 55.** When converting a Windows FILETIME value to a Python `datetime`, which constant represents the number of seconds between the Windows epoch (1601-01-01) and the Unix epoch (1970-01-01)?
A) 11644473600
B) 86400
C) 31556926
D) 0
Answer: A
Explanation: The offset is 11,644,473,600 seconds; subtracting it after converting FILETIME to seconds yields a Unix timestamp.
**Question 56.** Which of the following statements about Python’s `memoryview` object is TRUE for forensic processing of large files?
A) It creates a copy of the underlying data.
B) It provides a zero-copy slice view into a buffer, reducing memory usage.
C) It can only be used with bytes objects.
D) It automatically compresses the data.
Answer: B
Explanation: `memoryview` offers a view onto the original buffer without copying, which is valuable when handling large forensic images.
**Question 57.** Which `os` function can be used to atomically replace an existing report file with a new version, minimizing the risk of partial writes?
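Questions 5, 10, 52 and 55 cover little-endian offset reads and FILETIME conversion. The added example below (not the exam's or ControlF's own code) parses a constructed 24-byte record with `struct`, reads the 64-bit little-endian FILETIME at offset 0x10 with a short-read check, and converts it using the 11644473600-second epoch offset. Unlike the float formula in the Question 10 answer key, the `filetime_to_datetime` helper uses integer `timedelta` arithmetic and an explicit UTC timezone, so the result is timezone-aware and keeps microsecond precision; `filetime_to_unix` shows the exam's float form for comparison.

```python
"""Offset reads with struct and FILETIME-to-datetime conversion (constructed record)."""
import io
import struct
from datetime import datetime, timedelta, timezone

EPOCH_DIFF_SECONDS = 11644473600  # Question 55: seconds from 1601-01-01 to 1970-01-01
WINDOWS_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_datetime(ft):
    """FILETIME counts 100-ns intervals since 1601-01-01 UTC; integer timedelta
    arithmetic keeps microsecond precision and yields an aware UTC datetime."""
    return WINDOWS_EPOCH + timedelta(microseconds=ft // 10)

def filetime_to_unix(ft):
    """Question 10's formula: seconds since the Unix epoch, as a float."""
    return ft / 1e7 - EPOCH_DIFF_SECONDS

def read_u64_le(fobj, offset):
    """Question 52: seek to the offset, read 8 bytes, unpack with '<Q'."""
    fobj.seek(offset)
    data = fobj.read(8)
    if len(data) != 8:  # a truncated image must not be silently misparsed
        raise ValueError(f"short read at offset {offset:#x}: got {len(data)} bytes")
    return struct.unpack("<Q", data)[0]

def parse_record(fobj):
    """Constructed layout: u32 magic at 0x0, u32 flags at 0x4, FILETIME at 0x10."""
    fobj.seek(0)
    magic, flags = struct.unpack("<II", fobj.read(8))  # '<I' as in Question 5
    ft = read_u64_le(fobj, 0x10)
    return {"magic": magic, "flags": flags, "filetime": ft,
            "timestamp": filetime_to_datetime(ft)}

def parse_record_bytes(data):
    """Same parser over an in-memory buffer."""
    return parse_record(io.BytesIO(data))

# Constructed record whose FILETIME is 2009-02-13 23:31:30 UTC (Unix time 1234567890);
# the "8x" padding places the Q field at offset 0x10.
SAMPLE_FT = (1234567890 + EPOCH_DIFF_SECONDS) * 10_000_000
SAMPLE_RECORD = struct.pack("<II8xQ", 0x4D5A, 1, SAMPLE_FT)

if __name__ == "__main__":
    rec = parse_record_bytes(SAMPLE_RECORD)
    print(rec["timestamp"].isoformat())       # 2009-02-13T23:31:30+00:00
    print(filetime_to_unix(rec["filetime"]))  # 1234567890.0
```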