The MFA Certified Forensics Analyst Exam validates comprehensive digital forensics knowledge across multiple platforms. Topics include computer, mobile, and network forensics, evidence handling, legal considerations, and expert reporting. This certification is ideal for professionals conducting forensic investigations in law enforcement, corporate, or consulting environments.
Typology: Exams
Question 1. Which of the following best describes the “order of volatility” concept in digital forensics?
A) The sequence in which evidence is presented in court
B) The hierarchy of storage media based on ease of acquisition
C) The priority of acquiring data types from most to least volatile
D) The order in which hash values are calculated
Answer: C
Explanation: The order of volatility dictates that investigators collect the most volatile data (e.g., RAM, CPU registers) before less volatile data (e.g., hard disks) to preserve the freshest state of the system.

Question 2. The Best Evidence Rule primarily requires that:
A) All evidence be presented in its original, unaltered form
B) Evidence be authenticated by a qualified expert
C) Only digital evidence is admissible in federal courts
D) Evidence must be stored in a secure, climate‑controlled facility
Answer: A
Explanation: The Best Evidence Rule mandates that the original, unaltered evidence be submitted unless a valid reason exists for using a duplicate.

Question 3. Which hash algorithm is considered most resistant to collision attacks for forensic integrity verification?
A) MD5
B) SHA‑1
C) SHA‑256
Answer: C
Explanation: SHA‑256 provides a higher security level and is currently recommended for verifying forensic images, whereas MD5 and SHA‑1 are vulnerable to collisions.

Question 4. In a chain‑of‑custody log, the “custodian” field records:
A) The name of the hardware device storing the evidence
B) The forensic analyst who performed the imaging
C) The person who currently has physical or logical control of the evidence
D) The court case number associated with the evidence
Answer: C
Explanation: The custodian is the individual responsible for the evidence at each transfer point, ensuring accountability.

Question 5. When creating a forensic image of a live Windows system, which of the following must be avoided to preserve data integrity?
A) Using a write‑blocker on the source drive
B) Running the imaging tool with administrative privileges
C) Mounting the target storage as a network share
D) Enabling the “shadow copy” service during acquisition
Answer: D
Explanation: Enabling Volume Shadow Copy can alter the source file system, potentially modifying timestamps and data, which compromises integrity.
Answer: C
Explanation: Orphaned files have data clusters that are allocated but not linked to any active MFT entry, making them recoverable via forensic carving.

Question 9. Which NTFS feature allows a file to contain multiple streams of data, often used by malware to hide payloads?
A) Junction points
B) Alternate Data Streams (ADS)
C) Reparse points
D) Symbolic links
Answer: B
Explanation: ADS lets a file have additional named streams (e.g., “filename:secret”) that are invisible to standard file explorers.

Question 10. The primary purpose of the $BITMAP file in NTFS is to:
A) Store file names in a compressed format
B) Track which clusters on the volume are allocated or free
C) Record the last known location of deleted files
D) Maintain a log of all file system changes
Answer: B
Explanation: $BITMAP is a bitmap where each bit represents the allocation status of a cluster, essential for space management.
Question 11. Which Windows artifact provides evidence that a program was executed, even if the executable has been deleted?
A) $MFT record
B) Prefetch file (.pf)
C) $LogFile entry
D) USN Journal
Answer: B
Explanation: Prefetch files are created when an executable runs and retain metadata (e.g., timestamp, execution count) even after the program is removed.

Question 12. The Shimcache (also known as Application Compatibility Cache) stores:
A) A list of recently opened documents
B) Executable file paths and their last execution timestamps
C) Network connection histories for each process
D) Registry keys related to installed services
Answer: B
Explanation: Shimcache records executable paths and last run times, useful for correlating execution activity across reboots.

Question 13. Which registry hive contains information about USB device connections?
A) SYSTEM
B) SOFTWARE
C) SAM
D) NTUSER.DAT
A) pstree
B) netscan
C) filescan
D) hivelist
Answer: B
Explanation: The “netscan” plugin parses memory structures to reveal TCP/UDP sockets, listening ports, and associated processes.

Question 17. The presence of a “LSA Secrets” entry named “NL$KM” in a memory dump indicates:
A) An encrypted BitLocker recovery key
B) The stored NTLM hash of the local Administrator account
C) The Kerberos master key used for ticket decryption
D) A cached Wi‑Fi password
Answer: C
Explanation: “NL$KM” stores the Kerberos Master Key, which can be leveraged to decrypt Kerberos tickets found in memory.

Question 18. Which of the following is a common indicator of a rootkit residing in kernel mode?
A) Unusual entries in the prefetch folder
B) Modified System Service Descriptor Table (SSDT) addresses
C) Excessive entries in the UserAssist key
D) Presence of hidden files in the $RECYCLE.BIN
Answer: B
Explanation: Rootkits often hook the SSDT to intercept system calls, a hallmark of kernel‑mode malicious activity.

Question 19. When constructing a “super timeline,” the investigator must first:
A) Normalize all timestamps to UTC
B) Remove duplicate entries from the event sources
C) Convert all timestamps to the Windows FILETIME format
D) Generate MD5 hashes for each log file
Answer: A
Explanation: Normalizing timestamps (e.g., to UTC) ensures that events from multiple sources can be accurately correlated.

Question 20. Time‑zone skew in a forensic timeline can be corrected by:
A) Adding the system’s BIOS clock offset to all timestamps
B) Subtracting the UTC offset recorded in the registry’s “TimeZoneInformation” key
C) Multiplying each timestamp by the system’s clock frequency
D) Re‑hashing the event logs after adjustment
Answer: B
Explanation: The “TimeZoneInformation” key contains the bias (in minutes) required to convert local time to UTC, allowing proper alignment of events.

Question 21. Which Windows artifact can reveal the exact path a user navigated to a folder, even if the folder was never opened in Explorer?
A) ShellBags
Question 24. In memory forensics, the “malfind” plugin is primarily used to:
A) Locate hidden or injected code sections within processes
B) Enumerate loaded kernel modules
C) Extract stored passwords from LSASS.exe
D) Identify active network sockets
Answer: A
Explanation: “malfind” scans process memory for executable regions with suspicious characteristics, such as being writable and executable.

Question 25. Which of the following BEST describes a “resident” file in NTFS?
A) A file whose $DATA attribute is stored entirely within the MFT record
B) A file that is currently open by a process
C) A file that has been compressed using NTFS compression
D) A file that resides on a secondary partition
Answer: A
Explanation: Resident files keep their data within the MFT entry, eliminating the need for external clusters.

Question 26. The “Amcache.hve” hive is most useful for:
A) Determining which executables have been run on the system
B) Identifying installed drivers and their timestamps
C) Recovering deleted registry keys
D) Mapping network shares accessed by the user
Answer: B
Explanation: Amcache stores metadata about installed programs and drivers, including file hashes and install dates.

Question 27. Which Windows event ID corresponds to a successful logon (interactive) in the Security log?
A) 4624
B) 4625
C) 4663
D) 4776
Answer: A
Explanation: Event ID 4624 indicates a successful logon, while 4625 denotes a failed attempt.

Question 28. When analyzing a memory image for Kerberos tickets, the “klist” command is used to:
A) Display ticket caches in a live system, not in a memory dump
B) Extract ticket structures from a memory image via Volatility’s “kerberos” plugin
C) List all stored passwords in LSASS.exe
D) Enumerate active network connections
Answer: B
Explanation: Volatility’s “kerberos” (or “klist”) plugin parses memory to reveal Kerberos tickets, their lifetimes, and associated user accounts.

Question 29. The “$LogFile” in NTFS is primarily used for:
A) Storing user passwords
Explanation: Write blockers prevent any write operations to the original media, preserving its pristine state.

Question 32. Which Windows registry key stores the list of services configured to start automatically?
A) HKLM\SYSTEM\CurrentControlSet\Services
B) HKCU\Software\Microsoft\Windows\CurrentVersion\Run
C) HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
D) HKLM\SECURITY\Policy
Answer: A
Explanation: The Services key under CurrentControlSet contains subkeys for each service, including startup type information.

Question 33. The “$Recycle.Bin” folder on an NTFS volume is used to:
A) Store temporary system files created during boot
B) Hold files deleted by the user until they are permanently removed
C) Keep a log of all file system changes
D) Archive old system restore points
Answer: B
Explanation: When a user deletes a file, it is moved to $Recycle.Bin, preserving it until the user empties the recycle bin.

Question 34. Which of the following file system structures is most commonly used by forensic tools to recover deleted files on NTFS?
A) $MFT mirror
B) $LogFile
C) $Bitmap
D) $Secure
Answer: C
Explanation: $Bitmap indicates which clusters are free; forensic carving tools use this information to locate clusters that may contain deleted file data.

Question 35. In memory analysis, the “svcscan” plugin is used to:
A) Enumerate services and their status from memory
B) Locate hidden DLL injections
C) Extract SSL certificates from process memory
D) Identify open file handles
Answer: A
Explanation: “svcscan” parses kernel memory structures to list services, their start type, and associated binaries.

Question 36. Which Windows artifact can reveal the last time a user logged onto the system, even after the user profile has been deleted?
A) $MFT entry of the user’s profile folder
B) HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\LogonUI
C) The “LastLogon” attribute in the SAM database
D) The “System” event log (Event ID 6005)
Answer: C
B) The number of times the program has been run
C) The exact command‑line arguments used during each execution
D) The last execution timestamp
Answer: C
Explanation: Prefetch files store the executable path, run count, and last run time, but they do not retain command‑line arguments.

Question 40. The “shim” mechanism in Windows is primarily used to:
A) Provide compatibility fixes for older applications
B) Encrypt user data on the hard drive
C) Log all network connections in real time
D) Store DNS cache entries
Answer: A
Explanation: Shim (Application Compatibility) layers apply compatibility fixes, and the Shimcache records execution information related to these shims.

Question 41. Which of the following is the most common location for the Windows “Prefetch” files?
A) C:\Windows\Prefetch
B) C:\Windows\System32\Prefetch
C) C:\Users\%USERNAME%\AppData\Local\Prefetch
D) C:\ProgramData\Prefetch
Answer: A
Explanation: The default directory for prefetch files is C:\Windows\Prefetch.
Question 42. In the context of memory forensics, “orphaned processes” refer to:
A) Processes that have terminated but still have remnants in memory
B) Processes without a parent process (PPID = 0)
C) Processes that are hidden from the task manager but visible in memory dumps
D) Processes that have been started by the system account
Answer: B
Explanation: Orphaned processes have a parent process identifier of 0, indicating they were spawned directly by the kernel, often a sign of stealth techniques.

Question 43. Which of the following registry keys is most commonly examined to identify persistence via “Run” entries?
A) HKLM\Software\Microsoft\Windows\CurrentVersion\Run
B) HKCU\System\CurrentControlSet\Services
C) HKLM\System\CurrentControlSet\Control\Lsa
D) HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer
Answer: A
Explanation: The “Run” key under HKLM (and HKCU) lists programs that automatically execute at user logon.

Question 44. The forensic term “artifact” is best defined as:
A) Any physical evidence collected from a crime scene
B) A data object left behind by user or system activity that can be examined during an investigation
C) A hardware component that stores encrypted data
Question 47. Which of the following is NOT a standard hashing algorithm used for forensic verification?
A) MD5
B) SHA‑256
C) CRC
D) SHA‑3
Answer: C
Explanation: CRC32 is a checksum, not a cryptographic hash, and is not suitable for ensuring forensic integrity.

Question 48. The Windows “RecentDocs” registry key stores:
A) The list of recently accessed files per user
B) The list of recently installed applications
C) The list of recently connected USB devices
D) The list of recently opened network shares
Answer: A
Explanation: RecentDocs (under NTUSER.DAT) tracks the most recently opened files, aiding in user activity reconstruction.

Question 49. Which of the following best describes “dead‑run” malware?
A) Malware that executes only when a specific USB device is attached
B) Malware that remains dormant until triggered by a specific event or time
C) Malware that self‑destructs after a single execution
D) Malware that only operates in virtualized environments
Answer: B
Explanation: Dead‑run (or dormant) malware lies inactive until a predefined condition (e.g., a date) triggers execution.

Question 50. When examining a Windows memory dump, the “lsass” process is of particular interest because:
A) It stores the system’s DNS cache
B) It holds credential material such as password hashes and Kerberos tickets
C) It manages the Windows Update service
D) It logs all USB device insertions
Answer: B
Explanation: LSASS (Local Security Authority Subsystem Service) maintains authentication data, making it a prime target for credential extraction.

Question 51. The “$Secure” file in NTFS primarily stores:
A) Security descriptors for files and directories
B) Encrypted file contents
C) The master file table backup
D) The list of recently accessed files
Answer: A
Explanation: $Secure contains security descriptors (ACLs) that define permissions for objects on the volume.

Question 52. Which Windows command can be used to export the contents of a registry hive for offline analysis?