MFA Certified Forensics Analyst Exam, Exams of Technology

The MFA Certified Forensics Analyst Exam validates comprehensive digital forensics knowledge across multiple platforms. Topics include computer, mobile, and network forensics, evidence handling, legal considerations, and expert reporting. This certification is ideal for professionals conducting forensic investigations in law enforcement, corporate, or consulting environments.

Typology: Exams

2025/2026

Available from 01/24/2026

shilpi-jain-2

MFA Certified Forensics Analyst Exam
**Question 1.** Which of the following best describes the “order of volatility” concept in digital
forensics?
A) The sequence in which evidence is presented in court
B) The hierarchy of storage media based on ease of acquisition
C) The priority of acquiring data types from most to least volatile
D) The order in which hash values are calculated
**Answer:** C
**Explanation:** The order of volatility dictates that investigators collect the most volatile data
(e.g., RAM, CPU registers) before less volatile data (e.g., hard disks) to preserve the freshest
state of the system.
**Question 2.** The Best Evidence Rule primarily requires that:
A) All evidence be presented in its original, unaltered form
B) Evidence be authenticated by a qualified expert
C) Only digital evidence is admissible in federal courts
D) Evidence must be stored in a secure, climate-controlled facility
**Answer:** A
**Explanation:** The Best Evidence Rule mandates that the original, unaltered evidence be
submitted unless a valid reason exists for using a duplicate.
**Question 3.** Which hash algorithm is considered most resistant to collision attacks for
forensic integrity verification?
A) MD5
B) SHA-1
C) SHA-256
D) CRC
**Answer:** C
**Explanation:** SHA-256 provides a higher security level and is currently recommended for verifying forensic images, whereas MD5 and SHA-1 are vulnerable to collisions.
**Question 4.** In a chain-of-custody log, the “custodian” field records:
A) The name of the hardware device storing the evidence
B) The forensic analyst who performed the imaging
C) The person who currently has physical or logical control of the evidence
D) The court case number associated with the evidence
**Answer:** C
**Explanation:** The custodian is the individual responsible for the evidence at each transfer point, ensuring accountability.
**Question 5.** When creating a forensic image of a live Windows system, which of the following must be avoided to preserve data integrity?
A) Using a write-blocker on the source drive
B) Running the imaging tool with administrative privileges
C) Mounting the target storage as a network share
D) Enabling the “shadow copy” service during acquisition
**Answer:** D
**Explanation:** Enabling Volume Shadow Copy can alter the source file system, potentially modifying timestamps and data, which compromises integrity.

**Answer:** C
**Explanation:** Orphaned files have data clusters that are allocated but not linked to any active MFT entry, making them recoverable via forensic carving.
**Question 9.** Which NTFS feature allows a file to contain multiple streams of data, often used by malware to hide payloads?
A) Junction points
B) Alternate Data Streams (ADS)
C) Reparse points
D) Symbolic links
**Answer:** B
**Explanation:** ADS lets a file have additional named streams (e.g., “filename:secret”) that are invisible to standard file explorers.
**Question 10.** The primary purpose of the $BITMAP file in NTFS is to:
A) Store file names in a compressed format
B) Track which clusters on the volume are allocated or free
C) Record the last known location of deleted files
D) Maintain a log of all file system changes
**Answer:** B
**Explanation:** $BITMAP is a bitmap where each bit represents the allocation status of a cluster, essential for space management.

**Question 11.** Which Windows artifact provides evidence that a program was executed, even if the executable has been deleted?
A) $MFT record
B) Prefetch file (.pf)
C) $LogFile entry
D) USN Journal
**Answer:** B
**Explanation:** Prefetch files are created when an executable runs and retain metadata (e.g., timestamp, execution count) even after the program is removed.
**Question 12.** The Shimcache (also known as Application Compatibility Cache) stores:
A) A list of recently opened documents
B) Executable file paths and their last execution timestamps
C) Network connection histories for each process
D) Registry keys related to installed services
**Answer:** B
**Explanation:** Shimcache records executable paths and last run times, useful for correlating execution activity across reboots.
**Question 13.** Which registry hive contains information about USB device connections?
A) SYSTEM
B) SOFTWARE
C) SAM
D) NTUSER.DAT

A) pstree
B) netscan
C) filescan
D) hivelist
**Answer:** B
**Explanation:** The “netscan” plugin parses memory structures to reveal TCP/UDP sockets, listening ports, and associated processes.
**Question 17.** The presence of a “LSA Secrets” entry named “NL$KM” in a memory dump indicates:
A) An encrypted BitLocker recovery key
B) The stored NTLM hash of the local Administrator account
C) The Kerberos master key used for ticket decryption
D) A cached Wi-Fi password
**Answer:** C
**Explanation:** “NL$KM” stores the Kerberos Master Key, which can be leveraged to decrypt Kerberos tickets found in memory.
**Question 18.** Which of the following is a common indicator of a rootkit residing in kernel mode?
A) Unusual entries in the prefetch folder
B) Modified System Service Descriptor Table (SSDT) addresses
C) Excessive entries in the UserAssist key
D) Presence of hidden files in the $RECYCLE.BIN

**Answer:** B
**Explanation:** Rootkits often hook the SSDT to intercept system calls, a hallmark of kernel-mode malicious activity.
**Question 19.** When constructing a “super timeline,” the investigator must first:
A) Normalize all timestamps to UTC
B) Remove duplicate entries from the event sources
C) Convert all timestamps to the Windows FILETIME format
D) Generate MD5 hashes for each log file
**Answer:** A
**Explanation:** Normalizing timestamps (e.g., to UTC) ensures that events from multiple sources can be accurately correlated.
**Question 20.** Time-zone skew in a forensic timeline can be corrected by:
A) Adding the system’s BIOS clock offset to all timestamps
B) Subtracting the UTC offset recorded in the registry’s “TimeZoneInformation” key
C) Multiplying each timestamp by the system’s clock frequency
D) Re-hashing the event logs after adjustment
**Answer:** B
**Explanation:** The “TimeZoneInformation” key contains the bias (in minutes) required to convert local time to UTC, allowing proper alignment of events.
**Question 21.** Which Windows artifact can reveal the exact path a user navigated to a folder, even if the folder was never opened in Explorer?
A) ShellBags

**Question 24.** In memory forensics, the “malfind” plugin is primarily used to:
A) Locate hidden or injected code sections within processes
B) Enumerate loaded kernel modules
C) Extract stored passwords from LSASS.exe
D) Identify active network sockets
**Answer:** A
**Explanation:** “malfind” scans process memory for executable regions with suspicious characteristics, such as being writable and executable.
**Question 25.** Which of the following BEST describes a “resident” file in NTFS?
A) A file whose $DATA attribute is stored entirely within the MFT record
B) A file that is currently open by a process
C) A file that has been compressed using NTFS compression
D) A file that resides on a secondary partition
**Answer:** A
**Explanation:** Resident files keep their data within the MFT entry, eliminating the need for external clusters.
**Question 26.** The “Amcache.hve” hive is most useful for:
A) Determining which executables have been run on the system
B) Identifying installed drivers and their timestamps
C) Recovering deleted registry keys
D) Mapping network shares accessed by the user
**Answer:** B

**Explanation:** Amcache stores metadata about installed programs and drivers, including file hashes and install dates.
**Question 27.** Which Windows event ID corresponds to a successful logon (interactive) in the Security log?
A) 4624
B) 4625
C) 4663
D) 4776
**Answer:** A
**Explanation:** Event ID 4624 indicates a successful logon, while 4625 denotes a failed attempt.
**Question 28.** When analyzing a memory image for Kerberos tickets, the “klist” command is used to:
A) Display ticket caches in a live system, not in a memory dump
B) Extract ticket structures from a memory image via Volatility’s “kerberos” plugin
C) List all stored passwords in LSASS.exe
D) Enumerate active network connections
**Answer:** B
**Explanation:** Volatility’s “kerberos” (or “klist”) plugin parses memory to reveal Kerberos tickets, their lifetimes, and associated user accounts.
**Question 29.** The “$LogFile” in NTFS is primarily used for:
A) Storing user passwords

**Explanation:** Write blockers prevent any write operations to the original media, preserving its pristine state.
**Question 32.** Which Windows registry key stores the list of services configured to start automatically?
A) HKLM\SYSTEM\CurrentControlSet\Services
B) HKCU\Software\Microsoft\Windows\CurrentVersion\Run
C) HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
D) HKLM\SECURITY\Policy
**Answer:** A
**Explanation:** The Services key under CurrentControlSet contains subkeys for each service, including startup type information.
**Question 33.** The “$Recycle.Bin” folder on an NTFS volume is used to:
A) Store temporary system files created during boot
B) Hold files deleted by the user until they are permanently removed
C) Keep a log of all file system changes
D) Archive old system restore points
**Answer:** B
**Explanation:** When a user deletes a file, it is moved to $Recycle.Bin, preserving it until the user empties the recycle bin.
**Question 34.** Which of the following file system structures is most commonly used by forensic tools to recover deleted files on NTFS?
A) $MFT mirror

B) $LogFile
C) $Bitmap
D) $Secure
**Answer:** C
**Explanation:** $Bitmap indicates which clusters are free; forensic carving tools use this information to locate clusters that may contain deleted file data.
**Question 35.** In memory analysis, the “svcscan” plugin is used to:
A) Enumerate services and their status from memory
B) Locate hidden DLL injections
C) Extract SSL certificates from process memory
D) Identify open file handles
**Answer:** A
**Explanation:** “svcscan” parses kernel memory structures to list services, their start type, and associated binaries.
**Question 36.** Which Windows artifact can reveal the last time a user logged onto the system, even after the user profile has been deleted?
A) $MFT entry of the user’s profile folder
B) HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\LogonUI
C) The “LastLogon” attribute in the SAM database
D) The “System” event log (Event ID 6005)
**Answer:** C

B) The number of times the program has been run
C) The exact command-line arguments used during each execution
D) The last execution timestamp
**Answer:** C
**Explanation:** Prefetch files store the executable path, run count, and last run time, but they do not retain command-line arguments.
**Question 40.** The “shim” mechanism in Windows is primarily used to:
A) Provide compatibility fixes for older applications
B) Encrypt user data on the hard drive
C) Log all network connections in real time
D) Store DNS cache entries
**Answer:** A
**Explanation:** Shim (Application Compatibility) layers apply compatibility fixes, and the Shimcache records execution information related to these shims.
**Question 41.** Which of the following is the most common location for the Windows “Prefetch” files?
A) C:\Windows\Prefetch
B) C:\Windows\System32\Prefetch
C) C:\Users\%USERNAME%\AppData\Local\Prefetch
D) C:\ProgramData\Prefetch
**Answer:** A
**Explanation:** The default directory for prefetch files is C:\Windows\Prefetch.

**Question 42.** In the context of memory forensics, “orphaned processes” refer to:
A) Processes that have terminated but still have remnants in memory
B) Processes without a parent process (PPID = 0)
C) Processes that are hidden from the task manager but visible in memory dumps
D) Processes that have been started by the system account
**Answer:** B
**Explanation:** Orphaned processes have a parent process identifier of 0, indicating they were spawned directly by the kernel, often a sign of stealth techniques.
**Question 43.** Which of the following registry keys is most commonly examined to identify persistence via “Run” entries?
A) HKLM\Software\Microsoft\Windows\CurrentVersion\Run
B) HKCU\System\CurrentControlSet\Services
C) HKLM\System\CurrentControlSet\Control\Lsa
D) HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer
**Answer:** A
**Explanation:** The “Run” key under HKLM (and HKCU) lists programs that automatically execute at user logon.
**Question 44.** The forensic term “artifact” is best defined as:
A) Any physical evidence collected from a crime scene
B) A data object left behind by user or system activity that can be examined during an investigation
C) A hardware component that stores encrypted data

**Question 47.** Which of the following is NOT a standard hashing algorithm used for forensic verification?
A) MD5
B) SHA-256
C) CRC
D) SHA-3
**Answer:** C
**Explanation:** CRC32 is a checksum, not a cryptographic hash, and is not suitable for ensuring forensic integrity.
**Question 48.** The Windows “RecentDocs” registry key stores:
A) The list of recently accessed files per user
B) The list of recently installed applications
C) The list of recently connected USB devices
D) The list of recently opened network shares
**Answer:** A
**Explanation:** RecentDocs (under NTUSER.DAT) tracks the most recently opened files, aiding in user activity reconstruction.
**Question 49.** Which of the following best describes “dead-run” malware?
A) Malware that executes only when a specific USB device is attached
B) Malware that remains dormant until triggered by a specific event or time
C) Malware that self-destructs after a single execution
D) Malware that only operates in virtualized environments

**Answer:** B
**Explanation:** Dead-run (or dormant) malware lies inactive until a predefined condition (e.g., a date) triggers execution.
**Question 50.** When examining a Windows memory dump, the “lsass” process is of particular interest because:
A) It stores the system’s DNS cache
B) It holds credential material such as password hashes and Kerberos tickets
C) It manages the Windows Update service
D) It logs all USB device insertions
**Answer:** B
**Explanation:** LSASS (Local Security Authority Subsystem Service) maintains authentication data, making it a prime target for credential extraction.
**Question 51.** The “$Secure” file in NTFS primarily stores:
A) Security descriptors for files and directories
B) Encrypted file contents
C) The master file table backup
D) The list of recently accessed files
**Answer:** A
**Explanation:** $Secure contains security descriptors (ACLs) that define permissions for objects on the volume.
**Question 52.** Which Windows command can be used to export the contents of a registry hive for offline analysis?