Exam prep focused on encryption concepts, password recovery, decryption workflows, forensic access methods, and protected evidence analysis techniques.
Typology: Exams
**Question 1. Which of the following file header signatures most reliably indicates a TrueCrypt volume?**
A) 0x4D5A
B) 0x504B
C) 0x
D) 0x425A
Answer: C
Explanation: TrueCrypt volumes begin with the ASCII string “TRUE” (hex 54 52 55 45), making 0x54525545 the characteristic header.

**Question 2. In forensic entropy analysis, a value above 7.5 bits per byte most likely suggests what?**
A) Plain text data
B) Compressed data only
C) Encrypted or highly compressed data
D) Low-resolution image data
Answer: C
Explanation: High entropy (>7.5 bits/byte) is typical of encrypted or strongly compressed data because the byte distribution approaches uniform randomness.

**Question 3. Which cryptographic concept describes the use of a single key for both encryption and decryption?**
A) Asymmetric encryption
B) Symmetric encryption
C) Hashing
D) Digital signing
Answer: B
Explanation: Symmetric encryption employs the same secret key for both encrypting and decrypting data.

**Question 4. SHA-256 produces a digest of what length?**
A) 128 bits
B) 160 bits
C) 224 bits
D) 256 bits
Answer: D
Explanation: As the name implies, SHA-256 outputs a 256-bit (32-byte) hash value.

**Question 5. Which of the following is a purpose of salting a password before hashing?**
A) Increase the hash length
B) Prevent identical passwords from producing identical hashes
C) Convert the password to a symmetric key
D) Enable reversible encryption
Answer: B
Explanation: Adding a unique salt makes each hash unique even if two users have the same password, thwarting rainbow-table attacks.

**Question 6. PBKDF2 primarily improves password cracking resistance by:**
A) Using asymmetric key pairs
B) Applying multiple hash iterations
C) Compressing the password string
D) Storing passwords in plain text
Answer: B
Explanation: PBKDF2 stretches passwords by repeatedly hashing them, increasing computational cost for attackers.

**Question 7. When configuring AccessData PRTK, which file type must be imported first to create a new attack profile?**
A) .prtkproj

B) p@ssw0rd
C) Password!
D) passw0rd#
Answer: B
Explanation: LeetSpeak replaces letters with similar-looking symbols; “a” → “@”, “o” → “0”, yielding “p@ssw0rd”.

**Question 11. Which of the following permutations adds a four-digit year suffix to each dictionary entry?**
A) Uppercase rule
B) Prefix rule
C) Suffix rule
D) Reversal rule
Answer: C
Explanation: A suffix rule appends characters (e.g., a year) after the base word.

**Question 12. In AccessData DNA, a “Worker” node is responsible for:**
A) Storing recovered passwords permanently
B) Executing a portion of the key-space attack and reporting progress
C) Generating dictionary files for PRTK
D) Encrypting forensic images before analysis
Answer: B
Explanation: DNA Workers perform distributed cracking tasks and send status updates to the DNA Manager.

**Question 13. Which file format is most efficiently processed by DNA rather than PRTK due to its large key-space requirement?**
A) Encrypted PDF with 40-bit RC
B) BitLocker-encrypted full-disk image (AES-256)
C) ZIP archive protected with a 6-character password
D) Office document encrypted with SHA-1 hash
Answer: B
Explanation: BitLocker uses a 256-bit AES key; DNA’s parallel processing is needed for such massive key spaces.

**Question 14. When configuring DNA Manager, what is the purpose of the “Task Priority” setting?**
A) To dictate the order in which workers receive key-space chunks
B) To encrypt the results before storage
C) To limit the number of concurrent workers
D) To select which hash algorithm to use
Answer: A
Explanation: Task priority determines which jobs are assigned first to available workers, optimizing resource allocation.

**Question 15. Which of the following FTK filters isolates files that are likely encrypted?**
A) “File Size > 1 GB”
B) “File Extension = .exe”
C) “Encryption = True”
D) “Modified Date > 01-01-2020”
Answer: C
Explanation: FTK’s “Encryption” filter flags items recognized as encrypted by internal heuristics.

**Question 16. To export encrypted files from FTK to PRTK, which FTK feature is used?**
A) Case Export Wizard
B) File Viewer → Save As

B) Include the password, attack method, and tool version in the case notes
C) Delete all logs to protect the investigator’s workflow
D) Mark the file as “unverified” to avoid legal challenges
Answer: B
Explanation: Documentation of the password, methodology, and tool version ensures reproducibility and evidentiary integrity.

**Question 20. A known-plaintext attack is most effective against which type of encryption?**
A) One-time pad with truly random keys
B) Stream ciphers that reuse keystreams
C) RSA with proper padding
D) AES-GCM with unique IVs
Answer: B
Explanation: Reused keystreams in stream ciphers allow attackers to XOR known plaintext with ciphertext to recover the keystream.

**Question 21. Rainbow tables are pre-computed for which cryptographic operation?**
A) Symmetric key generation
B) Hash inversion (finding inputs for a given hash)
C) Asymmetric key pair creation
D) Digital signature verification
Answer: B
Explanation: Rainbow tables map hash outputs back to possible inputs, speeding up password cracking for unsalted hashes.

**Question 22. Which of the following mobile backup encryption schemes uses a user-derived key that is PBKDF2-stretched with 10,000 iterations?**
A) iOS iTunes backup (unencrypted)
B) Android “Full-Disk Encryption” (FDE) default
C) iOS encrypted backup (iTunes)
D) Samsung Knox container
Answer: C
Explanation: iTunes encrypted backups derive a key from the user’s password using PBKDF2 with 10,000 iterations.

**Question 23. When attempting to decrypt a Dropbox Vault file, which initial step is recommended?**
A) Extract the RSA private key from the local client config
B) Capture the network traffic during a sync operation
C) Locate the vault’s master key stored in the user’s profile SQLite DB
D) Brute-force the 8-character password directly on the file
Answer: C
Explanation: Dropbox Vault stores a master key in a local SQLite database; retrieving it is the first step before attempting password cracking.

**Question 24. Which hash algorithm is considered broken for integrity verification and should not be used in forensic hash sets?**
A) SHA-256
B) SHA-1
C) SHA-384
D) SHA-3
Answer: B
Explanation: SHA-1 has known collision vulnerabilities and is deprecated for forensic integrity purposes.

**Question 25. In the context of AccessData DNA, “key-space segmentation” refers to:**
A) Dividing the password list into alphabetical groups

C) Reverse, then add “123”
D) Prefix “!$#”, suffix “123”
Answer: A
Explanation: The rule that capitalizes the first character and appends “123!” yields “Admin123!”.

**Question 29. In forensic practice, why is it important to preserve the original encrypted file’s hash before attempting decryption?**
A) To speed up the cracking process
B) To verify that the file has not been altered during analysis
C) To generate the decryption key automatically
D) To embed the hash into the final report
Answer: B
Explanation: Recording the hash ensures the evidence’s integrity remains provable throughout the decryption attempt.

**Question 30. Which of the following describes the primary advantage of using a distributed network like DNA over a single workstation for password recovery?**
A) Ability to use proprietary Windows-only tools
B) Reduction of memory usage on each node
C) Linear scaling of key-space coverage with added workers
D) Automatic generation of password hints
Answer: C
Explanation: Adding more workers expands the searchable key-space proportionally, accelerating brute-force attacks.

**Question 31. When analyzing an encrypted PDF, which property in the PDF header indicates the encryption filter used?**
A) /EncryptDictionary
B) /Length
C) /Filter /Standard
D) /ID
Answer: C
Explanation: The /Filter entry set to /Standard specifies that the PDF uses the standard security handler (RC4 or AES).

**Question 32. Which of the following is NOT a typical component of a PRTK attack profile?**
A) Dictionary source
B) Rule set
C) GPU acceleration flag
D) Network port number
Answer: D
Explanation: Attack profiles define dictionaries, rules, and hardware options; they do not include network ports.

**Question 33. In the context of forensic decryption, “key stretching” primarily aims to:**
A) Reduce the size of the key file
B) Increase the time required to test each password guess
C) Convert a symmetric key into an asymmetric pair
D) Enable reversible encryption of evidence files
Answer: B
Explanation: Key stretching applies many hash iterations to make each password trial computationally expensive.

**Question 34. Which of the following best describes a “salt” in cryptographic hashing?**
A) A secret key used for encryption
B) Random data concatenated to the password before hashing
C) The final hash output truncated to 128 bits

D) The amount of RAM currently free on the worker
Answer: B
Explanation: Worker Health reflects successful task completion rates, helping administrators identify underperforming nodes.

**Question 38. Which file type is most likely to contain an embedded BitLocker recovery key in its metadata?**
A) .evtx (Windows Event Log)
B) .xml export from the BitLocker Management console
C) .bcd (Boot Configuration Data)
D) .vhdx (Virtual Hard Disk)
Answer: B
Explanation: Exported BitLocker reports often embed the recovery key in XML format for administrative purposes.

**Question 39. Which of the following is a recommended method for verifying that a recovered password actually decrypts the target file?**
A) Compare the password length to the key size
B) Re-run the decryption and check for a known file header (e.g., “%PDF”)
C) Ensure the password contains at least one special character
D) Hash the password and compare to the file’s stored hash
Answer: B
Explanation: Successful decryption should reproduce recognizable file signatures, confirming the password’s validity.

**Question 40. In the context of cloud-based encrypted storage, which protocol is commonly used to negotiate encryption keys for client-side encryption?**
A) SMB
B) TLS 1.
C) OAuth 2.
Answer: B
Explanation: TLS 1.3 provides forward secrecy and is used by many cloud services to exchange client-side encryption keys securely.

**Question 41. Which of the following is a characteristic of a “compressed but not encrypted” file that can be distinguished via entropy testing?**
A) Entropy consistently above 7.8 bits/byte
B) Entropy peaks at the beginning and drops later
C) Entropy slightly lower than fully encrypted data, often around 7.0-7.5 bits/byte
D) Entropy exactly 8.0 bits/byte
Answer: C
Explanation: Compression reduces randomness slightly, yielding entropy values modestly lower than the near-uniform distribution of encrypted data.

**Question 42. Which PRTK feature allows an examiner to pause and resume a long-running attack without losing progress?**
A) Auto-Save Project
B) Checkpoint File
C) Real-Time Sync
D) Incremental Dictionary Loader
Answer: B
Explanation: Checkpoint files store the current state of an attack, enabling pause/resume functionality.

**Question 43. In forensic analysis, the term “ciphertext-only attack” (COA) refers to:**
A) Having access to both plaintext and ciphertext
B) Knowing the encryption algorithm and having only the ciphertext
C) Possessing the private key but not the public key

D) %UserProfile%\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates
Answer: D
Explanation: EFS certificates are stored in the user’s certificate store, typically under the SystemCertificates\My\Certificates directory.

**Question 47. In a distributed cracking scenario, what is the effect of “task stealing” among DNA workers?**
A) Workers randomly delete each other’s results
B) Idle workers request uncompleted key-space chunks from busy workers, improving overall throughput
C) Workers exchange encryption keys to speed up decryption
D) The manager node reassigns tasks based on CPU temperature
Answer: B
Explanation: Task stealing allows idle nodes to take over pending work, balancing load and reducing total time.

**Question 48. Which of the following is a valid reason to prefer a “brute-force” attack over a dictionary attack in a forensic case?**
A) The suspect is known to use only common words
B) The password policy enforces a minimum length of 12 characters with random characters
C) The encrypted file uses a known weak hash
D) The case budget limits computational resources
Answer: B
Explanation: When password policies force long, random strings, dictionary attacks are unlikely to succeed, making brute-force necessary.

**Question 49. Which of these is NOT a typical component of a “key-stretching” algorithm?**
A) Salt incorporation
B) Multiple hash iterations
C) Asymmetric key pair generation
D) Memory-hard functions (e.g., scrypt)
Answer: C
Explanation: Key-stretching focuses on making password hashing slower; it does not involve generating asymmetric key pairs.

**Question 50. In the context of iOS backups, the file “Manifest.db” primarily stores:**
A) Encrypted file contents
B) Metadata linking file IDs to original filenames
C) The user’s password hash
D) The device’s UDID
Answer: B
Explanation: Manifest.db is a SQLite database mapping encrypted blobs to original file paths and metadata.

**Question 51. Which of the following best describes the purpose of the “Advanced” attack level in PRTK?**
A) To limit the attack to a single CPU core
B) To combine dictionary words with rule-based permutations and brute-force extensions
C) To automatically export results to FTK without user interaction
D) To disable any logging for stealth operation
Answer: B
Explanation: Advanced mode expands the candidate space by applying rules and supplemental brute-force, increasing coverage.

**Question 52. When analyzing a BitLocker-encrypted volume, which piece of information is essential for a successful password-based attack?**
A) The volume’s GUID
B) The TPM-sealed key blob (if present)

C) 0x4C4F434B
D) 0x4C4F474F
Answer: B
Explanation: AFV volumes start with the ASCII string “FLAX” (hex 46 4C 41 58), identifying the encrypted container.

**Question 56. Which of the following is a primary difference between PBKDF2 and scrypt?**
A) PBKDF2 uses asymmetric encryption, scrypt does not
B) scrypt is designed to be memory-hard, making GPU attacks less efficient
C) PBKDF2 produces a 1024-bit output, scrypt produces 256-bit output
D) scrypt only works with SHA-256, PBKDF2 works with any hash
Answer: B
Explanation: scrypt deliberately consumes large amounts of RAM to hinder parallel GPU cracking, unlike PBKDF2.

**Question 57. In FTK, which view allows an examiner to see the raw byte content of an encrypted file for entropy analysis?**
A) Timeline View
B) Hex Viewer
C) Image Viewer
D) Text Viewer
Answer: B
Explanation: The Hex Viewer displays raw bytes, enabling entropy calculations and header inspection.

**Question 58. When creating a custom wordlist for PRTK, which file format is required?**
A) .xlsx
B) .docx
C) .txt (UTF-8)
D) .csv with two columns
Answer: C
Explanation: PRTK expects plain-text wordlists, typically one candidate per line in UTF-8 encoded .txt files.

**Question 59. Which of the following attacks would be most effective against a PDF encrypted with a 40-bit RC4 key?**
A) Rainbow table lookup
B) Known-plaintext attack using the PDF header
C) Full key-space brute-force (2^40)
D) Side-channel timing attack
Answer: C
Explanation: A 40-bit key space (≈1 trillion keys) is small enough for modern GPUs to brute-force feasibly.

**Question 60. Which registry hive contains the “BootKey” needed to decrypt the SAM file on Windows?**
A) SYSTEM
B) SOFTWARE
C) SECURITY
D) NTUSER.DAT
Answer: A
Explanation: The SYSTEM hive stores the BootKey, which is combined with other values to derive the SAM decryption key.

**Question 61. In forensic practice, why is it advisable to use a “read-only” mount when investigating encrypted volumes?**
A) It speeds up hash calculations
B) It prevents accidental modification of the evidence file