Quiz: Digital Forensics for Defenders
Twenty-six self-check questions: multiple choice, true/false-with-justification, and short answer. Several are tagged with the certification domain they map to — [Sec+] for CompTIA Security+ and [CISSP] for (ISC)² CISSP. Answer before opening the key. For true/false items, a correct justification matters more than the verdict.
Multiple Choice
1. [Sec+] You arrive at a live, compromised workstation that is not actively destroying data. Per the order of volatility, which should you collect first?
- A. A bit-for-bit image of the hard disk
- B. The contents of RAM (running processes, network connections)
- C. The Windows registry hives
- D. The backup tapes for that machine
2. [Sec+] The primary purpose of a write blocker during acquisition is to:
- A. Speed up the imaging process
- B. Compress the image to save storage
- C. Permit reads of the evidence drive while blocking all writes to it
- D. Encrypt the resulting image
3. [CISSP] A forensic disk image differs from copying the suspicious files because the image:
- A. Is smaller and easier to store
- B. Captures the entire device bit-for-bit, including deleted files and slack/unallocated space
- C. Automatically removes malware during copying
- D. Only includes files modified in the last 30 days
4. [Sec+] You hash the source drive and the image and the two SHA-256 values match. This proves:
- A. The drive contains no malware
- B. The image is a perfect, unaltered copy of the source
- C. The chain of custody is complete
- D. The attacker did not use anti-forensics
5. [CISSP] The documented, unbroken record of everyone who handled a piece of evidence, when, and why is the:
- A. Order of volatility
- B. Legal hold
- C. Chain of custody
- D. Root-cause analysis
6. [Sec+] Which Windows artifact is the strongest evidence that a specific executable actually ran (not merely that it existed on disk)?
- A. A registry Run key
- B. The $MFT entry for the file
- C. A Prefetch (.pf) file
- D. The file's NTFS permissions
7. [Sec+] Windows Event ID 1102 in the Security log most directly indicates:
- A. A successful logon
- B. A new service was installed
- C. The audit (Security) log was cleared
- D. A failed password attempt
8. [CISSP] On an NTFS volume, the index of every file and directory — including timestamps and often entries for deleted files — is the:
- A. Registry
- B. $MFT (Master File Table)
- C. Prefetch cache
- D. Page file
9. The single most reliable architectural defense against an attacker who clears local logs is:
- A. Using a longer, more complex administrator password
- B. Forwarding logs off-host to append-only, tamper-resistant storage before an incident
- C. Disabling the Security log so it cannot be cleared
- D. Running antivirus more frequently
10. [Sec+] Altering a file's timestamps to disguise when it was created or modified is called:
- A. Steganography
- B. Timestomping
- C. Sinkholing
- D. Tokenization
11. When merging events from multiple sources into one timeline, the two most important normalization steps are:
- A. Sorting alphabetically and removing duplicates
- B. Converting all timestamps to a common time zone (UTC) and accounting for clock skew
- C. Compressing the logs and encrypting them
- D. Translating all events into the same human language
12. [CISSP] A directive to preserve all potentially relevant data once litigation is anticipated — after which deleting that data (even routine log rotation) can constitute spoliation — is a:
- A. Chain of custody
- B. Legal hold
- C. Containment order
- D. Risk acceptance
13. [Sec+] Indicator scoping (pivoting on indicators across the environment) primarily answers which question?
- A. Is the evidence admissible in court?
- B. How far did the compromise actually spread?
- C. Which hashing algorithm should we use?
- D. What is the residual risk after the fix?
14. Why is pulling the power on a live, un-captured system usually the wrong default action?
- A. It corrupts the hard disk beyond recovery
- B. It destroys all volatile evidence (RAM, network connections, injected code) that lives only in memory
- C. It violates the chain of custody automatically
- D. It alerts the attacker that they have been detected
15. [CISSP] The determination of the underlying failure that made an incident possible — whose fix prevents recurrence of the whole class of incident — is:
- A. Indicator scoping
- B. Containment
- C. Root-cause analysis
- D. Timeline analysis
True / False — justify your answer
16. [Sec+] MD5 is cryptographically broken, so it has no legitimate use in forensics.
17. Because the attacker cleared the local Windows Security log, no activity that occurred before the clearing can ever be reconstructed.
18. [CISSP] You should perform your analysis directly on the original evidence drive to be sure you are looking at the real data.
19. Containment (Chapter 24) and forensic preservation always point to the same action.
20. A vulnerability scanner reporting that a file exists on disk is equivalent to proving that the file was executed.
Short Answer
21. [Sec+] State the order of volatility for the first four categories of evidence (most to least volatile), and name the one acquisition mistake the ordering most exists to prevent.
22. A backup service account logs on over the network at 02:14, a service is installed pointing at an executable in C:\Windows\Temp at 02:15, and the Security log is cleared at 03:02. Name the most suspicious element of each of these three facts.
23. [CISSP] Explain, in two or three sentences, why a multi-source timeline can reconstruct activity that a single tampered source has hidden. Reference the idea of independent, off-host evidence.
24. Give two reasons a defender performs forensics at all (beyond curiosity), and tie each to a real business or regulatory consequence.
25. [Sec+] You find a file that appears in Prefetch (it ran) but is no longer present on disk. What do you conclude, and what is this an example of?
26. ⭐ (synthesis) In one paragraph, explain the chapter's claim that "forensics is won or lost before the incident." What specific architectural decisions, made in advance, determine whether a future investigation succeeds?
Answer Key
**1. B** — Order of volatility: capture RAM first; it is destroyed by reboot/power-off, while disk and backups survive. *(Acquisition order.)*
**2. C** — A write blocker permits reads but blocks all writes, guaranteeing the original is never altered during acquisition.
**3. B** — A bit-for-bit image captures the whole device including deleted files and slack/unallocated space; file copies miss those and can alter timestamps.
**4. B** — Matching source and image hashes proves the image is a perfect, unaltered copy. It says nothing about malware, custody, or anti-forensics.
**5. C** — Chain of custody. (Order of volatility = collection order; legal hold = preservation directive; RCA = underlying cause.)
**6. C** — Prefetch (`.pf`) is created as a side effect of execution and records run count and last-run time. Registry/`$MFT` may show existence, not execution.
**7. C** — Event ID 1102 records that the Security log was cleared — a classic anti-forensic signal.
**8. B** — The `$MFT` (Master File Table) indexes every file/directory on NTFS, with timestamps and often deleted-file entries.
**9. B** — Forwarding logs off-host to append-only storage before an incident puts evidence beyond the attacker's reach; clearing the local log cannot touch the forwarded copy.
**10. B** — Timestomping. (Steganography hides data in files; sinkholing redirects DNS; tokenization replaces sensitive values.)
**11. B** — Normalize all timestamps to UTC and account for clock skew, tagging each source; otherwise events sort out of true order.
**12. B** — A legal hold; deleting relevant data after it attaches can be spoliation.
**13. B** — Scoping pivots indicators across the environment to determine the full extent of compromise.
**14. B** — It destroys volatile evidence (RAM, live connections, injected code) that exists only in memory; capture memory first.
**15. C** — Root-cause analysis: the underlying failure whose fix prevents recurrence (e.g., VPN with no MFA), not the proximate symptom.
**16. False** — MD5 is broken for *collision resistance* (an adversary can craft collisions), but an MD5 *match* is still a useful integrity check against *accidental* alteration and is common in tooling. The nuance: when integrity might be *adversarially contested*, record SHA-256 (or both). So MD5 is not useless — but it is not sufficient where an adversary could exploit collisions.
**17. False** — Other independent sources (the `$MFT`, registry write times, and especially off-host VPN/SIEM/NetFlow records) are not cleared by erasing the local Security log; merged on one timeline they reconstruct the pre-clearing activity. The clearing itself (Event 1102) is also evidence.
**18. False** — Analyze the *image*, never the original. The original is preserved sealed and can be re-hashed to prove it is untouched; analysis can inadvertently alter data, so it is done on a verified copy.
**19. False** — They can conflict: containment may want to power off or isolate a machine *now*, which can destroy volatile evidence forensics needs. The resolution is to capture memory first (order of volatility) before containing.
**20. False** — Existence on disk is not execution. Proof of execution comes from artifacts like Prefetch/Amcache. A file can be present and never have run, or have run and been deleted.
**21.** Registers/cache → RAM (processes, connections, injected code) → network state (ARP, live connections, routing) → running system/kernel state and temporary data. It most exists to prevent pulling power or rebooting before memory is captured, which would destroy all volatile evidence.
**22.** (1) A *backup* service account performing an *interactive/network logon* is abnormal — backup accounts run scheduled jobs, not ad-hoc logons. (2) A legitimate service rarely lives in `C:\Windows\Temp`; that path plus a freshly installed service is a strong persistence/lateral-movement indicator. (3) Clearing the Security log (Event 1102) is a deliberate anti-forensic act indicating intent to hide and marking the time the attacker tried to cover tracks.
**23.** A single source can be tampered with (a cleared log), but attackers rarely defeat *all* sources at once; independent, off-host evidence (SIEM-forwarded events, NetFlow, VPN logs) and on-disk artifacts the attacker missed (`$MFT` times) remain. Merging them onto one time axis lets the surviving sources fill the gap the tampering created.
**24.** Any two: (a) *Root cause* — without it you will be breached the same way again; drives a permanent fix and updates the risk register. (b) *Scope* — determines the full footprint so eradication is complete; under-scoping leaves the attacker resident. (c) *Proof* — breach notification, cyber-insurance claims, regulatory exams (FFIEC/GLBA/PCI), and litigation all require demonstrable facts about what was accessed.
**25.** The file *ran* (Prefetch proves execution) and was then *deleted* from disk — strong evidence of an attacker tool that was used and cleaned up. This is an example of anti-forensics (secure deletion), and the Prefetch/disk discrepancy is its signature — the absence of the file is itself evidence.
**26.** Forensics depends on evidence existing when you go looking; an attacker can clear local logs and wipe disks, so the determining factors are decided *before* the incident: centralizing high-value logs off-host into append-only storage, setting retention long enough to cover months-long dwell time, deploying host visibility (EDR with memory capture and fleet-wide indicator search), and synchronizing clocks (NTP) so a timeline is buildable. Those advance decisions — not heroics during the incident — make an investigation possible or impossible.
Topics to review by question
- Acquisition order / order of volatility: 1, 14, 21
- Sound acquisition (write blocker, hashing, imaging): 2, 3, 4, 16, 18
- Chain of custody / legal soundness / legal hold: 5, 12, 18, 24
- Forensic artifacts (Windows/Linux): 6, 7, 8, 10, 22, 25
- Anti-forensics & "absence as evidence": 7, 9, 10, 17, 25
- Timeline analysis: 11, 17, 23
- Scoping & root-cause analysis: 13, 15, 22, 23, 24
- Forensic readiness (architecture): 9, 26