Chapter 5 — Exercises
Twenty-six problems spanning the whole method — the four phases, write-blocking and imaging, hashing, chain of custody, legal authority, and the recovery-vs-forensics judgment call. The mix is concept checks, hands-on labs (read the tool output, calculate and verify a hash, build a timeline, write a finding), and judgment questions about authority and scope. Work the hands-on items on a practice image or a disposable drive you own — never on real evidence or data you do not own (practice images and a lab build are in Appendix J). (answer in Appendix) marks problems with a worked solution in Answers to Selected Exercises. ⭐ marks a stretch problem. Aim to justify every answer the way you would on the stand: concretely, in plain language, with the specifics written down.
Group A — The method, the phases, and the scientific method
5.1 Name the four phases of the forensic process as this book frames them, in order, and in one sentence each say what each phase accomplishes. Then map them onto (a) the NIST SP 800-86 names and (b) the four ACPO principles. Finally, explain the one thing the chapter's process diagram shows running underneath all four phases, and why it is not a fifth phase. (answer in Appendix)
5.2 Two people sit at the same broken laptop. The first plugs the drive into a running Windows desktop, browses to a file, and copies it to a thumb drive. The second photographs the device, removes the drive through a write-blocker, images it, hashes source and copy, logs every handoff, and works on a copy of the copy. Both "find" the same file. (a) State the single question that decides whether either person's work was worth anything. (b) Explain why the first person cannot answer it and the second can. (c) The chapter says the difference is not talent, tools, or intelligence — name what it actually is, in one word. (d) The first person's file is described as "indistinguishable from something they could have planted, corrupted, or fabricated." Explain why indistinguishable — not "definitely tampered with" — is enough for an attorney to get the evidence excluded.
5.3 ⭐ The chapter calls the forensic process "the scientific method applied to a hard drive." (a) Walk a single investigation through the steps observe → question → hypothesis → test → analyze → conclude → report, inventing a plausible IP-theft scenario. (b) Explain what "test for disconfirmation" means and why an examiner who seeks only confirming evidence "is not doing science." (c) Name the legal standard that turns this scientific framing into a courtroom requirement, and list the five things it asks of a technique.
Group B — Phase 1: Identification
5.4 You arrive at a small business to investigate suspected data theft. In the room: two desktops, a laptop (powered on, screen showing a logged-in session), an external USB drive, a digital camera with an SD card, a networked file server with a four-disk array, and a smartphone on the desk. (a) Produce an evidence-source inventory and, for each item, record the precise identity fields the chapter requires. (b) Name two categories of data source that have no physical presence in the room but must still appear on your identification list. (c) Which single device forces a decision you cannot postpone, and what is that decision? (d) Rewrite the description "a black laptop" into a sentence you could defend in a deposition six months later, inventing plausible make/model/serial/capacity/condition fields — and explain why each field earns its place. (answer in Appendix)
5.5 A machine arrives at your bench powered on. (a) State the order of volatility from most to least ephemeral, and explain why it creates genuine tension with ACPO Principle 1 ("change nothing"). (b) Which ACPO principle authorizes the documented exception that lets you capture RAM anyway? (c) Give one concrete reason that pulling the power on a running, full-disk-encrypted machine can be the single worst thing you could do — and name the two later chapters that own this workflow. (d) Name three categories of evidence that exist in RAM and nowhere on disk, and for each, give a one-line example of a case it could make or break.
5.6 ⭐ A 256 GB drive reports only about 170 GB of user-addressable sectors. (a) Name the two ATA mechanisms that let a drive hide capacity from the operating system, and say what each was originally designed for. (b) Why does a naïve copy that "trusts the drive's reported size" miss this hidden region entirely? (c) On a practice drive (never on evidence), write the hdparm query that reveals an HPA and describe what the max sectors = X/Y output tells you. (d) In one sentence, explain why the word "identification" has to include all the sectors, not just the ones the OS admits to.
Group C — Phase 2: Preservation (write-blocking and imaging)
5.7 A colleague insists that "you can't change a drive just by looking at it." (a) List at least five specific writes a running Windows system may perform on an NTFS drive the instant it is attached — before anyone clicks a file. (b) Explain, in terms of the disk's hash, why each of those background writes is fatal to your ability to prove the evidence is unaltered. (c) The chapter says the defense against this "is not carefulness" — what is it instead, and why is hardware better than discipline here? (answer in Appendix)
5.8 Compare hardware and software write-blocking across four dimensions, one or two sentences each: (a) independence from the host OS; (b) independent validation and testability (name the NIST program); (c) how simple the claim is that you must defend on the stand; (d) reliance on correct configuration under time pressure. Conclude with which you would use for evidence and a one-sentence justification a juror could follow. Then write the two blockdev commands that set and confirm a Linux software read-only backstop, and explain why it is a backstop, not a substitute.
5.9 Using the chapter's "logical copy vs. physical image" diagram as your model: (a) explain why an ordinary backup of a drive that is "90% empty" misses exactly the data an investigation needs, citing the theme deleted ≠ destroyed from Chapter 1. (b) Define a forensic image in one sentence that distinguishes it sharply from a backup. (c) A sector on a 512-byte drive is sector 8,401,920. Give its byte offset (show the arithmetic from Chapter 2). (d) Why does a physical image capture that sector regardless of whether any file points to it? (e) A junior colleague says, "I used robocopy to copy every file off the drive, so I have everything." Explain in one sentence why "I have everything" is precisely backwards, and name one side effect that single copy operation had on the source that could itself destroy evidence.
5.10 ⭐ You receive an evidence image as case.E01 with a sidecar case.E01.sha256. (a) Distinguish raw/dd, E01, and AFF4 in one sentence each, and say when you would reach for each. (b) The single most-confused point in this chapter: explain the difference between the hash stored inside an E01 and the result of running sha256sum case.E01 on the container file. Which one proves transfer integrity, and which one is the acquisition (bitstream) hash your tool re-verifies on load? (c) Why are these two different numbers doing two different jobs, and why must you record both?
Group D — Hashing (calculate and verify)
5.11 Reproduce the chapter's real test vectors with any hashing tool. (a) Confirm that MD5("abc") = 900150983cd24fb0d6963f7d28e17f72 and SHA-256("abc") = ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad. (b) Now hash "abd" (change only the last letter) and quantify, roughly, how many of the output hex digits changed — name the property you just demonstrated. (c) Confirm that the SHA-256 of an empty input is e3b0c442…7852b855 and the MD5 of an empty input is d41d8cd9…ecf8427e, and explain why memorizing these "constant" digests is a useful triage skill. (answer in Appendix)
5.12 Under cross-examination the defense asks: "Examiner, isn't MD5 broken — two different files can share a hash — so your matching hash doesn't actually prove the image is the original, does it?" (a) Define a collision precisely. (b) Give the two-part honest answer the chapter prescribes (what a crafted collision actually requires, and why dual-hashing defeats the concern). (c) State the modern best-practice acquisition recipe in one sentence. (d) The attorney follows up: "But MD5 is deprecated — isn't using it at all reckless?" Explain why MD5 still earns a place in an acquisition (think accidental change and legacy hash sets) even though no one relies on it alone for tamper resistance.
5.13 ⭐ A matching hash proves the image equals the source. (a) State precisely what a matching hash does not prove — name at least three separate questions it cannot answer. (b) Explain the category error in the sentence "the hash matches, therefore the suspect did it." (c) Which book theme does this exercise embody, and why is conceding the limits of a hash more persuasive in court than overstating them?
5.14 Read this acquisition-tool output and answer the questions.
device size: 976773168 sectors (probed), 500,107,862,016 bytes
sector size: 512 bytes (probed)
input results for device `/dev/sdb':
976773168 sectors in
0 bad sectors replaced by zeros
md5: 7a1f9c3e5b2d8f4a6c0e1b3d5f7a9c2e
sha256: a3f5c9d2b8e14f6079c2d5a8b1e4f7c0d3a6b9e2c5f8a1d4b7e0c3f6a9d2b5e8
(a) Verify the capacity arithmetic (sectors × sector size) and convert to GiB. (b) Which two algorithms did this acquisition compute, and why two? (c) The hash recorded here is the hash of what — the source device, or the image file? (d) Write the single follow-up command (same tool family) you would run to prove the written image matches the source, and state the result you must see before you analyze anything.
Group E — Chain of custody and legal authorization
5.15 Build the chain-of-custody log for the following events, then identify the gap a defense attorney would attack.
14 Mar, 10:05 — Investigator R. seizes a laptop and photographs the scene. 14 Mar, 12:30 — R. books it into the evidence room with Custodian S. 15 Mar, 08:40 — Examiner T. signs it out for imaging. 15 Mar, 13:10 — imaging complete; T. verifies hashes. 16 Mar, 17:00 — Custodian S. records the item back on the shelf.
Lay the log out in the column format from the chapter (Date/Time, Released by, Received by, Purpose, Signature(s)). Then (a) state in one sentence what the cross-examiner asks about; (b) name the maxim the gap violates; (c) write the corrective entry that should have existed; (d) explain why the defense does not have to prove tampering to benefit from the gap. (answer in Appendix)
5.16 For each scenario, name the lawful basis (search warrant, consent, corporate authority, subpoena/court order, or exigent circumstances) and state the scope limit it imposes: (a) law enforcement searches a seized phone under a document describing the offense and the items to be seized; (b) a roommate offers to let you examine the suspect's locked, password-protected laptop; (c) an employer asks you to examine a company-owned laptop with a signed acceptable-use policy and a monitoring login banner; (d) a civil litigant seeks emails from the opposing party's server in discovery; (e) the device's owner says "go ahead, but only look at the email folder." For (b), explain why the offer is a problem. (f) The corporate scenario in (c) is a bring-your-own-device (BYOD) laptop the employee personally owns, with company email installed alongside the employee's private data. Explain why this badly complicates corporate authority, and state where the answer must come from — improvised after the incident, or written before it.
5.17 ⭐ Scope discipline and the plain-view problem. (a) Explain why a digital "plain view" is harder than a physical one — why finding "obvious" contraband on a disk may itself require a search. (b) A warrant authorizes a search for evidence of financial fraud; mid-examination you encounter what appears to be evidence of an unrelated crime. State the disciplined four-step response the chapter prescribes. (c) Describe the one situation where "stop and escalate" is not merely good practice but a legal and moral imperative, keeping your answer strictly procedural — name the duty and the chapter that owns the full treatment.
5.18 "Method and law are not separate worlds." (a) Explain how Federal Rule of Evidence 1001–1003 (the "best evidence" rules) treats a verified forensic image. (b) Explain what FRE 902(14) lets you do, and identify exactly which artifact from Phase 2 makes it possible. (c) In one sentence, state why a flawless image with a perfect chain of custody can still be worthless — what can the method never manufacture? (d) The chapter argues the method is how you meet the law, not bureaucracy bolted on afterward. Pick any one element of the process — write-blocking, the source hash, the chain of custody, or scope discipline — and name the specific legal standard or rule it satisfies.
Group F — Recovery vs. forensics judgment
5.19 For each job, decide whether you would run the recovery workflow, the forensic workflow, or start in recovery and be ready to upgrade — and justify in two sentences: (a) a client's reformatted drive holding ten years of family photographs, no dispute, no court; (b) a corporate IP-theft matter headed for litigation; (c) "my external drive won't mount" — until the client mentions it belongs to a business partner they are now suing; (d) a small business hit by ransomware that intends to file an insurance claim and may refer the matter to law enforcement. For each, name which of the table rows (imaging, write-blocking, hashing, chain of custody, authorization, documentation) changes. (answer in Appendix)
5.20 Re-read the chapter's War Story. (a) Describe what the shop destroyed and what survived when a routine recovery turned into a criminal matter. (b) The chapter says you "cannot manufacture a chain you didn't keep, but you can start one the instant you realize you need it." Write the honest chain-of-custody entry that documents the transition from recovery to forensic handling — what does it candidly record? (c) State the one-line policy the shop adopted, and explain why "it costs an hour; it can save a case" is the entire argument. (d) Identify which two of the book's six recurring themes the War Story is said to teach "the hard way," and connect each to a specific thing the shop did wrong.
5.21 ⭐ Reproduce the recovery-vs-forensics comparison table from memory across all nine rows (Goal, Image the source?, Write-blocking, Hashing, Chain of custody, Legal authorization, Documentation, Speed vs. rigor, Deliverable). Then write a short paragraph defending the chapter's claim that the divergence "is about consequences, not about care" — i.e., that a good recovery technician and a good examiner share a foundation and differ mainly in how much legal machinery rides on top.
Group G — Analysis, reporting, and the progressive project
5.22 Analysis "elevates from looking for incriminating things to establishing the truth." (a) Define reproducibility in this context and list four specific things you must record for an action to be reproducible (the chapter names tool versions among them — say why). (b) Explain the duty to seek both inculpatory and exculpatory evidence, and why "your loyalty is to the facts, not to the side that retained you." (c) The chapter calls a single symmetry "the moral center of the discipline" — state it in one sentence. (d) You re-verify the working copy's hash against the master at the start of each analysis session. Explain what specific claim this lets you make months later in court, and why analyzing the master image (or the original) instead would quietly break the chain of integrity.
5.23 Build the timeline (preview lab). You are given four artifacts from the IP-theft case: (i) a registry entry showing a USB mass-storage device first connected 02:14 on the night before resignation; (ii) a link (.lnk) file referencing the customer database on that device; (iii) a $FILE_NAME` MFT timestamp for the database showing creation at 02:17; (iv) a `$STANDARD_INFORMATION timestamp for the same file set, suspiciously, to a date one year earlier. (a) Order these into a simple timeline. (b) State the hypothesis they support. (c) Identify which artifact is evidence of timestomping, and explain why the discrepancy between (iii) and (iv) is itself a trace (theme three). (d) Name one disconfirming check you would run before concluding. (Full timeline technique is Chapter 21.)
5.24 Write the finding (hands-on). Turn this raw note into a single report-quality paragraph that separates facts from opinion, references the evidence, and states a limitation: "USB device VID_0781 attached 02:14; database .lnk created 02:17; no cloud-upload artifacts found; user account = jokafor; cannot determine who was physically at the keyboard." (a) Write the paragraph. (b) Underline (or mark) which sentences are fact and which are opinion. (c) Add the one sentence the chapter says is "more trustworthy than overreaching" when the keyboard-attribution question cannot be answered. (d) State the operating maxim of Phase 4 in five words, and explain why undocumented work "cannot be defended, cannot be reproduced, and cannot be relied upon." (The report is owned by Chapter 26.)
5.25 Progressive project — receive the assignment. You are retained by counsel for Meridian Health Analytics (MHA). A departed engineer, "J. Okafor," allegedly copied a proprietary dataset and source code before leaving for a competitor; this is a civil matter on a company-owned laptop (signed AUP, monitoring banner). You receive mha-laptop.E01 with a sidecar mha-laptop.E01.sha256. (a) Run the transfer-integrity check (sha256sum -c mha-laptop.E01.sha256) and record the container hash as a chain-of-custody entry (template in Appendix F); assign exhibit MHA-2026-001. (b) Load the image read-only into your tool, confirm the tool re-verifies the bitstream (acquisition) hash, and note one deleted-file remnant it lists — the one you will actually recover in Chapter 6. (c) Write the one-page Investigation Plan with its six sections (Objective, Questions/hypotheses including disconfirming checks, Authority and scope with explicit in/out scope, Evidence inventory, Methodology, Tools with versions, Reporting plan). Save the chain entry and the plan to your case folder. (answer in Appendix)
5.26 ⭐ Progressive project — extend the verifier. Model a short Python helper on the chapter's chunked-hashing script that (1) opens the image strictly read-only, (2) streams it through SHA-256 in 1 MiB chunks, (3) compares the result to the expected acquisition value, and (4) appends a one-line chain-of-custody entry (timestamp, examiner, action, result) to a log file. (a) Run it against your working copy and confirm the printed SHA-256 equals your recorded acquisition value. (b) Explain why chunked reading matters for a multi-terabyte image. (c) Point to the single line that guarantees the evidence can never be modified. Add the script to your toolkit (Appendix B).
Self-check. You have mastered this chapter when you can, without notes: list the four phases and map them to NIST and ACPO; explain why even reading an unprotected drive destroys its integrity, and defend write-blocking in one juror-friendly sentence; calculate a byte offset and verify a dual-hash acquisition; build a gap-free chain of custody and spot the gap in someone else's; name the lawful bases for an examination and the scope discipline each imposes; and decide, on any job, whether a recovery could become a case. If a skeptic asks "how do you know you didn't change it, and how do you know it was there before you arrived?" and you can answer both in two calm sentences, you are ready for Chapter 6 — Logical Recovery, where you take the verified image you now know how to make and go hunting inside it.