Chapter 14 — Quiz

14 questions: 10 multiple choice, 2 true/false, 2 short answer. Answers and a scoring band are at the bottom — try the whole set before you look.


Multiple choice

Q1. What does a forensic, sector-by-sector image capture that an ordinary file-level copy does not? - A) Only the allocated files, but faster - B) Unallocated space, file slack, and hidden regions such as the HPA/DCO - C) Only the partition table - D) A compressed list of file names

Q2. The principal reason hardware write-blockers are preferred over software write-blockers for legal cases is that they: - A) Image significantly faster - B) Are cheaper to buy - C) Enforce read-only independently of the host OS and can be pointed to independent NIST CFTT test results - D) Automatically compute SHA-256

Q3. In dd if=/dev/sdb of=image.dd conv=noerror,sync, the noerror,sync pair ensures that: - A) The image is compressed as it is written - B) An unreadable sector aborts the copy immediately - C) Unreadable sectors are skipped and everything after them shifts up to fill the gap - D) Reading continues past bad sectors and each bad or short read is padded to full block size, preserving every byte offset

Q4. Compared with a raw/dd image, an E01 (Expert Witness Format) image: - A) Cannot be read by any tool except EnCase - B) Embeds case metadata, carries per-chunk checksums, supports compression, and is self-verifying - C) Is always larger than the equivalent raw image - D) Stores only the file names, not the data

Q5. A file begins with the bytes 45 56 46 09 0D 0A FF 00. The ASCII "EVF" tells you it is: - A) A raw dd image - B) An Expert Witness Format (EWF/E01) container - C) An AFF4 ZIP archive - D) An MBR boot sector

Q6. MD5 and SHA-256 produce digests of, respectively: - A) 64 and 128 bits - B) 128 and 256 bits - C) 256 and 512 bits - D) 32 and 64 bits

Q7. MD5 is still computed in modern acquisitions (alongside SHA-256) because: - A) It is fully collision-resistant - B) It is the only algorithm any court will accept - C) It instantly detects accidental change via the avalanche effect and matches legacy hash sets, while computing two algorithms defeats collision concerns - D) It is faster than the copy itself

Q8. A pre-analysis re-verification shows an image's SHA-256 no longer matches the value recorded at acquisition. Your correct first action is to: - A) Continue the analysis — a single changed bit rarely matters - B) Switch to MD5 and proceed if that one happens to match - C) Stop, document the mismatch and the conditions, preserve the logs and any piecewise hashes, and investigate the cause - D) Quietly delete the image and re-acquire without noting it

Q9. A wireless-capable phone is sealed in a Faraday bag at seizure primarily to: - A) Protect it from static discharge - B) Block cellular, Wi-Fi, Bluetooth, and GPS so it cannot be remotely wiped or locked, or change state over the network - C) Keep its battery charged - D) Compress its internal storage

Q10. Which tool is the heavily multithreaded Linux GUI imager that natively supports SHA-256 and re-reads the source to verify after acquisition? - A) FTK Imager - B) Plain dd - C) Guymager - D) hdparm

True/False

Q11. Plain dd computes and logs a cryptographic hash of the source as it images. (True / False)

Q12. A failing drive that returns different bytes on successive reads may never produce a single reproducible whole-disk hash; documenting that limitation and relying on piecewise hashes and the ddrescue map is a valid, defensible record. (True / False)

Short answer

Q13. Describe the three links of the hash-verification chain in a forensic acquisition, and state what each link proves.

Q14. The acquisition hash and the chain of custody are described as complementary, not redundant. In one or two sentences, state what each one proves that the other does not.

---

Answer key

Q1 — B. A physical image copies the whole device in order, so it captures unallocated space (deleted data with no pointer), file slack, and hidden areas like the HPA/DCO — exactly where the most valuable evidence often lives. A file copy sees only what the file system admits exists.

Q2 — C. Hardware blocking is enforced in the data path regardless of the host OS, driver, or malware, and specific models are independently tested under NIST's Computer Forensics Tool Testing (CFTT) program — the language of Daubert admissibility. Speed and price are not the legal reason, and FTK/Guymager (not the blocker) compute hashes.

Q3 — D. noerror keeps the copy going past unreadable sectors; sync pads each short/failed read with NULs up to full block size so nothing shifts. Used together they turn a bad sector into zeros in the correct place; noerror alone (option C) would misalign every subsequent byte.

Q4 — B. E01 wraps the disk data with embedded metadata (case number, examiner, date, tool), per-chunk Adler-32 checksums, an overall stored hash that makes it self-verifying, and zlib compression. It is widely readable via libewf, is usually smaller than raw, and stores the full data — so A, C, and D are wrong.

Q5 — B. 45 56 46 is ASCII "EVF"; with 09 0D 0A FF 00 it is the 8-byte Expert Witness Format / E01 signature. AFF4 is a ZIP archive (PK..), an MBR ends in 55 AA, and raw images have no signature of their own — they begin with whatever the disk's sector 0 contains.

Q6 — B. MD5 = 128 bits = 32 hex characters; SHA-256 = 256 bits = 64 hex characters.

Q7 — C. The threats to evidence integrity are accidental change and naive tampering, both caught instantly by MD5's avalanche effect; MD5 also matches legacy hash sets like the NSRL. MD5's known weakness is collision resistance, not pre-image resistance, and computing MD5 and SHA-256 makes a simultaneous collision in two different algorithms infeasible. (A is false — MD5 is not collision-resistant.)

Q8 — C. A hash either matches or it does not; a mismatch is never noise. Stop, document the mismatch and conditions, preserve the logs and piecewise hashes (which localize the change), and find the cause — failing source, a write that slipped through, a bad cable, a truncated image, or tampering — before doing anything else.

Q9 — B. A Faraday bag blocks radio signals so the device cannot receive a remote-wipe or remote-lock command, ping its location, or change state over the network. Static is the job of an anti-static bag; keeping the device charged is a separate concern (a dead phone may re-encrypt at rest).

Q10 — C. Guymager is the multithreaded Linux GUI imager that reads, compresses, and hashes in parallel, supports MD5/SHA-1/SHA-256, and re-reads the source to verify. FTK Imager is the Windows GUI standard; dd is single-threaded with no hashing; hdparm queries/configures drives (e.g., HPA), it does not image.

Q11 — False. Plain dd only copies bytes — no hashing, no log, crude error handling. Hashing on the fly is exactly what dcfldd/dc3dd, FTK Imager, and Guymager add. (This is why hashing raw dd output separately means reading a failing drive twice.)

Q12 — True. When a source is non-deterministic, no two images of it will hash identically; the honest integrity record becomes the per-region (piecewise) hashes of the stable parts plus the ddrescue map of unreadable regions. Stating the limitation is professional, not a failure.

Q13. (1) Hash the source during acquisition — as the tool reads the source it computes H_src, the fingerprint of the evidence as acquired, in the single read you must perform anyway; this captures the as-seized state. (2) Hash the image and compare — read the written image back, compute H_img, and confirm H_img == H_src, proving the copy is bit-identical to the source. (3) Re-verify before every analysis session — recompute the image hash and confirm it still equals H_src, proving the image has not changed since acquisition in your custody. Full credit for naming all three and what each proves.

Q14. The hash proves the bits are unchanged — that the data is mathematically identical to what was acquired. The chain of custody proves the people — that the physical item was controlled and accounted for by named individuals with no gaps from seizure to court. The hash cannot show who held the laptop during an unlogged six-hour gap; the chain cannot prove a bit did not flip. Courts require both.

Scoring: Count the 12 objective questions (Q1–Q12) plus your self-graded short answers. 13–14: acquisition-ready — you could defend an image on the stand. 10–12: solid; re-read the write-blocking and hash-mismatch sections. 7–9: review the formats and the verification chain before the case studies. Below 7: re-read the chapter, especially "Write-blocking," "Hash verification," and "Chain of custody," then retake.