Chapter 15 — Quiz

14 questions: 10 multiple choice, 2 true/false, 2 short answer. Answers and rationale at the bottom. No peeking until you have committed to an answer — guessing then checking teaches less than deciding then checking.


Multiple choice

Q1. According to RFC 3227's order of volatility, which of the following is the most volatile? - A) Deleted files in disk unallocated space - B) The ARP cache - C) CPU registers and L1/L2/L3 cache - D) An archival tape backup

Q2. The chapter recommends imaging memory before running other live-response tools. The primary reason is that: - A) The memory image is smaller than a disk image - B) Every command you run allocates pages and can evict the attacker's data from RAM before your imager reaches it - C) netstat is unreliable on compromised hosts - D) Disk imaging is always faster than memory imaging

Q3. Which document is the canonical source of the order of volatility? - A) RFC 3227, "Guidelines for Evidence Collection and Archiving" - B) RFC 1918, "Address Allocation for Private Internets" - C) RFC 2616, "Hypertext Transfer Protocol" - D) RFC 791, "Internet Protocol"

Q4. You power off a seized laptop whose BitLocker volume was unlocked at the time, and there is no escrowed recovery key. The most likely result is: - A) Faster, cleaner imaging at the lab - B) The volume re-locks; your lawfully seized drive is now an unreadable field of ciphertext - C) Nothing changes; BitLocker keys persist across power cycles - D) A shutdown-triggered wiper is guaranteed to run

Q5. "Smearing" in a live disk or memory image refers to the fact that: - A) The hash collides with another image - B) The image is a non-reproducible composite captured over minutes-to-hours while the system kept changing - C) The drive has unreadable bad sectors - D) The image was compressed and lost data

Q6. A SHA-256 hash computed on a live image immediately after acquisition proves: - A) The image is a bit-for-bit copy of the original source - B) Integrity of the evidence file from the moment of acquisition forward - C) That the system was not compromised - D) Nothing of forensic value

Q7. lsof +L1 shows a file with NLINK 0 and the marker (deleted). This indicates a file that is: - A) Corrupted beyond recovery - B) Deleted from the directory but still held open by a running process — and therefore fully recoverable via /proc - C) Encrypted with a key in the TPM - D) Stored on a hidden partition

Q8. When you run KAPE against a live subject system, you should run: - A) Modules only, to parse artifacts in place - B) Targets only — collect the artifacts to external media now, and run Modules later on your own workstation - C) Both Targets and Modules, to save a second trip - D) Neither; KAPE cannot read locked system files

Q9. You see a process named svchost.exe making an outbound HTTPS connection to a bare IP in a hosting range. The detail that actually exposes it as malicious is: - A) The process name - B) Its non-standard parent process (PPID) and its full command line - C) Its file size - D) Its desktop icon

Q10. A rootkit installs a trojaned netstat that omits the C2 connection. The technique most likely to expose the hidden connection is: - A) Rebooting the host - B) The cross-view difference — enumerating the same data with trusted/kernel-level tools and diffing against the subject's tools - C) Running an antivirus scan - D) Reinstalling netstat from the subject's package manager


True/False

Q11. On a host you suspect is compromised, a graceful shutdown is always safer than pulling the plug. (True / False)

Q12. The act of capturing physical memory itself alters the memory of the system you are imaging. (True / False)


Short answer

Q13. State the two-clock problem in one or two sentences, and name exactly what you record — and when — to solve it.

Q14. You arrive at a running, logged-in workstation. An EDR alert shows an active data upload in progress, and you do not yet know whether the disk is encrypted. In two or three sentences, state your first two actions and the reason for each.

---

Answer key

Q1 — C. Registers and CPU cache live for nanoseconds and are effectively uncapturable; everything else on the list outlives them. Disk unallocated space (A) is near the bottom — it persists for years until overwritten.

Q2 — B. Memory is the highest-value, most fragile artifact, and every tool you run pollutes it; capture it first, then reconstruct process and network state from the image (Volatility's pslist/netscan) afterward.

Q3 — A. RFC 3227 §2.1 (February 2002) is the twenty-plus-year-old standard that still governs live-response collection order. The others are unrelated networking RFCs.

Q4 — B. While booted and unlocked, the OS holds the volume key in RAM; power-off purges it and the volume re-locks. Without an escrowed key, the seized drive is ciphertext — the single most expensive modern live-response error.

Q5 — B. A live image is a long-exposure photograph of a moving subject: sectors captured minutes apart from a system still writing to itself, representing no single point in time and never reproducible to the same hash.

Q6 — B. With a moving original, equality cannot be proven; the hash instead seals the evidence file against alteration from acquisition forward. Stating this distinction proactively is the mark of an examiner who understands the method.

Q7 — B. When a process holds a file open and the file is unlinked, the OS keeps the data intact until the last handle closes; NLINK 0 + (deleted) is the signature, and you recover it from /proc/<pid>/fd/ (or /proc/<pid>/exe).

Q8 — B. Targets collect; Modules parse. You collect on the subject and parse later on your workstation — running parsers on the evidence is unnecessary execution on the subject.

Q9 — B. A malicious process named after a legitimate one is invisible by name; the tell is lineage (e.g., a parent that should never spawn it) plus the command line. Capture PID, PPID, command line, and image path — not just names.

Q10 — B. The cross-view difference is the canonical rootkit-detection move: anything present in the trusted/low-level view but missing from the subject's view is being actively hidden — the discrepancy is the evidence (theme three: the absence of a trace is itself a trace).

Q11 — False. A graceful shutdown runs code — including a possible shutdown-triggered wiper on a compromised host. For a suspected compromise the forensic default leans toward pulling the plug after volatile capture, or, increasingly, not shutting down at all.

Q12 — True. The imager runs on the subject's CPU, allocates its own memory, and loads a driver, overwriting some of the very memory it reads. This is the smearing principle and why a memory capture is never reproducible — physics, not negligence.

Q13 — Two-clock problem. Every timestamp you record is meaningless unless you know how the subject's clock relates to real time (it may be skewed, in the wrong zone, or deliberately altered). You solve it by recording, as your very first logged action, the subject's system time alongside an authoritative external time (synced phone/NTP) in the same line, and noting the skew.

Q14 — First two actions. (1) Establish and record authority plus the two clocks — the legal/engagement basis for acting live, and subject time vs. trusted time with skew. (2) Isolate via EDR (not power-off) and image memory first — power-off could re-lock an encrypted volume and lose the active connection and any key in RAM; isolation stops the upload while preserving volatile state. (Acceptable variant: a few-second pre-capture netstat/ss to freeze the transient connection before the memory image, if the image will take many minutes.)

Scoring: 13–14 correct — you can run point on a live engagement and defend it. 10–12 — solid; revisit the smear/hash distinction (Q5, Q6) and the encryption power-off trap (Q4). 7–9 — re-read "The order of volatility" and "Capturing volatile data, step by step." 6 or fewer — work the chapter again before attempting the Progressive Project; this material gets used live, at 2 a.m., where there is no answer key.