Chapter 30 — Quiz

14 questions: 10 multiple choice, 2 true/false, 2 short answer. Answers and a scoring band are at the bottom. Commit to an answer before you check — the goal is to know not just what detects concealment but what the detection can and cannot carry.


Multiple choice

Q1. On a hard drive manufactured in the last two decades, how many overwrite passes are required to make the original data unrecoverable? - A) 35 passes (the Gutmann sequence) - B) A single pass - C) 3 passes (DoD 5220.22-M) - D) 7 passes

Q2. Why is a software multi-pass overwrite both unnecessary and unreliable on a solid-state drive? - A) SSDs spin too fast to overwrite a sector precisely - B) The flash translation layer (FTL) remaps logical writes to different physical NAND cells, so the original cells may be left intact - C) SSDs silently ignore all write commands - D) The drive's encryption prevents any overwrite from taking effect

Q3. Which single artifact most directly proves that CCLEANER64.EXE executed on a system, rather than merely being present? - A) The Amcache.hve entry (with its SHA-1) - B) Prefetch (CCLEANER64.EXE-A1B2C3D4.pf) - C) ShimCache (AppCompatCache) - D) The SOFTWARE\Piriform\CCleaner registry key

Q4. A file's $STANDARD_INFORMATION` Created time reads 2022-02-11; its `$FILE_NAME Created time reads 2024-03-15. Which is authoritative, and what does the conflict indicate? - A) $SI is authoritative; the 2024 value was forged - B) $FN` is kernel-maintained and authoritative; the 2022 `$SI value was forged (timestomping) - C) Both are equally trustworthy; pick the average - D) The older timestamp is always the correct creation time

Q5. Which event ID does Windows write to record that the Security event log was cleared? - A) 104 - B) 4624 - C) 1102 - D) 7045

Q6. A file's timestamp carries a sub-second fraction of exactly .0000000 while genuine timestamps on the same volume show real fractions like .4471902. This most strongly suggests: - A) The file is encrypted - B) The timestamp was written by a tool at whole-second granularity — a timestomping tell - C) The disk has a failing sector - D) The system clock was never set

Q7. The stream report.docx:Zone.Identifier:$DATA is best described as: - A) A hidden encrypted payload riding in an alternate data stream - B) A benign "mark-of-the-web" recording the file's download security zone — often useful to an examiner - C) A reliable sign of timestomping - D) An artifact created by a free-space wipe

Q8. Which of the following would not typically produce a high-entropy reading near 8.0 bits/byte? - A) An AES-encrypted container - B) A single random-overwrite wipe - C) An English-language text document - D) A compressed ZIP payload stream

Q9. Two ATA features can hide sectors from the operating system. Which one reduces the reported capacity even below the area hidden by the other? - A) The HPA hides capacity below the DCO - B) The DCO (Device Configuration Overlay) reduces reported capacity even below the HPA - C) They are two names for the same feature - D) Neither actually changes reported capacity

Q10. "The absence of an expected artifact is itself a finding" is admissible and persuasive only when: - A) A tool prints the absence automatically - B) The absence is corroborated and the innocent alternative explanations are addressed and excluded - C) Never — absence can never be evidence - D) Always, with no qualification needed

True / False

Q11. On a modern hard drive, a single overwrite pass is sufficient to make the original data unrecoverable, and the elaborate multi-pass DoD/Gutmann schemes add no security on current media. (True / False)

Q12. A high Shannon-entropy reading (~8.0 bits/byte), by itself, proves that a region of disk is encrypted. (True / False)

Short answer

Q13. State the chapter's central paradox in one or two sentences, and give one concrete example of an anti-forensic act that creates dated evidence of itself.

Q14. Name the two NTFS timestamp attributes that timestomping detection compares, say which is user-settable and which is kernel-maintained, and name one additional source you would cite to corroborate a contradiction between them.

---

Answer key

Q1 — B. A single overwrite pass destroys the original data on modern HDDs; the Wright/Kleiman/Sundhar (2008) study found per-bit magnetic recovery near 56% (coin-flip), and NIST SP 800-88 Rev. 1 treats a single overwrite ("Clear") as adequate. The 3-pass DoD and 35-pass Gutmann schemes are obsolete folklore on current media.

Q2 — B. The FTL remaps logical block addresses to physical NAND for wear-leveling, so an "overwrite" of an LBA may land on a different physical cell, leaving the original contents intact until garbage collection. Correct SSD sanitization is controller-level (ATA Secure Erase or crypto-erase), not software passes.

Q3 — B. Prefetch proves execution (with a run count and last-run times). Amcache and ShimCache prove presence; the registry key proves the tool was installed/configured. Bind the run to a user with UserAssist.

Q4 — B. $FILE_NAME` is kernel-maintained and hidden from the ordinary user-mode API, so it keeps the truth; `$STANDARD_INFORMATION is what Explorer shows and what any timestomping utility can set. A file cannot be born before its own name record — the 2022 $SI is forged.

Q5 — C. Clearing the Security log writes event 1102 ("the audit log was cleared"), recording the SID/account and time. Clearing any other log writes event 104 to the System log.

Q6 — B. Genuine FILETIMEs carry effectively random 100-ns sub-second fractions; an all-zero fraction is the fingerprint of a tool (classically Metasploit timestomp) that sets whole-second granularity. It is a supporting tell, weaker than the $SI`-older-than-`$FN impossibility.

Q7 — B. :Zone.Identifier is the ubiquitous mark-of-the-web that Windows attaches to downloaded files to record their security zone (and sometimes the source URL). It is benign and often useful; the anomaly is a large, non-Zone.Identifier named stream on an innocuous file.

Q8 — C. English text sits around 4.0–4.5 bits/byte. Ciphertext and random-wiped data approach 8.0 with no structure; compressed payloads are also high. (Note the disambiguation problem: high entropy alone cannot tell encrypted from random-wiped from compressed.)

Q9 — B. The Host Protected Area (HPA) reserves sectors at the end of the disk; the Device Configuration Overlay (DCO) reduces the reported capacity even further, below the HPA. Detect with hdparm -N (HPA) and hdparm --dco-identify (DCO) at acquisition time.

Q10 — B. Negative evidence is admissible and powerful, but only when corroborated (e.g., a dated absence aligned with a wiping tool's own execution) and when innocent explanations (TRIM, privacy mode, disabled Prefetch, a repurposed disk) are addressed. Otherwise "I cannot rule out wiping" must not harden into "they wiped it."

Q11 — True. A single overwrite suffices on modern HDDs; multi-pass standards target magnetic encodings (MFM/RLL) of 1990s-era drives and provide no additional security today (NIST SP 800-88 Rev. 1).

Q12 — False. Random-wiped space and compressed data also approach 8.0 bits/byte. Entropy locates candidates; you confirm encryption with the container application's artifacts (registry, prefetch, Amcache, a "recently mounted volumes" MRU) or a recoverable header/key.

Q13. The paradox: almost every anti-forensic act leaves its own trace, so the attempt to hide evidence becomes evidence — and the conspicuous, dated absence of an expected artifact is itself a finding. Example: clearing the Security log writes event 1102 naming who cleared it and when; or running CCleaner writes a Prefetch record (run count, last-run time) the cleaner cannot erase.

Q14. $STANDARD_INFORMATION` (`$SI, type 0x10) is user-settable (Explorer shows it; any timestomping tool can set it); $FILE_NAME` (`$FN, type 0x30) is kernel-maintained and hidden from the user-mode API. Corroborate a contradiction with any of: the USN change journal ($J`), the `$LogFile, MFT-record sequence ordering, or an independent clock (LNK/Jump List, Prefetch, event logs).

Scoring: 13–14 — courtroom-ready; you can detect each concealment technique and state what the detection cannot carry. 10–12 — solid; revisit timestomping ($SI vs $FN) and the entropy ambiguity. 7–9 — re-read "Secure deletion," "Timestomping," and "The meta-method," then redo Groups A, C, and G in the exercises. Below 7 — re-read the chapter index and rebuild the anchor concealment timeline before moving on to Chapter 31.