Chapter 36 — Exercises

Twenty-nine problems in seven groups (A–G), mixing concept checks, hands-on labs (drive The Sleuth Kit down its layers to recover a file, read a bulk_extractor histogram, build a triple-tool verification, calculate and verify a SHA-256, write the methodology memo), and judgment questions about choosing tools by case type, budget, and court. Hands-on labs assume a practice image and the toolset (The Sleuth Kit, Autopsy, the Eric Zimmerman suite, Volatility, xxd/certutil) from Appendix J — Practice Images and Lab Setup, and the full per-tool catalog in Appendix C — Tool Reference. (answer in Appendix) = worked solution in Answers to Selected. ⭐ = stretch. Every command here runs against a verified working copy, never the original.


Group A — Reading the toolbox by layer, not by brand

36.1 A newcomer asks you, in good faith, "What's the single best forensic tool I should learn?" (a) Explain in two or three sentences why the question is wrong, using the hospital-instrument analogy from the chapter. (b) Reframe it into the right question. (c) State which of the book's six recurring themes this lesson is wearing, and why anchoring skill to a method rather than a brand gives a career a longer shelf life than anchoring it to any one product. (answer in Appendix)

36.2 For each piece of evidence below, name the class of tool you reach for and one leading example (open-source where one exists), plus the chapter that owns its deep treatment: (a) a 1-TB NTFS disk image, (b) a 16-GiB RAM capture, (c) a pcapng network capture, (d) a locked iPhone, (e) a suspect cloud-storage account. The point of the exercise is that the brand changes per evidence type — no single application reads all five.

36.3 ⭐ Reconstruct the forensic pipeline from the chapter (acquire+preserve → analyze the disk → analyze the volatile/mobile/cloud → the deep end → report+defend) and place each of these tools at its correct stage: dcfldd, Volatility, MFTECmd, Wireshark, Cellebrite UFED, Ghidra, hashdeep, Chainalysis, the report template in Appendix F. Then state the chapter's observation about why most stages have both an open-source and a commercial option — and what that redundancy makes possible later in the chapter.


Group B — The Sleuth Kit: driving the layers

36.4 TSK names each tool for the file-system layer it reads. Match the command to its layer and to what it returns: mmls, fsstat, fls, istat, icat, blkls. Layers: media/volume, file-system metadata-as-a-whole, file-name (incl. deleted), metadata/inode, data-unit/block. For fls, state what the * in its output means in plain language. (answer in Appendix)

36.5 Lab — recover a deleted file by inode. Using the IP-theft image from the chapter (anchor case #2), mmls reports the Windows volume begins at sector 1,024,000 and fls shows a deleted entry client_export_FINAL.xlsx at MFT entry 5830 with a non-resident $DATA attribute 128-3. (a) Compute the byte offset of the start of that partition (sector size 512). (b) Write the exact icat command (with the -o offset in sectors) that recovers the file's bytes to ./out/client_export_FINAL.xlsx. (c) Explain why istat showing the data runs still listed (clusters 3,808,891 onward) is what tells you, before you even run icat, that the recovery will succeed — and tie that to the book's first theme.

36.6 Calculate and verify. After the recovery in 36.5 you run xxd ./out/client_export_FINAL.xlsx | head -1 and the first four bytes are 50 4b 03 04. (a) Decode that magic number — what container format is it, and why is it the correct signature for a genuine .xlsx? (b) Name the appendix that adjudicates header-vs-extension questions. (c) State, in one sentence, the discipline this cheap check enforces: what would first-four-bytes of 00 00 00 00 or random data have told you instead?

36.7Lab — when the metadata is gone too. The MFT entry for a second deleted file has been overwritten, so fls/icat cannot find it. (a) Write the blkls command that extracts only the unallocated space of the volume at offset 1,024,000 to unalloc.bin. (b) Name the chapter and the two carvers you would feed unalloc.bin to next. (c) Contrast tsk_recover -e with icat: when does the bulk-export tool save you time, and what does it not do that file-by-file icat does? (d) State the dual-lens point: the same icat/blkls parse serves a 💾 recovery technician restoring a client's file and a 🔍 examiner building a court exhibit — what is the only difference between the two uses?


Group C — The open-source bench

36.8 Autopsy's Hash Lookup ingest module can load two very different kinds of hash set. (a) Explain the exclude use of the NSRL/RDS and the flag use of a known-bad set, and why each saves examiner time in opposite directions. (b) In the child-exploitation context (anchor case #4), name the two known-file hash databases mentioned in the chapter and state the welfare purpose — handled clinically — that hash-based identification serves beyond mere efficiency. (c) Which chapter owns the full ethics, mandatory-reporting, and examiner-wellbeing treatment? (answer in Appendix)

36.9 Lab — read the histogram. You run bulk_extractor -o bx_out mha-laptop.E01 and head -3 bx_out/email_histogram.txt returns:

n=412   j.okafor@meridianhealth.example
n=37    jay.okafor.personal@rival-corp.example
n=29    legal@rival-corp.example

(a) Explain what the n= count represents and why ranking features by frequency floats the most relevant address to the top. (b) Which two lines, read together, generate a lead worth pursuing, and what is that lead? (c) bulk_extractor is described as "file-system-blind." Explain what that means and why it is the complement to both carving (Ch.7) and file-system analysis — i.e., when does ignoring the file system entirely become an advantage? (d) Name the one bulk_extractor output file that, run over a memory image, can hand you a full-disk-encryption key.

36.10 Match each Eric Zimmerman parser to the single artifact it turns into CSV: MFTECmd, PECmd, LECmd, AmcacheParser, SBECmd, RBCmd, EvtxECmd. Artifacts: Prefetch (program execution), $MFT`, LNK shortcuts, ShellBags (folder access incl. removable), `Amcache.hve` (presence + SHA-1), `$Recycle.Bin $I records, Windows event logs. Then name the EZ tool you load all of their CSV output into, and the one thing you do there (filter/tag/pin) to turn millions of rows into a handful of exhibits.

36.11 Registry Explorer "replays" .LOG1/.LOG2 transaction logs against a hive before showing you its contents. (a) Explain what a "dirty" hive is and what would happen if a tool (or a careless extraction that grabbed SYSTEM but not its logs) showed you the hive without replaying the logs. (b) Why does this make "which tool, and did you give it the transaction logs?" a fair cross-examination question? (c) Name the open-source registry tool you would pair with Registry Explorer for a dual-tool registry check.

36.12Lab — a zero-dollar toolkit. A budget-constrained nonprofit hands you a Windows laptop image and a RAM capture and asks for a competent examination with no commercial software. Build the toolchain: name the open-source tool for (a) file-system + deleted files, (b) Windows artifacts (USB history, execution, shortcuts), (c) the super-timeline, (d) memory (processes + network + injection), (e) feature/PII sweep, and (f) the preconfigured Linux distribution that ships all of the above preinstalled. Then state the chapter's liberating conclusion about budget and basic capability in one sentence.


Group D — The commercial platforms and choosing among them

36.13 Match each commercial platform to the single phrase that best captures its signature strength: EnCase, FTK/Exterro, Magnet AXIOM, Cellebrite, X-Ways Forensics. Phrases: "indexed full-text search at terabyte scale," "the long-standing courtroom standard with decades of case law," "the mobile leader where commercial tooling is least optional," "artifact breadth with the Connections graph and AXIOM Cyber for cloud/remote," "the fast, lightweight, low-cost power-user's scalpel." Then name the evidence-file format EnCase spawned that the open-source world reverse-engineered into libewf so everything could read it. (answer in Appendix)

36.14 A budget-conscious newcomer asks why anyone pays thousands per seat when the open-source stack is so good. Give the chapter's four-part honest answer (integration, support, research cadence, defensibility-by-familiarity), and then state the crucial caveat: which one thing do the commercial tools not buy you that the open-source tools lack? Phrase that caveat as a single sentence you could say to the newcomer.

36.15 Sketch the budget progression from the chapter as four tiers — solo/≈$0, small lab/first paid license, growing lab/regular mobile work, established lab/enterprise+litigation — and for each name the representative purchase and the one-line reason it is the right next dollar. State explicitly which tier is usually the first expensive purchase, and why mobile is the category hardest to do for free.

36.16 ⭐ Three matters land on your bench, all involving a single computer disk: (i) a grieving client needs ten years of family photos off an accidentally reformatted drive (anchor #1); (ii) a corporate IP-theft case headed for civil litigation (anchor #2); (iii) a criminal prosecution (anchor #4). (a) For each, name the toolchain and the ceremony (write-blocking, hashing, chain of custody, dual-tool verification, court-familiar tools) it does or does not require. (b) Explain why the same disk yields three different toolchains. (c) Identify the decisive branch most beginners skip, and state what goes wrong if you over-engineer (i) or under-document (ii).

36.17 Distinguish recovery tooling from forensic tooling in one or two sentences each, then explain the concrete harm in the chapter's warning: what specifically can go wrong if you use a casual recovery tool, without ceremony, on evidence that later turns out to be headed for court?


Group E — Validate your tools: trust, then verify

36.18 Distinguish the three NIST programs by what each one gives you: CFTT, CFReDS, and the NSRL. (a) For each, state in one sentence what it is and how you use it. (b) Which one publishes test reports for specific products against a written specification, making it the program you cite to speak the language of Daubert admissibility? (c) Name two of the CFTT tool categories (e.g., disk imaging, write-blocking, deleted-file recovery, string search, graphic-file carving, media preparation/wiping, mobile acquisition). (answer in Appendix)

36.19 Lab — validate a deleted-file-recovery tool. Following the chapter's "Try This," you download a CFReDS image with a documented set of deleted files. (a) Write the three things you must confirm to call the tool validated: about recall (did it find what is provably there), about fabrication (did it invent anything), and about agreement (what must two tools produce). (b) Why is "the carver recovered 40 files" meaningless without the ground truth telling you how many are actually recoverable? (c) State the chapter's two blunt one-liners about validation that you would write at the bottom of your log.

36.20 ISO/IEC 17025 requires documented validation of methods and tools, and SWGDE publishes validation-testing guidelines. (a) Explain why, in an accredited lab, tool validation is "not optional; it is auditable." (b) Why must you re-validate a tool after a major version upgrade rather than trusting the prior validation? (c) Tie this to a common mistake from the chapter: what does "skipping validation because the tool is famous or expensive" get wrong about the relationship between price/popularity and correctness?

36.21Design a validation test. You rely on a registry parser to report USB device serials and first-connection times. Design a repeatable CFReDS-style validation: (a) describe the known input you would prepare (include the detail about dirty hives and transaction logs that makes this test non-trivial), (b) the known-correct output you would check against, (c) the failure mode the test is specifically designed to catch (hint: the chapter's "feed the tool everything it needs" mistake), and (d) what you record in the validation log so the test is reproducible by someone else.


Group F — Dual-tool verification

36.22 State the dual-tool verification rule for a load-bearing finding, then complete the logic table: when two independent tools AGREE, what do you do? When they DISAGREE, what do you do, and why is a conflict described as "information, not a nuisance"? Finally, explain why the second tool ideally comes from a different vendor and codebase rather than just a different menu in the same suite. (answer in Appendix)

36.23 Lab — one artifact, three tools. Reproduce the chapter's triple-tool verification on the deleted client_export_FINAL.xlsx. (a) Recover it three ways — TSK icat, Autopsy Extract File, and X-Ways Recover/Copy — into three folders. (b) Compute the SHA-256 of each recovered file. (c) The chapter's expected result is that all three equal a1f3c9e7b2...d41. State precisely what a match across three independent codebases, two of them open to inspection, lets you say on the stand that "the software told me" never could. (d) What will a defense expert running their own fourth tool produce, and why is that exactly the position you want to be in?

36.24 Calculate and verify — write the check. (a) Write the two-line PowerShell idiom (using Get-FileHash -Algorithm SHA256) that compares the same file recovered by two tools and prints AGREE or CONFLICT. (b) The chapter's Python dualcheck harness compares directories of recovered files by hashing each by name and reports AGREE, CONFLICT, or MISSING. Explain what a MISSING result (a file present in one tool's output but not the other's) tells you, and why it is also something to investigate, not ignore. (c) State the standing rule both snippets embody: against what do you run these checks, and against what do you never run them?

36.25The War Story, dissected. A corporate examiner reported "no evidence of data exfiltration" after running a single commercial suite whose version had a bug parsing a newer Windows 11 LNK format — it silently skipped the very shortcuts that proved files were opened from a USB drive. Opposing counsel's expert found them in an afternoon with the open-source LECmd plus plain strings. (a) State the lesson the chapter draws — and the lesson it explicitly says is not the point ("the commercial tool is bad"). (b) At what exact moment would dual-tool verification have caught this, and what would the examiner have seen instead of a wrong conclusion in a signed report? (c) Connect this to theme #3 ("every action leaves a trace") in the chapter's own phrasing about the trace a tool failed to parse.


Group G — Court, judgment, and the progressive project

36.26 Under Daubert, a judge weighs whether a method has been tested, peer-reviewed, has a known error rate, follows standards, and is generally accepted. (a) Explain how the sentence "I used The Sleuth Kit and confirmed with X-Ways; both are widely used, TSK is open for inspection, and CFTT has tested the relevant function" speaks to four of those five factors — map each clause to a factor. (b) Explain why "I used a tool I wrote myself last week and can't fully explain" invites exclusion. (c) State the chapter's claim that choosing court-recognized, validated tools is "not conservatism" — what is it instead? (answer in Appendix)

36.27 Write the report — the methodology memo. Draft a 120–160-word methodology paragraph for the IP-theft matter that a competent cross-examiner could not impeach. Requirements: name every tool with its exact version (e.g., "Autopsy 4.21.0 / The Sleuth Kit 4.12.1; X-Ways 21.x"); state that the relevant function is CFTT-tested or lab-validated; record at least one dual-tool confirmation with the matching SHA-256; specify that all work was performed on a verified working copy whose acquisition hash is logged on the custody form; and reference the appendix that holds the templates. State which two later chapters this memo pre-answers.

36.28 Two examiners describe the same recovery. One writes: "I recovered the deleted spreadsheet." The other writes: "I recovered MFT entry 5830 with TSK icat and confirmed an identical SHA-256 with X-Ways, both current versions, on the verified working copy of mha-laptop.E01; the acquisition hash is logged on the custody form." (a) Which statement is reproducible, and why does reproducibility equal admissibility here? (b) Identify exactly what the first statement omits that the second supplies. (c) Tie this to the book's second theme ("the original is sacred") extended into the analysis phase — what does deriving a conclusion two independent ways protect, beyond the original evidence itself?

36.29Progressive project — choose and validate your case toolkit. Add a toolkit and validation memo to your Forensic Case File. (1) Inventory by question: list your evidence types and, for each question you must answer, name a primary tool and an independent verification tool, justifying each in one line by evidence type, budget, and court expectation. (2) Record validation status: for each primary tool, note CFTT-tested-or-lab-validated, the exact version, and the date last validated against known data (Appendix J); flag any tool with no validation entry. (3) Dual-tool a load-bearing finding: pick your single most important artifact, confirm it with two independent tools, and capture both outputs and their matching hashes (use the harness from the chapter or Get-FileHash); if they conflict, resolve and document it. (4) Write the memo: in half a page record the tools (names + versions), why each was chosen, validation status, and the dual-tool confirmations with hashes. Save the memo and both outputs into the case-file folder and hash the outputs into your worksheet (Appendix F). You will fold this into the master report at Chapter 38 — The Capstone Investigation, where a reviewer's first question is always "what tools, and how do you know they're right?"


Self-check. You have mastered this chapter when, handed any case, you start from the evidence and the question rather than the brand on your desk, and can do five things without overstating any of them: map the matter to the right class of tool and name leading open-source and commercial options in each; drive The Sleuth Kit down its layers (mmlsfsstatflsistaticat) to recover a deleted file by inode and validate its signature; choose a toolkit by case type, budget, and court — and explain the open-source/commercial trade-offs honestly; validate a tool against known data (CFTT/CFReDS/NSRL) and record version and validation status for the chain of custody; and perform dual-tool verification, treating any conflict as information to resolve before it reaches a signed report. If you can put one deleted file through three independent tools, watch the hashes converge, and write the methodology memo that makes the result survive cross-examination, you are ready for Chapter 37 — Building a Forensic Lab, where this toolkit gets a defensible, repeatable home.