Chapter 36 — Quiz
14 questions: 10 multiple choice, 2 true/false, 2 short answer. Answers and a scoring band at the bottom. Commit to an answer before you look — and notice that almost every question rewards understanding what a tool does over knowing its brand.
Multiple choice
Q1. A newcomer asks you, in good faith, "What's the best forensic tool?" What is the best answer? - A) EnCase, because it has the most case law behind it. - B) Autopsy, because it is free and built on The Sleuth Kit. - C) The question is wrong: there is no best tool, only the right instrument for the evidence, the question, the budget, and the court — like asking a surgeon for "the best medical device." - D) Whichever tool is newest, because it supports the most recent artifacts.
Q2. In The Sleuth Kit, which command outputs the contents of a file by its inode / MFT entry — the step that actually recovers a deleted file once fls and istat have located it?
- A) mmls
- B) fls
- C) icat
- D) blkls
Q3. In fls output, a deleted entry is marked with a *. What does that asterisk actually mean about the file?
- A) The file's content has been securely wiped and cannot be recovered.
- B) The file system still holds a name/metadata record for the file even though the user deleted it; if its data runs have not been overwritten, the content is recoverable (deleted ≠ destroyed).
- C) The file is encrypted.
- D) The file is a system file that should not be touched.
Q4. You hand two registry tools the same SYSTEM hive. Registry Explorer (which replays .LOG1/.LOG2 transaction logs) reports a USB device's first-connection time; a tool that reads only the raw hive reports nothing for that device. The most likely explanation is:
- A) One tool is fabricating data.
- B) The hive is "dirty" — a recent change still sits in the unmerged transaction logs, which Registry Explorer replayed and the raw-hive reader did not.
- C) USB devices are never recorded in the SYSTEM hive.
- D) The raw-hive reader is more accurate because it does not touch the logs.
Q5. bulk_extractor is described as "file-system-blind." What does that mean, and why is it useful?
- A) It cannot read any file system, so it is obsolete.
- B) It requires the file system to be mounted first.
- C) It streams across the raw bytes of an image regardless of structure — allocated, unallocated, slack, even compressed and nested data — extracting features (emails, URLs, GPS, credit-card numbers, even AES key schedules), which is exactly what you want when structure is damaged, partly encrypted, or too large to walk by hand.
- D) It only works on freshly formatted drives.
Q6. You receive a .raw memory image. Which statement is correct?
- A) Autopsy will analyze it directly.
- B) Volatility will parse the NTFS volume inside it.
- C) Memory is a separate instrument class: Volatility (often paired with MemProcFS and bulk_extractor) reads RAM images, while Autopsy will not read a RAM dump and Volatility will not parse an NTFS volume.
- D) Any disk tool reads a memory image without modification.
Q7. The Expert Witness Format (.E01), later reverse-engineered into the open-source libewf so that nearly every tool can read it, originated with which platform?
- A) FTK
- B) EnCase
- C) X-Ways
- D) Autopsy
Q8. Why is commercial tooling (Cellebrite, Magnet, MSAB) least optional for mobile devices? - A) Phones contain no useful evidence. - B) Open-source tools are not legally permitted for phones. - C) Locked bootloaders, encryption-by-default, secure enclaves, and app data formats that change weekly demand continuous, funded exploitation and parsing research that no volunteer project can sustain. - D) Phones cannot be imaged at all.
Q9. Which NIST program publishes written specifications for categories of forensic tools and test reports for specific products against those specs — the result you cite to speak the language of Daubert admissibility? - A) NSRL (National Software Reference Library) - B) CFReDS (Computer Forensic Reference Data Sets) - C) CFTT (Computer Forensics Tool Testing) - D) NIST SP 800-86
Q10. Why should a verification tool ideally come from a different vendor and codebase, not just a different menu inside the same suite? - A) It is cheaper to license two products. - B) Two tools that share a codebase can share the same bug, so their agreement proves little; independent codebases are unlikely to fail identically, which is what makes their convergence meaningful. - C) Courts forbid using the same suite twice. - D) Different vendors are always more accurate than open-source tools.
True/False
Q11. A $15,000 commercial suite is, by virtue of its price and "industry standard" reputation, already validated and does not need independent validation before you rely on its output in court. (True / False)
Q12. Recovery tooling and forensic tooling are interchangeable: a casual consumer undelete utility, run without a write-blocker or acquisition hash, produces evidence as defensible as a full forensic workflow. (True / False)
Short answer
Q13. On cross-examination, the answer "the software found it" loses. In two or three sentences, explain why the tool's word is not enough, and give the shape of the sentence that wins instead.
Q14. Most mature labs run both open-source and commercial tools "deliberately." In two or three sentences, explain that posture and give one concrete reason dual-tool verification is stronger when the second tool is an independent open-source program.
---
Answer key
Q1 — C. There is no best instrument, only the right one for the evidence, the question, the budget, and the court. Anchoring your skill to a method rather than a brand is what gives a career a longer shelf life than any product (theme four: technology changes, principles don't).
Q2 — C. icat outputs a file by its inode/MFT-entry address (e.g., icat -o 1024000 image.E01 5830-128-3). mmls reads the partition table, fls lists names, and blkls extracts unallocated space — each names the layer it reads.
Q3 — B. The pointer was removed from the active directory listing, but the name/metadata record survives. As long as the data runs are not overwritten, the content is recoverable — the cleanest demonstration of deleted ≠ destroyed.
Q4 — B. A hive copied from a live or imaged system is often "dirty": recent changes sit in .LOG1/.LOG2 not yet merged. Registry Explorer replays them to show the current state; a raw-hive reader (or an extraction that grabbed SYSTEM but not its logs) shows a stale view. This is exactly why "which tool, and did you give it the transaction logs?" is a fair cross-examination question.
Q5 — C. bulk_extractor ignores file-system structure and mines content from the raw bytes, which is the complement to carving (Ch.7) and file-system analysis: when structure is damaged, partly encrypted, or simply huge, ignoring it is the advantage. Its aes_keys.txt, run over a memory image, can even hand you a full-disk-encryption key.
Q6 — C. Memory analysis is its own instrument class. Volatility reads RAM images and exposes the live state the disk never holds; it will not parse an NTFS volume, and Autopsy will not open a RAM dump. Matching the tool class to the evidence type is the first selection decision.
Q7 — B. EnCase (originally Guidance Software, now OpenText) created the Expert Witness Format. It became so ubiquitous that the open-source world reverse-engineered it into libewf so everything could read .E01.
Q8 — C. Mobile is the part of the field where commercial tooling is least optional, because keeping up with locked devices and weekly app-format churn requires continuous, funded research. Free parsers exist (iLEAPP/ALEAPP) but are largely parse-only once you already have an extraction.
Q9 — C. CFTT writes specifications for tool categories (disk imaging, write-blocking, deleted-file recovery, string search, graphic-file carving, media preparation, mobile acquisition) and publishes product test reports. CFReDS supplies reference images with known ground truth; the NSRL supplies known-file hash sets.
Q10 — B. Independent codebases are unlikely to contain the same defect, so when they agree your finding is robust; when two views from one engine agree, they may merely be repeating one bug. This is why labs deliberately pair an open-source tool with a commercial one for the second check.
Q11 — False. Price and popularity are not correctness. A fifteen-thousand-dollar platform can carry a parsing bug, and a free tool can be more correct on a given artifact. Every tool needs validation (CFTT/CFReDS, known-answer testing), and you must re-validate after major version upgrades because new versions introduce new bugs.
Q12 — False. Recovery tooling optimizes for getting bytes back fast; forensic tooling and forensic discipline optimize for proving the bytes are unaltered and attributable. Running a casual recovery tool without ceremony on evidence headed for court can taint the case — see Case Study 2.
Q13 — Model answer. The tool does not testify; you do — and "the software found it" cannot be defended because it does not explain what artifact was parsed or why the result is true. The winning sentence names the mechanism and corroborates it: "the MFT still held a record pointing to un-overwritten data runs; I recovered the content with TSK's icat, confirmed it independently with X-Ways, validated the file signature, and both tools produced the same SHA-256."
Q14 — Model answer. The mature posture is "both, deliberately": commercial platforms for integration, scale, support, and currency (especially mobile and cloud), and the open-source stack kept sharp for budget, transparency, and the second-tool check. Dual-tool verification is stronger when the second tool is open-source because its source can be read, cited, and defended line by line — "I reproduced it with The Sleuth Kit, whose code is public" is something no closed product can match — and because an independently written codebase is unlikely to repeat the first tool's bug.
Scoring: 13–14 correct — you can choose tools by the case and defend every one of them; you are ready to give the toolkit a home in Chapter 37. 10–12 — solid; revisit "Open source vs. commercial" and "Validate your tools." 7–9 — you have the catalog but not yet the judgment; re-read "Choosing the right tool for the job" and "Dual-tool verification," then work the labs in exercises.md. Below 7 — re-read the chapter before moving on; in this field, a tool you cannot validate or explain is a finding you cannot defend.