Chapter 37 — Exercises
A mix of concept checks, spec-and-capacity calculations, hands-on labs (validate a tool with a known-answer carve, calculate and verify a hash, build an evidence-access timeline, write an SOP and a validation log), and judgment calls — because a lab is a set of decisions long before it is a pile of hardware. (answer in Appendix) = worked solution in Answers. ⭐ = stretch. Where a lab references a practice image, see Appendix J — Practice Images and Lab Setup. Do every hands-on exercise only on hardware and data you own — practice images, disposable media, public datasets — never on real evidence. Building the habit of touching only what you are allowed to touch is itself the first thing the budget lab teaches.
Group A — The four properties and the four labs
37.1 The chapter claims a folding table in a spare bedroom and a national law-enforcement unit "are both forensic labs, and the principles that make them trustworthy are identical." Name the four properties every lab is built to deliver, and for each, name the one subsystem (workstation, storage, network, documentation, or evidence locker) that most directly serves it. Then explain, in three or four sentences, why "a forensic lab is not defined by its price tag" is a statement about discipline, not a feel-good slogan — and what, concretely, the budget lab and the national lab differ in if not in principle. (answer in Appendix)
37.2 Reproduce the four kinds of lab (law-enforcement/government, corporate/in-house, data-recovery bench, home/learning) and, for each, state its "currency" — the thing it optimizes for — in five words or fewer. Then explain why the corporate lab that caught the insider (anchor #2) was built for civil defensibility while the lab that worked the court case (anchor #4) was built for criminal admissibility, and what single phrase from the chapter captures the rule that decides how many layers of formal proof a given lab wraps around the same four properties.
37.3 (Judgment.) A solo career-changer tells you they are going to "do it right from day one" and build a $200,000 lab with a clean room, a walk-in evidence vault, and ISO/IEC 17025 accreditation before taking a single case. Using theme five (know your limitations) and the chapter's "build to your mission" principle, explain why this is a mistake, not a virtue — and what they should build instead, including the role of a referral relationship.
37.4 ⭐ The chapter says the lab is "the book's whole worldview made into a physical place." Pick three of the book's six recurring themes (deleted ≠ destroyed; the original is sacred; every action leaves a trace; technology changes, principles don't; know your limitations; the human cost is real) and, for each, point to one specific physical or procedural feature of the lab that exists because of it. Aim for precision: not "documentation matters" but "the write-blocker validation log exists because every action leaves a trace — including the trace of which firmware refused which write on which date."
Group B — The forensic workstation
37.5 Explain why a forensic analysis workstation is built around high core count and maximum RAM rather than a fast GPU, by reference to the actual shape of the workload. List at least five forensic or recovery operations that are "embarrassingly parallel," and explain what that phrase means for how an indexing run scales from 4 cores to 32. Then state the one workload for which a GPU genuinely earns its place, and why. (answer in Appendix)
37.6 (Calculate / reason.) You are hashing a 4 TB forensic image — roughly 4 × 10¹² bytes — on a workstation with non-ECC RAM. (a) Explain, in terms of theme two and theme three, why a single silent bit-flip in RAM during that hash is a catastrophe and not a rounding error. (b) State what ECC (error-correcting) memory does about it. (c) Explain why the same instinct that makes you hash everything ("I want to prove the bytes are unchanged") is the instinct that should make you insist on ECC. (d) ⭐ Why is ECC support a reason to choose a workstation/server CPU class (Threadripper/EPYC/Xeon-W) over a consumer desktop CPU?
37.7 It is "a myth that Volatility loads an entire memory image into RAM." If that myth is false, justify the chapter's advice to buy maximum RAM anyway. Enumerate the four real sources of RAM pressure on a forensic workstation, and for each give a one-sentence reason. Then state the chapter's practical floor for a dedicated analysis box, the threshold at which 256 GB+ is justified, and the realistic minimum for a starter/field machine.
37.8 (Spec / write the report.) Write a one-paragraph purchase justification you could hand to a budget-holder for a 32-core, 256 GB ECC analysis workstation with a three-tier storage layout and one cracking GPU, explaining in plain business language why each major line item maps to throughput, integrity, or capability — and why the cheaper "gaming PC with a big GPU and 16 GB of RAM" is a false economy for casework. Keep it to the language a non-technical approver understands.
37.9 ⭐ Many labs separate the acquisition/imaging station from the analysis station. Explain the two distinct reasons the chapter gives for the split, and then explain why this separation also has a security benefit: what does keeping "the machine that touches evidence devices" lean and tightly controlled buy you that a single do-everything box cannot?
Group C — Storage tiers, RAID, and integrity
37.10 Reproduce the three-tier storage hierarchy (system/tools, working/scratch, evidence/archive) and, for each tier, give: its medium, the one value it is optimized for, whether it is rebuildable, and whether it may ever hold evidence. Then explain the single cardinal workflow rule that ties the tiers together — where the master image lives, where you work, and what you re-verify before every session — and which book theme it restates. (answer in Appendix)
37.11 (Calculate.) Compute usable capacity for each array, and state the failure tolerance of each: (a) 4 × 4 TB drives in RAID 0; (b) 8 × 16 TB drives in RAID 6; (c) 8 × 16 TB drives in RAID 10; (d) 6 × 8 TB drives in ZFS raidz2. Then explain why RAID 0 is acceptable for Tier 2 scratch but never for Tier 3 evidence, in one sentence, using the words "rebuildable" and "irreplaceable."
37.12 (Judgment.) Explain why a lab building Tier 3 commonly chooses RAID 6 over RAID 5, in terms of what happens during a multi-terabyte array rebuild after a single disk failure. Then explain the additional property a ZFS pool provides that ordinary RAID — of any level — cannot even detect, and why that property ("self-healing" against silent bit rot) is exactly what you want for evidence you must keep defensible for years. Tie this back to theme three.
37.13 (Calculate and verify a hash.) You acquired a master image and recorded its hash at acquisition (per Chapter 14):
SHA-256(CASE-2026-0142_master.E01) = 4e1d8b9a...c8e (full value in case file)
You copy it from Tier 3 to your Tier 2 scratch to begin work. (a) Write the exact hashdeep or Get-FileHash command you run on the working copy before you touch it, and state precisely what a match proves and what a mismatch tells you to do. (b) Explain why you re-verify "before every session," not just once. (c) ⭐ The image lives on a ZFS read-only snapshot; the working copy lives on RAID 0 scratch. Explain how each storage choice serves a different one of the four lab properties, and why neither alone is sufficient. (answer in Appendix)
37.14 (Judgment — redundancy is not backup.) A new examiner says, "Our evidence is safe — it's on a RAID 6 array that tolerates two drive failures." List four distinct events that RAID 6 does not protect against, and state the principle (with its memorable shorthand and the three numbers) that closes the gap. Then connect this to anchor #3 (the ransomware recovery): what lesson did a business learn the hard way that your evidence store must never have to learn?
Group D — Write-blockers, duplicators, and validation logs
37.15 (Concept / interface matrix.) A drive arrives that is an M.2 NVMe SSD. Your bench has a SATA hardware write-blocker and a USB write-blocker on the shelf. Explain why neither will protect this source, naming the physical interface NVMe actually speaks (and the chapter/where this distinction was drawn). Then list the realistic interface matrix a lab must cover, and name the two vendors whose multi-interface forensic bridges/docks cover the common cases. (answer in Appendix)
37.16 (Write the report — validation log.) You receive a new Tableau T7u NVMe bridge, firmware 2.x, serial T7U-55021, on 2026-07-02. Perform (describe) the validation drill from Chapter 14: hash a scratch disk, attempt a forced write through the blocker, re-hash, confirm identical. Then write the single-row validation-log entry in the chapter's format (date, device/serial, firmware, test result, by-whom). Finally, explain in one sentence why the log records firmware version and not just the model.
37.17 Distinguish, in your own words, a simple write-blocking bridge, a forensic duplicator (e.g., Tableau TX1, Logicube Falcon-NEO, Atola TaskForce), and software write-blocking (blockdev --setro, the Windows WriteProtect registry switch, a no-auto-mount forensic distro). For each, state when a lab reaches for it and one limitation. Then explain why software blocking is "a supplement for triage, not the foundation for evidentiary imaging."
37.18 ⭐ (Judgment / tool tip.) Explain how tying your blocker purchasing to NIST's Computer Forensics Tool Testing (CFTT) program strengthens admissibility, and write the one-sentence answer you would give on the stand to "How do you know this drive was not altered during your examination?" that references both the independent CFTT result and your own in-house validation. Then state the chapter's Limitation: name two situations in which a write-blocker, even when perfectly doing its job, cannot guarantee the device changed nothing on its own (hint: one involves an SSD's own controller).
Group E — Evidence storage, handling, retention
37.19 The chapter calls the evidence room "the chain of custody given walls." State the four non-negotiable properties of an evidence-storage area (single-custodian control; access logging; separation; environmental control), and explain why a safe that "three people can open without a record" is "a chain-of-custody gap with a lock on it." Then explain the relationship between a tamper-evident seal number and the access log. (answer in Appendix)
37.20 (Write the report — evidence record.) A 1 TB Samsung 970 NVMe SSD, serial S3TPNX0M9912, is pulled from a suspect laptop and acquired on 2026-07-05 09:14 by examiner AM using Guymager to E01, dual-hashed, then sealed (seal SB-5120) and stored in vault rack C, shelf 2, bin 4. Write the evidence-management record for this item in the chapter's format (item number 2026-0207-01, description, acquired, hashes [use truncated placeholders], stored/seal, status, retention, disposition). Then state which single field, if blank, would most undermine the item's defensibility, and why.
37.21 (Storage of images.) Explain the three properties that protect master forensic images at rest — encrypted, redundant, immutable (WORM) — and for each name a concrete mechanism from the chapter. Then explain the precise division of labor between hashing and WORM: which one detects alteration and which one prevents it, and why a defensible lab wants both rather than either alone.
37.22 (Build the timeline / judgment.) ⭐ During an audit you are handed these out-of-order evidence-room log fragments for item 2026-0207-01:
2026-07-09 16:05 released to AM (purpose: re-image working copy)
2026-07-05 09:14 acquired + sealed (SB-5120) by AM -> vault C/2/4
2026-07-12 11:20 returned to vault by AM -> C/2/4
2026-07-09 16:40 [no entry]
2026-07-07 10:30 released to JQ (purpose: technical review)
2026-07-07 13:15 returned to vault by JQ -> C/2/4
(a) Put the events in chronological order and describe, in one or two sentences, the item's custody story. (b) Identify the gap and explain why "the absence of a trace is itself a trace" makes that blank line a problem a defense attorney can exploit. (c) State exactly what should have been logged at 16:40 on 2026-07-09 to close the gap, and what you do now to remediate an already-broken record.
Group F — Network isolation and the malware sandbox
37.23 Explain why "the most dangerous thing in a forensic lab is not a drive — it is a live sample." Then contrast the two acceptable network postures, air-gap and strict segmentation, stating what each means concretely and the single principle they share ("analysis traffic and production traffic never mix"). Why is the detonation zone drawn as a separate island even from the forensic-analysis zone in the chapter's segmentation diagram? (answer in Appendix)
37.24 (Hands-on lab — build the isolation.) Using a hypervisor you own (VirtualBox, Hyper-V, or KVM), describe the steps to stand up a malware-detonation VM that cannot reach your network: (a) the type of virtual switch/network you create (internal-only / host-only with no forwarding) and why a bridged adapter would be a catastrophic mistake; (b) taking a clean snapshot before any detonation and reverting after; (c) why you give the sample a simulated internet (INETSIM or FakeNet-NG) rather than either real internet or no network at all. Name the two standard analysis VMs (one Windows, one Linux) the chapter cites.
37.25 ⭐ (Judgment — defense in depth.) The chapter's Limitation callout warns that "no isolation is perfect." Give two distinct ways an "isolated" environment has actually been defeated in the real world (one technical, one human), and explain what it means to treat the detonation zone as "expendable and assumed-hostile" — including what you keep off it and how often you rebuild it. Then explain why malware that detects virtualization and refuses to run sometimes pushes a serious lab toward physical, re-imaged "detonation" machines.
Group G — Software, tool validation, accreditation, and the budget lab
37.26 (Hands-on lab — recover from this image, then calculate and verify the hash.) You run a known-answer test to validate a new carver against a NIST CFReDS reference image that contains a documented JPEG. From the recovered file ref_0007.jpg you read the first and last bytes:
0x00000000 FF D8 FF E0 00 10 4A 46 49 46 00 01 01 00 00 48 ......JFIF.....H
...
0x0004B1FE ... FF D9
(a) Confirm the file is a structurally complete JPEG, identifying what FF D8 FF, the ASCII JFIF, and the trailing FF D9 each prove. (b) State the one more test that turns "looks like a JPEG" into "the tool recovered the file faithfully," and write the command that performs it. (c) Write the tool-validation-log row for this result (date, tool/version, function, method, result). (d) ⭐ Explain why this single carve, recorded, is "your Daubert defense" and not merely good housekeeping. (answer in Appendix)
37.27 Define tool validation and explain why it is "the direct, physical link between your software and the Daubert standard." Describe the three validation methods the chapter pairs together — known-answer testing against reference data (name two sources), dual-tool verification, and citing NIST CFTT / vendor results — and explain why a lab deliberately keeps overlapping commercial and open-source tools.
37.28 (Judgment — the version-pinning tension.) You are three weeks into a complex case worked in Autopsy 4.x when a major new version is released with a parser you would love to have. State the forensic tension this creates, and the three professional practices that resolve it (record exact tool+version with every finding; validate a new version before trusting it on casework; pin the toolset for the duration of a case). Explain why "which version produced this finding?" is a question you must always be able to answer, and which book theme that restates.
37.29 (Write the report — SOP + accreditation.) Draft a one-page acquisition SOP of your own, modeled on the chapter's SOP-014, with at least seven numbered steps that enforce: write-blocking with a validated device, dual hashing, verify-after-creation, recording hashes in three places, re-sealing the original, working only on the copy, and a deviation/technical-review rule. Then, in two or three sentences, explain why even an unaccredited corporate or recovery lab "should borrow [the practices accreditation demands] wholesale," and name the standard (and the U.S. body that now accredits to it) that a formally accredited digital-forensics lab meets.
37.30 ⭐ (Progressive project — set up your analysis environment.) You are one chapter from the capstone. Stand up and document your lab at whatever scale you can, then add the artifacts to your Forensic Case File: (1) a lab description (workstation, the three separate storage roles, tools and versions); (2) an evidence-storage note (your chosen encryption mechanism — BitLocker/LUKS/VeraCrypt — and CASE-YYYY-NN/ naming + a one-line access rule); (3) a completed tool-validation log from a real known-answer test against a CFReDS/Digital Corpora image (or a USB you populated and documented yourself — see Appendix J); (4) a write-protection validation record; (5) your one-page acquisition and analysis SOPs. State, in one sentence, why running every capstone finding through this documented, validated environment is what will make your capstone report "defensible rather than merely plausible."
Self-check. You have mastered this chapter when you can do four things without notes: spec a forensic workstation from the shape of the workload (cores, ECC RAM, three storage tiers, GPU only where it earns its place) and defend every line; design evidence storage that is encrypted, redundant, WORM-immutable, backed up off-site, and access-logged, and explain which property hashing provides and which WORM provides; architect network isolation and a contained malware sandbox so a sample can never reach the evidence store, production, or the real internet; and run a known-answer tool validation end to end — carve a known file, verify its hash against documented ground truth, and write the log row that is your Daubert defense. If the storage-tier rule, the RAID-versus-backup distinction, or the validation log still feels hazy, re-read the matching section before Chapter 38 — The Capstone Investigation, where you will work a complete case inside the lab you just built.