Chapter 37 — Quiz
14 questions: 10 multiple choice, 2 true/false, 2 short answer. Answers and a scoring band at the bottom. Commit to an answer before you look.
Multiple choice
Q1. Why is a forensic analysis workstation built around high CPU core count rather than a powerful gaming GPU? - A) Forensic tools cannot use a GPU at all. - B) The core forensic/recovery workloads — hashing, carving, indexing, super-timeline building, archive expansion, password cracking — are embarrassingly parallel and scale nearly linearly with cores. - C) GPUs are not available in workstation-class machines. - D) Core count determines how much evidence a drive can hold.
Q2. Why does a serious forensic workstation use ECC (error-correcting) memory? - A) ECC RAM is faster than ordinary RAM. - B) ECC lets you install more total RAM. - C) A single silent bit-flip in non-ECC RAM during a hash over trillions of bytes can change the digest and make a faithful image appear altered; ECC detects and corrects single-bit errors. - D) Court rules require ECC by name.
Q3. On which storage tier is a striped RAID 0 array acceptable, and why? - A) Tier 3 evidence/archive, because RAID 0 is the most reliable level. - B) Tier 2 working/scratch, because it holds only the rebuildable working copy and nothing irreplaceable, while delivering the throughput that sets your tempo. - C) Tier 1 system/tools, because the OS needs redundancy most. - D) None — RAID 0 has no place in a forensic lab.
Q4. Why do labs commonly choose RAID 6 over RAID 5 for a large evidence array? - A) RAID 6 is cheaper per terabyte. - B) RAID 5 cannot be encrypted. - C) Rebuilding a multi-terabyte array after one failure takes long enough that a second failure during the rebuild is a real risk; RAID 6 tolerates any two simultaneous failures. - D) RAID 6 is the same as a backup.
Q5. A drive arrives that is an M.2 NVMe SSD. Which statement is correct? - A) Any SATA write-blocker will protect it. - B) NVMe speaks PCIe, not SATA, so a SATA blocker is useless against it; you need an NVMe/PCIe bridge (e.g., a Tableau T7u). - C) NVMe drives cannot be write-blocked at all. - D) A USB write-blocker is the correct tool for an internal M.2 NVMe SSD.
Q6. What does WORM (Write Once, Read Many) storage add that a hash alone does not provide? - A) It makes the data download faster. - B) Hashing prevents alteration; WORM merely detects it. - C) Hashing detects alteration after the fact; WORM (e.g., LTO WORM tape, ZFS read-only snapshots, S3 Object Lock in compliance mode) prevents the overwrite in the first place — the medium refuses the write. - D) Nothing; WORM and hashing are the same control.
Q7. When you must run a suspected malware sample dynamically, why give it a simulated internet (INETSIM / FakeNet-NG) rather than real internet or no network? - A) Real internet is too slow for analysis. - B) Letting it reach the real internet can tip off the attacker and pull a second-stage payload, while simply cutting the cord makes the sample do nothing interesting; a fake internet answers its requests so you can observe its behavior with nothing leaving the lab. - C) Simulated internet makes the malware run faster. - D) Malware refuses to execute without a real DNS server.
Q8. What is a known-answer test in tool validation? - A) Asking the vendor whether the tool works. - B) Running the tool against data whose correct result is already documented (e.g., NIST CFReDS or Digital Corpora) and confirming the tool produces that known answer — for a carved file, the right bytes and the expected hash. - C) Comparing two examiners' opinions. - D) Running the tool twice and seeing if it agrees with itself.
Q9. To which standard do digital-forensics laboratories formally accredit, and through which U.S. body today? - A) ISO 9001, through the FBI. - B) ISO/IEC 17025 ("General requirements for the competence of testing and calibration laboratories"), through ANAB (the ANSI National Accreditation Board, successor to ASCLD/LAB since 2016). - C) HIPAA, through the FTC. - D) PCI-DSS, through SWGDE.
Q10. Which statement best describes the budget/learning lab? - A) Its free tools are toys; you cannot learn real forensics without commercial suites. - B) SANS SIFT, REMnux, Autopsy, Volatility, plaso, Wireshark, and FTK Imager are the same tools used in professional labs; the gap is capacity, speed, and legal context — not the capability to learn the craft. - C) You should practice on real evidence to get realistic experience. - D) A budget lab cannot run a write-blocker.
True/False
Q11. A RAID 6 array is a form of backup, so a lab that stores its master images on RAID 6 does not need separate off-site copies. (True / False)
Q12. A correctly functioning hardware write-blocker on the source guarantees that nothing on the connected drive changes during examination. (True / False)
Short answer
Q13. It is a myth that Volatility loads an entire memory image into RAM. In two or three sentences, explain why a forensic workstation should still be specified with as much RAM as you can afford.
Q14. In two or three sentences, explain the difference between redundancy and backup, and why a complete evidence-storage design needs both.
---
Answer key
Q1 — B. The work is parallel: an indexing run that takes nine hours on four cores takes a bit over an hour on thirty-two. Cores, not frame rate, clear a caseload; a GPU matters only for cracking and ML triage.
Q2 — C. When you compute a hash over four trillion bytes, a single silent bit-flip in non-ECC RAM can change the digest and make a faithful image look altered. ECC detects and corrects single-bit errors, so the memory does not lie to you — the same logic that makes you hash everything makes you want ECC.
Q3 — B. RAID 0 is acceptable only on Tier 2 scratch precisely because that tier holds the rebuildable working copy (re-copy from the master) and its throughput sets your tempo. It must never hold Tier 3 evidence, which is irreplaceable.
Q4 — C. A single-disk rebuild on a multi-terabyte array is long enough that a second failure during the rebuild is a genuine risk; RAID 6 survives any two simultaneous failures. (RAID is still not a backup — see Q11.)
Q5 — B. NVMe is a PCIe-attached protocol, not SATA (the distinction drawn in Chapter 3). A SATA blocker cannot bridge it; you need an NVMe/PCIe write-blocker such as the Tableau T7u.
Q6 — C. The hash detects change; WORM prevents it because the medium itself refuses the overwrite (LTO WORM, archival BD-R, ZFS read-only snapshots, S3 Object Lock compliance mode — which even an administrator cannot delete before retention expires). A defensible lab wants both.
Q7 — B. Real internet tips off the attacker and may pull a second-stage payload; no network makes the sample inert. A simulated internet answers DNS/HTTP/etc. so you observe the malware's intentions while nothing leaves the lab.
Q8 — B. A known-answer test runs the tool against documented reference data (NIST CFReDS, Digital Corpora, or a test image you built with planted, documented files) and confirms the known result — for a carve, the correct signature and the expected SHA-256.
Q9 — B. ISO/IEC 17025 is the standard; ASCLD/LAB's accreditation function merged into ANAB in 2016, which now accredits forensic labs to it (and crime-scene units to ISO/IEC 17020).
Q10 — B. The free toolchain is professional-grade; SIFT, REMnux, Autopsy, Volatility, plaso, Wireshark, and FTK Imager are found on government and corporate benches. The budget lab differs in capacity/speed and legal context, not in the ability to learn — practice only on data you are allowed to touch.
Q11 — False. RAID survives a drive failure; it does not survive deletion, ransomware, fire, flood, or theft. The 3-2-1 principle (three copies, two media types, one off-site) applies to evidence too — and doubly, because the data is irreplaceable and consequential. (Anchor #3's ransomware lesson lands here.)
Q12 — False. The blocker guarantees you did not write; it cannot guarantee the device changed nothing on its own. A TRIM-happy SSD's own controller can be garbage-collecting deleted data even while the host is correctly blocked, and soldered/self-encrypting/chip-off scenarios bypass the bridge entirely.
Q13 — Model answer. RAM is the workstation's cache: modern memory dumps are 256 GB+, and operations such as process-tree building, injected-code scanning, and yarascan re-read the image many times, running far faster when the OS can cache large portions in physical memory. RAM is also consumed simultaneously by full-text indexers and database engines, several concurrent VMs, and occasionally by artifacts (a reconstructed RAID set, a giant mailbox) that must be opened whole.
Q14 — Model answer. Redundancy (RAID 6/10, ZFS) protects against the ordinary, certain event of a drive failing; backup protects against deletion, corruption, ransomware, fire, flood, and theft — events redundancy cannot survive. An evidence store needs redundancy so a dead disk never loses a master image, and off-site/offline backups so a single catastrophe at the lab cannot destroy the only copy of irreplaceable evidence.
Scoring: 13–14 correct — you could scope and defend a real lab build, from workstation spec to validation log. 10–12 — solid; revisit the storage-tiers and tool-validation sections and the RAID-versus-backup distinction. 7–9 — you have the vocabulary but not yet the boundaries; re-read "The storage hierarchy," "Evidence storage and handling," and "Software, licensing, updates, and tool validation." Below 7 — re-read the chapter before the capstone; the lab is the environment that makes every later finding defensible, and a gap here becomes a gap a defense attorney will find.