Chapter 38 — Quiz
14 questions: 10 multiple choice, 2 true/false, 2 short answer. Answers and a scoring band at the bottom. This is the integration chapter, so the questions cross phases on purpose — commit to an answer before you look.
Multiple choice
Q1. Two disciplines run underneath every one of the twelve lifecycle phases, without interruption. Which are they? - A) Carving and hashing. - B) Chain of custody and contemporaneous documentation. - C) Encryption assessment and memory capture. - D) Reporting and testimony.
Q2. On the MHA exhibit you record a container hash (verified against the sidecar on receipt) and an acquisition/bitstream hash (re-verified on load). What does each prove?
- A) They are the same number computed twice for safety.
- B) The container hash proves the imaged data equals the source disk; the acquisition hash proves the file arrived unaltered.
- C) The container hash proves the .E01 file arrived in transit unaltered; the acquisition hash proves the imaged data equals what was read from the source at acquisition.
- D) The container hash is for civil cases and the acquisition hash is for criminal cases.
Q3. A subject machine is found powered on, logged in, encryption posture unknown. Why is "pull the plug, then image" the wrong reflex? - A) Pulling power damages the drive platters. - B) If full-disk encryption is in play, the decryption key is in RAM right now and is lost the instant power is cut — you may convert a readable case into an unreadable one; capture RAM first, per the order of volatility. - C) The BIOS clock resets on power loss and corrupts every timestamp. - D) You must always image a machine while it is running.
Q4. For one archive, $STANDARD_INFORMATION` Born is `2024-01-05 09:00:00.0000000` while `$FILE_NAME Born is 2026-06-11 21:05:47.3318442 and the USN journal records FILE_CREATE at 2026-06-11 21:05:47. What is the correct reading?
- A) The file was created in 2024; the later dates are tool errors.
- B) The $SI` time is the kernel truth; the `$FN time was forged.
- C) The $SI` time was backdated (note the zeroed sub-seconds); the kernel-maintained `$FN and the USN journal show the true creation on 2026-06-11 — a timestomp.
- D) Timestamps are unreliable, so no creation date can be stated.
Q5. In browser history, why is a TYPED navigation to a personal-cloud login treated as stronger evidence than a LINK navigation? - A) TYPED pages load faster and so are logged more reliably. - B) TYPED means the user deliberately entered the address, whereas a LINK/redirect/subframe is incidental — TYPED is a deliberate human act. - C) LINK navigations are never recorded by Chromium. - D) TYPED navigations cannot be deleted.
Q6. SRUM (SRUDB.dat) shows chrome.exe sent ≈490 MB outbound in the upload window. What does this support, and what does it not prove?
- A) It proves the specific dataset was uploaded; nothing further is needed.
- B) It proves a process sent a large volume of bytes consistent with the dataset's size, but it is an aggregate counter, not a packet capture — it does not prove what was inside the bytes or who was at the screen.
- C) It proves which human operator performed the upload.
- D) It proves the files were encrypted before sending.
Q7. Why do examiners identify files by hash-set matching / PhotoDNA rather than by opening and viewing them? - A) It is the only way to compute a SHA-256. - B) It confirms a file's identity against a curated reference set without anyone viewing the content — protecting victims' dignity and limiting examiner exposure in the gravest cases, and avoiding needless exposure to sensitive data (e.g., patient records) in others. - C) Viewing files alters their hashes. - D) Courts forbid examiners from opening any file.
Q8. In correlation, when is a lead allowed to graduate to a supported finding? - A) When the examiner is personally confident it is true. - B) When at least two independent mechanisms, produced by different subsystems, converge on it. - C) When a single high-quality artifact establishes it beyond doubt. - D) When the client confirms it matches their theory.
Q9. Which conclusion is proportionate to convergent forensic evidence of file copying and upload? - A) "The custodian stole the data and is guilty of misappropriation." - B) "J. Okafor personally sat at the keyboard and exfiltrated the dataset with intent to harm MHA." - C) "The evidence is consistent with copying of the proprietary dataset to a removable device on 2026-06-11 and upload to a personal cloud account on 2026-06-12." - D) "Nothing can be concluded because timestamps can be faked."
Q10. On cross, the attorney asks, "Couldn't malware have copied those files without your client knowing?" What is the disciplined answer? - A) "No, that's impossible." - B) "I searched for malware and remote-access tooling and found none; that negative finding is in the report. I cannot exclude every possibility, but the evidence identified none." - C) "I didn't check for malware — that wasn't my job." - D) "My client is innocent, so it must have been malware."
True/False
Q11. The convergent registry, LNK, USN, and timeline evidence proves that J. Okafor, the person, copied the files to the device. (True / False)
Q12. If a relevant region of the disk was securely wiped and no lawful key or copy exists, the examination has failed and you have nothing to report. (True / False)
Short answer
Q13. Explain the chapter's warning that "you cannot retrofit a chain of custody — you can only have kept one," and state what it means for how a 💾 recovery technician should run every job, even one that will probably never see a court.
Q14. In two or three sentences, explain the deepest limit of a capstone investigation — "the gap between what and who" — using the MHA case, and give the professional sentence the chapter says you must be able to say without flinching when the evidence runs out.
---
Answer key
Q1 — B. Chain of custody and contemporaneous documentation run unbroken beneath all twelve phases; everything else is a phase, not a substrate. A finding you never wrote down, hashed, and filed "did not happen."
Q2 — C. The container hash proves the .E01 file arrived in transit unaltered (it matched the sidecar on receipt); the acquisition/bitstream hash, stored inside the E01 and re-verified on load, proves the imaged data equals what was read from the source disk. Two different numbers doing two different jobs — confusing them is a cross-examination gift.
Q3 — B. The order of volatility says capture the most fleeting evidence first. A running, possibly-encrypted machine holds the decryption key in RAM now; cutting power can lose it and render the disk unreadable. Photograph state, capture RAM with a validated tool, collect volatile artifacts, then make the dead-box decision.
Q4 — C. The user-settable $STANDARD_INFORMATION` was backdated (the zeroed sub-seconds are a classic tell), while the kernel-maintained `$FILE_NAME and the $UsnJrnl FILE_CREATE record agree on the true creation of 2026-06-11 — a detected timestomp. Trust the kernel's clock over the user's.
Q5 — B. A TYPED transition means the user deliberately entered the address; a subframe/redirect/LINK is incidental. The deliberate human act is the stronger artifact, and it also argues against an "it was just automated sync" alternative.
Q6 — B. SRUM's per-application byte counter supports an inference of a large outbound transfer consistent with the dataset's size, but it is an aggregate, not a packet capture; it does not establish the content of the bytes or who was watching the screen. Strength comes from convergence with the file-access timeline, not from SRUM alone.
Q7 — B. Hash-set matching and PhotoDNA confirm a file's identity against a curated set without viewing it: in the anchor case this protects victims' dignity and the examiner's well-being; in the MHA case the same restraint lets you prove a dataset's identity without trawling a stranger's medical records.
Q8 — B. Correlation requires convergence: a claim becomes "supported" only when independent mechanisms from different subsystems agree. A single artifact is a data point; a conclusion is a corroborated pattern. (This is exactly what the chapter's CorrelatedFinding helper enforces with its >= 2 independent-mechanisms rule.)
Q9 — C. "Consistent with copying… and upload…" is proportionate to the evidence. "Stole," "guilty," "with intent," and naming the human operator import intent, identity, and a legal verdict the forensic evidence alone does not establish; "nothing can be concluded" under-claims when corroboration is strong.
Q10 — B. The disciplined answer points to the negative finding already in the report (no malware/RAT identified) and honestly concedes you cannot exclude every possibility while noting the evidence identified none. Overclaiming ("impossible") or having skipped the check both lose credibility.
Q11 — False. The evidence ties the activity to the jokafor profile, a device, and a session — never to a pair of hands. Another person could have used an unlocked session or shared credentials. You write "activity occurred within the jokafor profile" and reserve any statement about the operator for a clearly labeled, qualified inference.
Q12 — False. "Acquired, verified, and inaccessible" — or "recoverable only via escrow/PIN/court order" — is a complete, professional result, not a failure. Knowing which sentence to write, and writing "the evidence is insufficient to reach a conclusion" without flinching when it is true, is itself the skill.
Q13 — Model answer. A chain of custody and the integrity it proves must be built as you go — hashes recorded at acquisition, an unbroken custody log, work on a verified copy; none of it can be reconstructed credibly after a dispute arises, because its credibility comes from predating the dispute. So a recovery technician should run every job with enough phase-1/phase-2 discipline (who authorized this? what is the scope? image first, record the hashes, log custody) that if the recovery turns into a case — fraud surfaces on the reformatted drive, the ransomware job becomes an insurance fight — the paperwork already holds up. You cannot retrofit it; you can only have kept it.
Q14 — Model answer. Digital evidence routinely establishes what happened on a system and when — a device was attached, files were copied, ≈490 MB went out — while leaving the human operator and the human intent underdetermined; the MHA case can show copying from the jokafor profile to a device and an upload to a personal cloud account, but cannot prove from bytes alone which person sat at the keyboard or what they meant to do. The sentence you must be able to say calmly is, "the evidence is insufficient to reach a conclusion on this question."
Scoring: 13–14 correct — you can run and defend a complete matter end to end; you are capstone-ready. 10–12 — solid; revisit correlation (convergence before conclusion), proportionality (account ≠ person, "consistent with" ≠ "stole"), and the two-hash distinction. 7–9 — you have the phases but not yet the seams; re-read "Phase 10 — Correlate," "Phase 11 — Report," and "Limitations: knowing when to stop." Below 7 — re-read the chapter and run one public scenario image through the full lifecycle before assembling your own case file; the integration is the skill the quiz is testing, not any single technique.