Chapter 25 — Self-Check Quiz

25 questions: multiple choice and short answer. Try them closed-book. The answer key is in the collapsed block at the bottom.

Multiple choice

1. Digital forensics is best described as:
   - A. Hacking into devices to find criminals
   - B. The scientific identification, preservation, acquisition, examination, and interpretation of data on digital devices for use as evidence
   - C. Recovering files that were never deleted
   - D. Predicting crimes from social-media data

2. The defining feature of digital evidence that makes it difficult to handle is that it is:
   - A. Always encrypted
   - B. Intangible and effortlessly changed
   - C. Stored only in the cloud
   - D. Visible only to the device owner

3. At a digital crime scene, the most important reflex for a seized, powered-on phone is to:
   - A. Unlock it immediately to preserve the data
   - B. Turn it off to save battery
   - C. Isolate it from the network (e.g., a Faraday bag) to prevent remote wipe and syncing
   - D. Connect it to Wi-Fi to back it up

4. A forensic image differs from an ordinary file copy because it:
   - A. Is smaller and faster to make
   - B. Captures only the user's documents
   - C. Is a complete, bit-for-bit duplicate including deleted and hidden regions
   - D. Automatically decrypts the device

5. A write blocker is used during acquisition to:
   - A. Speed up imaging
   - B. Allow reading from the evidence drive while physically preventing any write to it
   - C. Encrypt the original drive
   - D. Delete irrelevant files

6. A cryptographic hash value is forensically valuable mainly because:
   - A. It compresses the data
   - B. The same input always yields the same hash, any single-bit change alters it completely, and it cannot feasibly be reversed or forged
   - C. It reveals who created a file
   - D. It proves a file is true

7. If the hash of a forensic image still matches the acquisition hash months later, this proves:
   - A. The data is authentic and true
   - B. The defendant created the files
   - C. The data has not been altered since acquisition
   - D. The device was lawfully seized

8. When a file is "deleted" and the recycle bin is emptied, typically:
   - A. The data is immediately and permanently destroyed
   - B. The file's index entry is removed and its space marked reusable, while the contents remain until overwritten
   - C. The data moves to the cloud
   - D. The data is encrypted

9. File carving recovers files by:
   - A. Asking the filesystem where they are
   - B. Recognizing files' internal structure (headers/footers) in raw unallocated space, independent of the filesystem
   - C. Decrypting the drive
   - D. Reading the recycle bin

10. A file recovered by carving from unallocated space usually lacks:
    - A. Any recoverable content
    - B. Its original filename, reliable timestamp, and folder context
    - C. The ability to be opened
    - D. A hash value

11. Metadata is best described as:
    - A. The visible content of a file
    - B. Data that describes other data (e.g., a file's timestamps, author, or a photo's GPS coordinates)
    - C. Deleted data only
    - D. Encrypted data only

12. A photograph's embedded EXIF GPS coordinate at a location establishes that:
    - A. The owner was at that location
    - B. The phone was at that location when the photo was taken — not necessarily its owner
    - C. A crime occurred there
    - D. The photo is authentic

13. Calling a modern smartphone a "life-logger" reflects that:
    - A. It is only a telephone
    - B. It automatically records location, communications, movement, and app activity in a uniquely complete way
    - C. It cannot be searched without consent
    - D. Its data is always inadmissible

14. Commercial mobile-extraction tools are described as "black boxes" because:
    - A. They are physically black
    - B. Their internal methods are proprietary trade secrets, not published or independently auditable
    - C. They never work
    - D. They are illegal

15. Cell-site/location data establishes that a phone was:
    - A. At a precise GPS point
    - B. In the coverage area of a particular tower sector at a given time
    - C. In a specific building
    - D. Held by a specific person

16. The popular intuition that "a phone always connects to the nearest tower" is:
    - A. Always true
    - B. Often false — signal strength depends on terrain, congestion, antenna geometry, and obstructions
    - C. True only in cities
    - D. Irrelevant to forensics

17. In rural terrain like the cold case's cabin, a cell sector's coverage area can be:
    - A. A few meters across
    - B. Miles across, so the phone could be anywhere in that wedge
    - C. Exactly the size of one building
    - D. Impossible to estimate at all

18. The historically overstated use of cell-site evidence in court was to:
    - A. Place a phone in a broad area
    - B. Contradict an alibi
    - C. Pinpoint a phone to a specific spot/building, as if it were GPS
    - D. Note which carrier the phone used

19. Cell-site data is most legitimately powerful when used to:
    - A. Pinpoint the exact spot of a crime
    - B. Identify the device's user
    - C. Contradict an alibi by showing the phone was in the scene's area when the suspect claimed to be far away
    - D. Prove guilt by itself

20. Riley v. California (2014) and Carpenter v. United States (2018) together establish that, generally:
    - A. Phones can be searched freely on arrest
    - B. A warrant is generally required to search a phone's contents and to obtain historical cell-site records
    - C. Encryption is illegal
    - D. Cell-site data is inadmissible

21. Strong device encryption means that:
    - A. Investigators can always access a phone with a warrant
    - B. A warrant grants permission but not the technical capability to open a locked, encrypted device
    - C. Hashing no longer works
    - D. Deleted data is always recoverable

Short answer

22. In two sentences, explain why hashing proves integrity but not authenticity or truth. Give one example of evidence that would hash consistently yet still be false.

23. Name two distinct reasons a phone's cell-site records are weaker placement evidence than its GPS-derived location log, and state the honest verb appropriate to each.

24. A detective gives the digital examiner the "expected" conclusion before analysis. State the bias risk and one safeguard (preview of Chapter 31).

25. In the cold case, write one sentence an honest examiner could say on the stand about Keller's cell-site evidence, and one sentence that would overstate it.


Answer key

**Multiple choice:** 1-B · 2-B · 3-C · 4-C · 5-B · 6-B · 7-C · 8-B · 9-B · 10-B · 11-B · 12-B · 13-B · 14-B · 15-B · 16-B · 17-B · 18-C · 19-C · 20-B · 21-B

**Short answer (model points):**

**22.** A hash answers exactly one question — "did the data change?" — and answers it conclusively; it says nothing about who created the data, when it was really written, or whether it accurately reflects the world. Example: a message fabricated and planted on a phone *before* seizure will hash just as consistently as a genuine one, so a matching hash proves the planted message is unaltered, not that it is true. (Integrity ≠ authenticity ≠ truth.)

**23.** Any two, e.g.: (a) **coverage area, not a point** — cell-site records place the phone in a tower sector's wedge (possibly miles across in rural terrain), whereas a GPS log is accurate to meters; (b) **tower selection is loose** — a phone does not always use the nearest tower (terrain, congestion, antenna geometry), so the sector-to-location mapping is probabilistic, while GPS is a direct positional fix. **Honest verbs:** cell-site → "the phone was *in the area of* / its records are *consistent with* (or *inconsistent with* an alibi)"; GPS log → "the phone was *at* (to within meters)." Neither, by itself, proves *who* held the phone.

**24.** **Risk:** the "expected" conclusion *anchors* the examination — among enormous data volumes, ambiguous fragments get read toward the wanted answer (contextual/confirmation bias). **Safeguard:** keep the desired conclusion away from the analyst where the workflow allows, document search terms/methods *before* running them, and report what was *not* found as carefully as what was; a finding produced blind is worth more than one produced knowing the answer, even when they agree.

**25.** **Honest:** "The historical cell-site records are consistent with Mr. Keller's phone being in the coverage area that includes the cabin during the relevant window, and they are inconsistent with his stated alibi of being an hour away; they do not place the phone — or him — at the cabin specifically." **Overstated:** "The cell records prove Keller was at the cabin when the fire was set."