CYBER FORENSICS
Q1. Slack space refers to:
A. Network buffer
B. Unused space within the last cluster of a file
C. RAM allocation
D. Reserved BIOS area
Answer: B. Unused space within the last cluster of a file
Explanation: Slack space may contain remnants of previously stored data.
Q2. A “live forensic acquisition” differs from static analysis because:
A. It captures volatile memory
B. It uses free tools
C. It does not involve imaging
D. It only uses hardware write blockers
Answer: A. It captures volatile memory
Explanation: Live acquisition captures RAM, network state, and running (volatile) processes, which are lost once the system is powered off.
Q3. What is the primary purpose of a hardware write blocker?
A. Speed up data transfer
B. Prevent writes to the source drive
C. Encrypt the evidence
D. Display logs
Answer: B. Prevent writes to the source drive
Explanation: Write blockers ensure forensic integrity by blocking write commands.
Q4. The file “hiberfil.sys” stores:
A. Deleted files
B. Memory content saved during system hibernation
C. Registry history
D. Cache data
Answer: B. Memory content saved during system hibernation
Explanation: Windows uses hiberfil.sys to save RAM state, rich in forensic artifacts.
Q5. Which encryption mode is most vulnerable to predictable patterns?
A. CBC
B. ECB
C. CFB
D. OFB
Answer: B. ECB
Explanation: ECB encrypts blocks independently — identical plaintext = identical ciphertext.
Q6. Which registry hive stores information about Windows user accounts?
A. NTUSER.DAT
B. SYSTEM
C. SAM
D. SOFTWARE
Answer: C. SAM
Explanation: SAM contains hashed passwords and account details.
Q7. The TCP three-way handshake consists of:
A. SYN → ACK → FIN
B. ACK → SYN → FIN
C. SYN → SYN/ACK → ACK
D. SYN/ACK → ACK → RST
Answer: C. SYN → SYN/ACK → ACK
Explanation: The three-way handshake establishes a reliable TCP connection before any data is exchanged.
Q8. Which forensic artifact contains Wi-Fi profile passwords in Windows?
A. NTUSER.DAT
B. SAM
C. SYSTEM32 logs
D. WLAN XML files
Answer: D. WLAN XML files
Explanation: XML profiles are stored in C:\ProgramData\Microsoft\Wlansvc\Profiles\Interfaces\...
Q9. APFS is the default file system for:
A. iOS and macOS (new versions)
B. Linux
C. Windows
D. Android
Answer: A. iOS and macOS (new versions)
Explanation: Apple File System (APFS) is optimized for flash/SSD.
Q10. Network traffic capture files in Wireshark are saved as:
A. .pcap / .pcapng
B. .cab
C. .xml
D. .txt
Answer: A. .pcap / .pcapng
Explanation: .pcap and .pcapng are standard packet capture formats.