CYBER FORENSICS
Q1. Which of the following is a memory-only malware?
A. Worm
B. Exploit kit
C. Fileless malware
D. Ransomware
Answer: C. Fileless malware
Explanation: Fileless malware resides in RAM and disappears after reboot.
Q2. A “cold boot attack” extracts data from:
A. BIOS ROM
B. RAM after shutdown
C. SSD flash cells
D. Graphics cache
Answer: B. RAM after shutdown
Explanation: RAM retains its contents for seconds after power loss (longer when chilled), so encryption keys can be recovered by cooling the modules and dumping memory.
Q3. “Entropy analysis” in digital forensics is used to detect:
A. Time stamps
B. Encrypted or compressed data
C. File system errors
D. Hidden partitions
Answer: B. Encrypted or compressed data
Explanation: High entropy indicates encrypted or compressed data, which may conceal hidden content.
Q4. Which technique hides data in network traffic patterns?
A. Steganography
B. Packet crafting
C. Covert channels
D. Tunneling
Answer: C. Covert channels
Explanation: Covert channels encode data in header fields or timing patterns.
Q5. A “timestamp anti-forensic technique” that alters timestamps is:
A. MAC spoofing
B. Timestomping
C. File carving
D. Log wiping
Answer: B. Timestomping
Explanation: Timestomping modifies MAC (Modified, Accessed, Created) times.
Q6. Which OS artifact maintains a list of recently accessed files?
A. Registry
B. Prefetch files
C. NTFS journal
D. Dump files
Answer: B. Prefetch files
Explanation: Prefetch files (*.pf) track program execution and last run times.
Q7. The tool “dcfldd” is used for:
A. Wi-Fi analysis
B. Secure data wiping and imaging
C. Network visualization
D. Rootkit detection
Answer: B. Secure data wiping and imaging
Explanation: dcfldd is an enhanced version of dd with built-in hashing and logging capabilities.
Q8. APFS snapshots are used for:
A. Encryption
B. System restore points
C. File filtering
D. Network logging
Answer: B. System restore points
Explanation: APFS supports fast system rollback through snapshots.
Q9. A “beaconing” pattern in network traffic is indicative of:
A. Keylogging
B. Data wiping
C. Malware communicating with C2 servers
D. Port scanning
Answer: C. Malware communicating with C2 servers
Explanation: Beaconing refers to periodic attempts by malware to contact its command-and-control server.
Q10. The primary challenge with SSD forensic acquisition is:
A. Lack of storage
B. Wear-leveling and garbage collection
C. Incompatible cables
D. Slow read speed
Answer: B. Wear-leveling and garbage collection
Explanation: SSDs constantly relocate and rewrite blocks, so deleted data can be overwritten almost immediately.