Evidence
Forensic Basic/tool
Email/Mobile
Storage/Recovery
Security
Courtroom
100

Why should evidence media be write-protected?

To make sure data is not altered.

100

Which tool is commonly used to create forensic disk images?

FTK Imager

100

What files does Microsoft Outlook use to store email?

.pst / .ost

100

What is unallocated space?

Deleted-data space/Unused storage 

  • Deleted files leave empty space behind
  • New drive setup may have unused capacity
  • Partition changes can create free gaps

100

What affects brute-force cracking most?

Password length

100

What should a report explain besides findings?

Significance

200

What is chain of custody?

A documented record of who handled evidence, when, where, and why.

200

Name one forensic tool that can process evidence and reveal artifacts such as emails, internet history, and file activity.

Magnet AXIOM (also acceptable: Autopsy)

200

What is a Faraday bag used for?

Block signals / Isolate from network / Prevent remote wiping

200

What verifies evidence integrity?

Hashing

200

Least secure cloud model?

Public cloud

200

The most reliable way to ensure that jurors recall testimony  

Present evidence combining oral testimony and graphics that support the testimony.

300

Why create two forensic images instead of one?

To ensure one good backup copy exists if the other becomes damaged or corrupted.

300

What is the primary goal of digital forensics?

To collect, preserve, analyze, and present digital evidence.

300

What can remote wipe do?

Delete data/Factory Reset

1. Removing account information

2. Returning the phone to the original factory settings

3. Deleting contacts


300

Name two hashing algorithms.

MD5 / SHA-1

300

Why use strong passwords?

Harder to crack

300

What is meant by voir dire?

The process of qualifying a witness as an expert

400

What is the purpose of hashing in digital forensics?

To validate integrity and prove evidence has not changed.

400

What does “forensically sound” mean?

Evidence is collected in a way that preserves integrity and is defensible.

400

Why isolate a seized phone?

Prevent remote access/wiping

400

What can duplicate image files of different sizes indicate?

Steganography

400

What attack guesses many passwords?

Brute force


400

When using graphics while testifying, which of the following guidelines applies?

Make sure the jury can see your graphics.

Your exhibits must be clear and easy to understand.

Practice using charts for courtroom testimony.


500

An investigator accidentally changes file metadata during analysis. Why is this serious?

Evidence integrity is compromised, making findings less reliable or inadmissible.

500

What happens if evidence handling cannot be documented?

Evidence credibility may be challenged in court.

500

First action when phone is ON?

Isolate from network

500

What signs on a suspect drive might suggest hidden data inside image files?

  1. Steganography programs in the suspect's All Programs list

  2. Graphics files with the same name but different file sizes

  3. Multiple copies of a graphics file




500

What is the best password practice for users?

Long passphrase

500

If new technology or evidence changes your understanding, what should an expert witness do?

Update or revise their opinion based on new evidence.

600

What is one major limitation of a virtual machine running on a host computer?

Virtual machines are limited to the host computer's peripheral configurations, such as mouse, keyboard, CD/DVD drives, and other devices.

600

This is considered the most critical aspect of digital evidence because it proves the data has not changed.

VALIDATION 

600

What forensic tools can isolate a mobile phone from network signals and prevent remote access?

Faraday bags and shielded containers (such as paint cans)

600

What is the difference between data recovery and digital forensics?

Data recovery retrieves lost files; digital forensics investigates and interprets digital evidence

600

This security practice keeps forensic workstations isolated from outside networks during examinations.

No direct Internet connection / network isolation

600

What are the key responsibilities of a digital forensics lab manager?

Knowing the lab objectives

Making necessary changes in lab procedures and software

Ensuring that staff members have enough training to do the job
