CCNA Storage Forensics and File System Analysis Questions

75 of 172 questions · Page 1/3 · Storage Forensics and File System Analysis · Answers revealed

1
Multi-Select · medium

Which TWO of the following are features of the NTFS file system that can be used to hide data? (Select TWO.)

Select 2 answers
A. Master File Table (MFT)
B. Host Protected Area (HPA)
C. $Recycle.bin
D. Alternate Data Streams (ADS)
E. Volume Shadow Copy
Answers: C, D

The $Recycle.bin folder is hidden and can be used to conceal files, though it's intended for deleted items.

Why this answer

NTFS offers two key features for hiding data: Alternate Data Streams (ADS) allow hidden data to be attached to files, and the USN Journal (while not primarily for hiding) can be manipulated to hide changes. However, the USN Journal is more of a forensic artifact than a hiding technique. The best answers are ADS and the $Recycle.bin folder (which can be used to hide files).

HPA (Host Protected Area) is a disk-level feature rather than an NTFS feature, even though it can exist on a drive that holds an NTFS volume. The intended correct answers are Alternate Data Streams and the $Recycle.bin folder (which is hidden).

2
MCQ · hard

An investigator is analyzing a memory dump from a compromised server using Volatility. The 'pslist' plugin shows a process with no parent PID (PPID). Which of the following is the most likely explanation?

A. The process is a system idle process
B. The process is a kernel thread and has no parent
C. The process list is incomplete due to memory corruption
D. The process is a rootkit that has unlinked itself from the process list
Answer: B, D

Correct: Kernel threads may not have a parent process in the userland process list.

Why this answer

In Volatility, pslist may show processes without a parent if the parent process has exited or the process list is corrupted. However, a more common forensic scenario is that the process is a kernel-mode rootkit hiding its parent.

3
Multi-Select · medium

Which TWO of the following are file systems that use journaling to maintain integrity?

Select 2 answers
A. NTFS
B. FAT32
C. ext4
D. HFS+
E. APFS
Answers: A, C

NTFS uses a log file for journaling.

Why this answer

NTFS and ext4 both use journaling. FAT32 does not. APFS uses a copy-on-write mechanism that is journal-like, and HFS+ has journaling, but the question may expect ext4. In any case, NTFS and ext4 are the clear examples.

4
MCQ · medium

An examiner is analyzing an SSD and notices that TRIM is enabled. Why does TRIM pose a challenge for digital forensics?

A. TRIM increases the wear leveling, which reduces the lifespan of the SSD
B. TRIM encrypts the deleted data, making it inaccessible without the key
C. TRIM compresses data, altering the original content
D. TRIM causes the SSD to physically overwrite deleted data with zeros, preventing recovery
Answer: D

TRIM instructs the SSD to erase blocks, making data unrecoverable.

Why this answer

TRIM allows the SSD to erase data blocks that are no longer in use, making it difficult to recover deleted files because the data is physically erased by the SSD's garbage collection.

5
Multi-Select · medium

A forensic analyst is investigating a compromised Linux server running an ext4 file system. The analyst suspects the attacker deleted critical log files (e.g., /var/log/auth.log) and wants to recover them. Which TWO techniques would be MOST effective for recovering the deleted files?

Select 2 answers
A. Running `extundelete` on the partition
B. Checking the `.Trash-1000` folder
C. Using `foremost` to perform file carving based on headers and footers
D. Restoring from the `lost+found` directory
E. Executing `dd if=/dev/sda1 of=image.dd` and analyzing with `strings`
Answers: A, C

extundelete can recover deleted files from ext3/ext4 by parsing the journal.

Why this answer

For ext4, deleted file recovery can be achieved by scanning the journal for recent file metadata, or by carving the raw disk for file signatures. The inode's block pointers are cleared upon deletion, but the journal may still contain recent copies of the metadata.

6
MCQ · medium

During a forensic examination of a Windows system, an analyst runs the Volatility plugin `netscan` on a memory dump. What information does this plugin primarily provide?

A. Network connections and listening sockets with associated processes
B. Open files and handles for each process
C. List of all running processes and their parent processes
D. The contents of the Windows firewall rules
Answer: A

Correct. netscan scans for network artifacts.

Why this answer

netscan enumerates network connections (TCP and UDP) and listening sockets from the memory dump, including state, local/remote addresses, and owning process.

7
MCQ · easy

A security analyst is investigating a compromised Windows server and wants to capture the contents of RAM for analysis. Which of the following tools is specifically designed for this purpose?

A. Foremost
B. WinPmem
C. Volatility
D. FTK Imager
Answer: B

Correct. WinPmem is a dedicated memory acquisition tool for Windows.

Why this answer

WinPmem is a memory acquisition tool for Windows, part of the Rekall project, used to dump physical memory.

8
MCQ · medium

An analyst is investigating a compromised Linux system and runs `ls -i` on a deleted file's directory. The inode number is 12345. Which tool can recover the file contents by referencing the inode?

A. debugfs
B. scalpel
C. foremost
D. icat
Answer: A

debugfs is a standard tool for ext2/3/4 filesystem debugging and can retrieve data by inode.

Why this answer

The debugfs tool can be used to examine and recover files by inode on ext2/3/4 filesystems. The command `debugfs -R 'cat <12345>' /dev/sda1` would output the file contents.

9
Multi-Select · medium

Which THREE of the following are techniques used to hide data on a hard drive?

Select 3 answers
A. File carving
B. Host Protected Area (HPA)
C. Slack space
D. Alternate Data Streams
E. Hashing
Answers: B, C, D

HPA is a hidden area on ATA drives.

Why this answer

Alternate Data Streams (ADS) hide data in NTFS streams. Slack space can hide data in unused cluster space. HPA hides data in a reserved area on ATA drives.

File carving is a recovery technique, not hiding. Hashing verifies integrity.

10
Multi-Select · easy

Which two of the following are tools used for memory forensics acquisition? (Choose TWO.)

Select 2 answers
A. Autopsy
B. FTK Imager
C. WinPmem
D. Volatility
E. LiME
Answers: C, E

Correct: WinPmem captures Windows memory.

Why this answer

WinPmem and LiME are memory acquisition tools for Windows and Linux respectively.

11
MCQ · easy

During a forensic analysis of a Windows 10 system, an investigator needs to locate the Master File Table ($MFT) to analyze file metadata. Which file system structure contains the $MFT?

A. ext4 superblock
B. FAT32's File Allocation Table
C. HFS+ catalog file
D. NTFS volume's Master File Table
Answer: D

Correct: $MFT is the Master File Table in NTFS.

Why this answer

The $MFT is a core NTFS system file that contains metadata for all files and directories on an NTFS volume.

12
MCQ · medium

An analyst notices that a file on an NTFS volume occupies 4096 bytes on disk but its actual data is only 100 bytes. The extra space contains remnants of a previously deleted file. What is this extra space called?

A. Volume slack
B. Free space
C. RAM slack
D. File slack
Answer: D

File slack is the unused space in the last cluster of a file that may contain data from other files.

Why this answer

File slack is the unused space between the end of the file data and the end of the last cluster allocated to the file.

13
Multi-Select · hard

An analyst is conducting memory forensics on a Windows system using Volatility. Which THREE commands can provide information about network connections?

Select 3 answers
A. netscan
B. pstree
C. connscan
D. sockets
E. pslist
Answers: A, C, D

Why this answer

netscan, connscan, and sockets are Volatility plugins used to enumerate network connections. pslist and pstree list processes.

14
MCQ · hard

An analyst is examining a RAID 5 array of three disks. One disk has failed and been replaced; the array is rebuilding. Which of the following is the most significant forensic challenge regarding data acquisition from this array?

A. The failed disk cannot be imaged because it is physically damaged
B. The rebuild process may overwrite unallocated space or remnants of deleted files
C. RAID 5 arrays cannot be imaged using traditional tools like dd
D. The array must be imaged while degraded to preserve evidence
Answer: B

Correct: Rebuild writes parity and data, potentially destroying evidence.

Why this answer

RAID 5 distributes parity across disks. During rebuild, write operations occur that can overwrite deleted data or alter metadata, complicating acquisition.

15
MCQ · medium

A security analyst detects suspicious activity on a Windows workstation. They acquire RAM using WinPmem and analyze it with Volatility. Which Volatility command would list all active processes along with their parent process IDs?

A. volatility -f mem.dmp pslist
B. volatility -f mem.dmp pstree
C. volatility -f mem.dmp connscan
D. volatility -f mem.dmp netscan
Answer: B

pstree shows process hierarchy with parent PID.

Why this answer

The pstree plugin displays processes in a tree format showing parent-child relationships. pslist lists processes but not parent PIDs.

16
MCQ · hard

An analyst discovers a hidden partition on a hard drive that does not appear in the standard MBR partition table. The drive uses GPT partitioning. Which area of the disk should be examined to find evidence of a hidden partition?

A. The Master Boot Record (MBR) in sector 0
B. The GPT header and partition entry array located after the protective MBR
C. The Volume Boot Record (VBR) of the C: drive
D. The Host Protected Area (HPA) at the end of the disk
Answer: B

The GPT header and partition entries define all partitions. A hidden partition might be omitted from the main table but could be discovered by scanning the entire disk for GPT-like structures.

Why this answer

GPT uses a Protective MBR in the first sector, followed by the GPT header and partition entries. A hidden partition might be created by modifying the GPT header or by using alternative partitioning schemes that are not listed in the main GPT table.

17
MCQ · easy

Which forensic tool is specifically designed to recover lost partitions or file system structures and can also be used for data carving?

A. Sleuth Kit
B. EnCase
C. TestDisk
D. Volatility
Answer: C

Why this answer

TestDisk is a powerful tool for recovering lost partitions and fixing boot sectors. It can also carve data from unallocated space.

18
MCQ · hard

A forensic investigator is analyzing a RAID 0 array consisting of two disks. She uses FTK Imager to acquire the logical drive. However, the data appears interleaved. What additional step is necessary to properly assemble the image?

A. Use EnCase to acquire each disk separately and mount as a RAID volume
B. Simply reorder the disk images alphabetically
C. Reconstruct the RAID by determining stripe size and order, then combine the images
D. Use PhotoRec to carve files from raw images
Answer: C

RAID 0 requires knowledge of stripe size and disk order to reassemble.

Why this answer

FTK Imager can acquire a logical drive but may not reassemble RAID 0 stripes automatically. The analyst needs to identify stripe size and order, then combine the disks using a RAID reconstruction tool.

19
MCQ · easy

A forensic analyst finds a partition that uses the Master Boot Record (MBR) scheme. Which of the following is TRUE about the MBR partition table?

A. It uses a 128-bit Globally Unique Identifier (GUID) for partitions
B. It supports disks larger than 2 TiB
C. It stores partition information in a 64-byte table
D. It stores a backup partition table at the end of the disk
Answer: C

The MBR partition table is 64 bytes, containing four 16-byte entries.

Why this answer

The MBR uses a 32-bit Logical Block Address (LBA) which limits the maximum addressable disk size to 2 TiB. It stores a 64-byte partition table with four primary partitions.

20
Multi-Select · easy

Which TWO of the following are examples of file carving tools? (Select two.)

Select 2 answers
A. WinPmem
B. FTK Imager
C. PhotoRec
D. Foremost
E. dd
Answers: C, D

Correct. PhotoRec is a file carver from the TestDisk suite.

Why this answer

Foremost and PhotoRec are well-known file carving tools that recover files based on headers/footers.

21
MCQ · medium

During a forensic investigation of a hard disk, the investigator finds that the partition table is missing. The disk was previously partitioned using GPT. Which area of the disk should be examined to recover the GPT partition table?

A. Last sector of the disk
B. Volume boot record
C. Master Boot Record (LBA 0)
D. LBA 1 (sector 1)
Answer: D

The GPT header and partition entries start at LBA 1.

Why this answer

GPT stores a primary partition table at LBA 1 (sector 1) and a backup at the end of the disk. The protective MBR is at LBA 0.
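The layout that Questions 16, 19 and 21 describe can be checked on a raw image. The following is an added example written for this page (not code from the page or from any tool it names): it parses the 64-byte MBR partition table at offset 0x1BE of LBA 0, recognizes the protective entry of type 0xEE that a GPT disk carries, and parses the GPT header at LBA 1, verifying its CRC32 (computed over the header with the CRC field zeroed) and reading the backup-header LBA that points at the end of the disk. The two-sector sample image, its disk GUID and partition sizes are constructed for the demonstration; the field layouts follow the MBR and UEFI GPT specifications.

```python
# Added example: parse a constructed MBR / GPT image (not code from the page or any tool).
import struct
import zlib

SECTOR = 512
MBR_ENTRY_FMT = "<B3sB3sII"          # status, CHS start, type, CHS end, start LBA, sector count (16 bytes)
GPT_HDR_FMT = "<8sIIIIQQQQ16sQIII"   # 92-byte GPT header, UEFI field order
GPT_HDR_SIZE = 92
PROTECTIVE_MBR_TYPE = 0xEE


def parse_mbr(sector: bytes) -> list:
    """Return the non-empty entries of the 64-byte partition table (four 16-byte entries at 0x1BE)."""
    if len(sector) != SECTOR or sector[510:512] != b"\x55\xAA":
        raise ValueError("not a valid MBR sector (missing 0x55AA signature)")
    entries = []
    for i in range(4):
        off = 0x1BE + 16 * i
        status, _chs_s, ptype, _chs_e, lba, count = struct.unpack(MBR_ENTRY_FMT, sector[off:off + 16])
        if ptype != 0:
            entries.append({"index": i, "bootable": status == 0x80, "type": ptype,
                            "start_lba": lba, "sectors": count})
    return entries


def mbr_max_addressable_bytes() -> int:
    """32-bit LBA fields: 2**32 sectors of 512 bytes = 2 TiB."""
    return 2 ** 32 * SECTOR


def parse_gpt_header(sector: bytes) -> dict:
    """Parse the GPT header at LBA 1 and verify its CRC32 (computed with the CRC field zeroed)."""
    (sig, rev, hsize, crc, _res, cur_lba, backup_lba, first_usable, last_usable,
     disk_guid, pe_lba, n_entries, entry_size, _pe_crc) = struct.unpack(GPT_HDR_FMT, sector[:GPT_HDR_SIZE])
    if sig != b"EFI PART":
        return {"valid_signature": False, "crc_ok": False}
    zeroed = sector[:16] + b"\x00" * 4 + sector[20:hsize]   # CRC field lives at offset 16..20
    crc_ok = (zlib.crc32(zeroed) & 0xFFFFFFFF) == crc
    return {"valid_signature": True, "crc_ok": crc_ok, "revision": rev, "header_size": hsize,
            "current_lba": cur_lba, "backup_lba": backup_lba, "first_usable_lba": first_usable,
            "last_usable_lba": last_usable, "disk_guid": disk_guid.hex(),
            "partition_entry_lba": pe_lba, "num_entries": n_entries, "entry_size": entry_size}


def detect_scheme(image: bytes) -> str:
    """'gpt' when LBA 0 holds a lone protective 0xEE entry and LBA 1 a valid header; else 'mbr' or 'unknown'."""
    try:
        entries = parse_mbr(image[:SECTOR])
    except ValueError:
        return "unknown"
    if len(entries) == 1 and entries[0]["type"] == PROTECTIVE_MBR_TYPE:
        hdr = parse_gpt_header(image[SECTOR:2 * SECTOR])
        return "gpt" if hdr["crc_ok"] else "gpt-header-corrupt"
    return "mbr" if entries else "unknown"


def build_gpt_image(total_sectors: int = 2048) -> bytes:
    """Constructed sample: protective MBR in LBA 0, GPT header in LBA 1, nothing else."""
    mbr = bytearray(SECTOR)
    mbr[0x1BE:0x1CE] = struct.pack(MBR_ENTRY_FMT, 0x00, b"\x00\x02\x00", PROTECTIVE_MBR_TYPE,
                                   b"\xFF\xFF\xFF", 1, total_sectors - 1)
    mbr[510:512] = b"\x55\xAA"
    # GUID and partition-entry CRC are placeholders; the header CRC is computed for real.
    fields = [b"EFI PART", 0x00010000, GPT_HDR_SIZE, 0, 0, 1, total_sectors - 1, 34,
              total_sectors - 34, b"\x11" * 16, 2, 128, 128, 0]
    body = struct.pack(GPT_HDR_FMT, *fields)
    fields[3] = zlib.crc32(body) & 0xFFFFFFFF
    hdr = struct.pack(GPT_HDR_FMT, *fields).ljust(SECTOR, b"\x00")
    return bytes(mbr) + hdr


def build_mbr_image() -> bytes:
    """Constructed sample: a classic MBR with one bootable NTFS (type 0x07) partition."""
    mbr = bytearray(SECTOR)
    mbr[0x1BE:0x1CE] = struct.pack(MBR_ENTRY_FMT, 0x80, b"\x00\x02\x00", 0x07,
                                   b"\xFF\xFF\xFF", 2048, 204800)
    mbr[510:512] = b"\x55\xAA"
    return bytes(mbr)
```

A failed header CRC is the cue to read the backup header from the last LBA instead, which is why the backup location matters for the recovery scenario in Question 21; the partition entry array itself is not parsed here.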

22
Multi-Select · easy

Which TWO of the following are commonly used tools for file carving (recovering files based on file signatures)? (Select TWO.)

Select 2 answers
A. Nmap
B. Foremost
C. Wireshark
D. John the Ripper
E. Scalpel
Answers: B, E

Foremost is a classic file carver that uses configuration files to define signatures.

Why this answer

Foremost and Scalpel are well-known file carving tools that use header/footer signatures to recover files from disk images.

23
Multi-Select · medium

Which TWO of the following are Volatility plugins used for process enumeration? (Select two.)

Select 2 answers
A. pslist
B. netscan
C. pstree
D. mftparser
E. hashdump
Answers: A, C

Correct. pslist lists processes from the EPROCESS list.

Why this answer

pslist lists processes by walking the doubly-linked list. pstree displays process hierarchy. Both are standard process enumeration plugins.

24
MCQ · hard

An analyst is investigating a Linux system that used ext4. The suspect deleted several files and then ran 'fstrim' on the partition. Which of the following best describes the challenge in recovering the deleted data?

A. The ext4 journal will automatically purge the metadata of deleted files
B. Data recovery is still possible using file carving because fstrim only affects free space
C. The inodes are overwritten immediately, making recovery impossible
D. The TRIM command instructs the SSD to permanently erase the blocks, and wear leveling may also have moved data
Answer: D

Why this answer

The fstrim command sends TRIM commands to the SSD, causing the device to garbage-collect and erase deleted blocks. Wear leveling may have moved data, complicating recovery.

25
MCQ · medium

During a forensic examination of an SSD, the analyst notes that TRIM is enabled. What challenge does TRIM pose for data recovery?

A. TRIM reduces the lifespan of the SSD by excessive writes
B. TRIM compresses data, altering forensic signatures
C. TRIM encrypts data, preventing forensic access
D. TRIM permanently erases deleted data at the block level, hindering recovery
Answer: D

TRIM informs the SSD to erase blocks, making recovery difficult.

Why this answer

TRIM allows the SSD to erase data blocks that are no longer in use, making it difficult to recover deleted files because the physical data may be zeroed out.

26
MCQ · easy

During a forensic investigation, an examiner wants to recover deleted files from a FAT32 file system. Which structure is most critical for file recovery?

A. File Allocation Table (FAT)
B. Master File Table (MFT)
C. Journal
D. Inode table
Answer: A

FAT stores cluster chains; deleted files may have their directory entries and FAT chains intact.

Why this answer

The File Allocation Table (FAT) contains cluster chains for files; deleted entries may still be recoverable if not overwritten.

27
MCQ · easy

What is slack space in a file system?

A. Space used by the file system journal
B. The unused portion of a file's last cluster
C. Space reserved for the MBR
D. Space between partitions on a disk
Answer: B

File slack is the unused bytes in the last cluster assigned to a file.

Why this answer

Slack space is the unused portion of a cluster that remains after a file is written, potentially containing residual data from previous files.

28
Multi-Select · easy

An analyst is preparing to analyze a RAID 5 array of three disks. The analyst wants to reconstruct the logical volume for file system analysis. Which THREE steps are essential in this process?

Select 3 answers
A. Use a tool like `mdadm` (Linux) or RAID reconstructor (Windows) to assemble the array
B. Zero out the first sector of each disk to remove remnants of previous arrays
C. Determine the disk order and stripe size
D. Identify the parity rotation method (left-symmetric, etc.)
E. Run `chkdsk` on each individual disk before reconstruction
Answers: A, C, D

Specialized tools are needed to combine the disks.

Why this answer

RAID reconstruction involves identifying the order of disks, stripe size, and parity layout, then using a tool that can reassemble the array to access the file system.

29
MCQ · medium

A forensic investigator is analyzing a USB drive formatted with FAT32 and finds that a deleted file's directory entry still exists but the first character of the filename is replaced with 0xE5. What does this indicate?

A. The file is marked as hidden
B. The file has been deleted
C. The file is encrypted
D. The file is fragmented
Answer: B

0xE5 is the deletion marker in FAT directory entries.

Why this answer

In FAT file systems, when a file is deleted, the first byte of the directory entry is set to 0xE5 to mark it as deleted, while the rest of the entry remains until overwritten.

30
MCQ · easy

A forensic analyst is examining a Windows 10 system and needs to view the Master File Table ($MFT) to identify recently deleted files. Which tool is most appropriate for parsing the $MFT directly?

A. Wireshark
B. John the Ripper
C. EnCase
D. Nmap
Answer: C

EnCase is a forensic suite that can parse $MFT entries and recover deleted files.

Why this answer

The $MFT is a core component of NTFS. EnCase has built-in support for parsing $MFT and extracting file metadata.

31
MCQ · medium

An investigator uses the Volatility framework on a memory dump from a Windows 10 system. Which command would list all processes, including those hidden by rootkits?

A. volatility -f memory.dmp --profile=Win10x64 psscan
B. volatility -f memory.dmp --profile=Win10x64 pslist
C. volatility -f memory.dmp --profile=Win10x64 psxview
D. volatility -f memory.dmp --profile=Win10x64 pstree
Answer: C

psxview cross-references multiple sources to detect hidden processes.

Why this answer

The 'psxview' plugin in Volatility compares process lists from various sources to detect hidden processes.

32
MCQ · easy

Which of the following is a Windows-based forensic suite that provides timeline analysis, keyword search, and file system browsing for forensic investigations?

A. Wireshark
B. FTK
C. Autopsy
D. EnCase
Answer: C

Autopsy is an open-source platform with timeline, keyword search, and file browsing.

Why this answer

Autopsy is an open-source digital forensics platform that runs on Windows, Linux, and macOS. It provides timeline analysis, keyword search, and file system browsing.

33
MCQ · hard

During a forensic analysis of an APFS volume, the investigator needs to examine file metadata such as creation time, modification time, and extended attributes. Which APFS structure contains this information?

A. Volume Superblock
B. Journal
C. Inode Table
D. Extent Reference Tree
Answer: C

APFS uses inode-like structures (inode number) that hold standard metadata including timestamps and permissions.

Why this answer

In APFS, files and directories are represented by inodes. The inode contains basic metadata. Extended attributes are stored separately in B-tree structures.

34
Multi-Select · medium

Which TWO of the following are valid methods to hide data on an NTFS file system without using external tools?

Select 2 answers
A. Embedding data in file slack space
B. Storing data in the NTFS file system journal ($LogFile)
C. Using the $Volume attribute in the MFT
D. Encrypting data with EFS
E. Using Alternate Data Streams (ADS)
Answers: A, E

File slack is unused space at the end of a cluster that can be filled with data.

Why this answer

Alternate Data Streams (ADS) allow hiding data within a file's stream. Slack space (file slack) can hide data in unused bytes between the end of file and end of cluster. Both are native NTFS features.

35
MCQ · medium

An investigator is analyzing a FAT32 drive and notices that a deleted file's directory entry still exists, but the first byte of the filename is changed to 0xE5. What does this indicate about the file?

A. The file is fragmented
B. The file is marked as deleted but its data clusters may still be intact
C. The file has been securely overwritten
D. The file is encrypted
Answer: B

0xE5 indicates deletion; clusters are marked free but data remains until overwritten.

Why this answer

In FAT file systems, a deleted file's directory entry has the first byte of the filename set to 0xE5. The clusters in the FAT may still be allocated or marked as free.

36
MCQ · hard

An analyst discovers that a Windows system has hidden data in the Host Protected Area (HPA) of the hard drive. Which tool or method can be used to detect and access the HPA?

A. Using the Windows Disk Management utility
B. Using the hdparm command in Linux with the -N flag
C. Using the Volatility framework
D. Using the chkdsk command
Answer: B

hdparm -N /dev/sda shows the user-accessible capacity vs. native capacity, revealing HPA.

Why this answer

HPA is a region of the disk that is normally hidden from the operating system. Tools like hdparm (Linux) or MBRTool can be used to detect and modify HPA settings. FTK and EnCase can also detect HPA when imaging at the device level.

37
MCQ · medium

A forensic investigator recovers a hard drive from a suspect's computer. The drive is detected as 120 GB in BIOS, but forensic tools report only 100 GB of addressable space. Which data hiding technique is MOST likely being used?

A. Device Configuration Overlay (DCO)
B. Volume slack
C. Host Protected Area (HPA)
D. Alternate Data Streams (ADS)
Answer: C

Correct. HPA reduces the reported capacity to hide data in the protected area.

Why this answer

Host Protected Area (HPA) is a region on ATA drives that can be hidden from the OS by using the SET MAX ADDRESS command. It is commonly used for hiding data.

38
MCQ · medium

An investigator needs to analyze the contents of the Windows Recycle Bin on a system running Windows 10. Which artifact(s) should the investigator examine to determine the original location and deletion time of a file in the Recycle Bin?

A. The 'System Volume Information' folder
B. The '$I' and '$R' files in the $Recycle.Bin\<SID> folder
C. The 'INFO2' file in the Recycled folder
D. The 'desktop.ini' file in the Recycle Bin
Answer: B

$I files contain metadata (original name, path, deletion time); $R files contain the actual data.

Why this answer

In Windows Vista and later, the Recycle Bin uses the $Recycle.Bin folder, with each user having a subfolder named by SID. The 'Info2' file or the '$I<filename>' files contain metadata such as the original path and deletion time.

39
MCQ · medium

A forensic analyst is examining a USB drive formatted with FAT32. A suspect claims they deleted a file several weeks ago. The analyst uses a carving tool but cannot recover the file. What is the MOST likely reason for the failed recovery?

A. The file was encrypted and cannot be carved
B. FAT32 does not support file carving
C. The file was stored in the MFT, which is only present in NTFS
D. The file clusters were overwritten by new data
Answer: D

Correct. File carving relies on data still being present; overwritten data cannot be recovered.

Why this answer

On FAT32, when a file is deleted, the directory entry is marked as deleted (first byte set to 0xE5) and the FAT clusters are freed. If the clusters have been reallocated and overwritten, carving fails.
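Questions 29, 35 and 39 all turn on the same FAT mechanics: deletion replaces only the first byte of the 32-byte directory entry with 0xE5, the entry's first-cluster and size fields survive, the FAT chain is released, and recovery works only until the freed clusters are reused. The following is an added example written for this page (not code from the page or from any carving tool) that parses constructed short-name directory entries, recovers a deleted file from its surviving first-cluster and size fields under the assumption that the file was contiguous, and then shows the same recovery failing once the cluster has been overwritten. The volume layout (16-byte clusters, a 64-byte root directory, the two files) is constructed; the entry field offsets follow the FAT specification.

```python
# Added example: FAT32 short-name directory entries, the 0xE5 deletion marker, and why
# recovery fails once clusters are reused. Constructed image; not code from the page.
import struct
from dataclasses import dataclass

ENTRY_FMT = "<8s3sBBBHHHHHHHI"   # 32-byte short-name directory entry (FAT specification layout)
DELETED_MARKER = 0xE5
ATTR_LONG_NAME = 0x0F
CLUSTER_SIZE = 16                # tiny clusters for readability (real FAT32: 512 B to 64 KiB)
DATA_START = 64                  # constructed layout: 64-byte root directory, then the data region


@dataclass
class DirEntry:
    name: str
    attr: int
    first_cluster: int
    size: int
    deleted: bool


def parse_entry(raw: bytes) -> DirEntry:
    (name, ext, attr, _nt, _tenth, _ctime, _cdate, _adate, clus_hi,
     _wtime, _wdate, clus_lo, size) = struct.unpack(ENTRY_FMT, raw)
    deleted = name[0] == DELETED_MARKER      # only the first name byte is replaced on deletion
    shown = (b"?" + name[1:]) if deleted else name
    base = shown.rstrip(b" ").decode("ascii", "replace")
    extension = ext.rstrip(b" ").decode("ascii", "replace")
    full = base + ("." + extension if extension else "")
    return DirEntry(full, attr, (clus_hi << 16) | clus_lo, size, deleted)


def walk_directory(region: bytes):
    """Yield short-name entries, deleted ones included; skip LFN entries; stop at the 0x00 end marker."""
    for off in range(0, len(region), 32):
        raw = region[off:off + 32]
        if raw[0] == 0x00:
            break
        if (raw[11] & 0x3F) == ATTR_LONG_NAME:
            continue
        yield parse_entry(raw)


def recover_contiguous(image: bytes, entry: DirEntry) -> bytes:
    """Recover a file from its first cluster and size, assuming it was stored contiguously.
    The FAT chain of a deleted file is zeroed, so the chain cannot be followed any more."""
    n_clusters = -(-entry.size // CLUSTER_SIZE)
    start = DATA_START + (entry.first_cluster - 2) * CLUSTER_SIZE   # data region begins at cluster 2
    return image[start:start + n_clusters * CLUSTER_SIZE][:entry.size]


def _entry(name: bytes, ext: bytes, first_cluster: int, size: int) -> bytes:
    return struct.pack(ENTRY_FMT, name, ext, 0x20, 0, 0, 0, 0, 0,
                       first_cluster >> 16, 0, 0, first_cluster & 0xFFFF, size)


def build_sample_image() -> bytes:
    """Constructed volume: one live file in clusters 2-3 and one deleted file in cluster 4."""
    directory = _entry(b"NOTES   ", b"TXT", 2, 20) + _entry(b"\xE5ECRET  ", b"LOG", 4, 12)
    data = bytearray(3 * CLUSTER_SIZE)
    data[0:20] = b"hello from notes.txt"      # clusters 2 and 3
    data[32:44] = b"secret entry"             # cluster 4, still intact after deletion
    return directory + bytes(data)


def overwrite_cluster(image: bytes, cluster: int, payload: bytes) -> bytes:
    """Simulate a new file being allocated the freed cluster."""
    start = DATA_START + (cluster - 2) * CLUSTER_SIZE
    out = bytearray(image)
    out[start:start + CLUSTER_SIZE] = payload.ljust(CLUSTER_SIZE, b"\x00")[:CLUSTER_SIZE]
    return bytes(out)
```

After the overwrite the 0xE5 entry is still present in the directory, so the deletion is still visible to the examiner even though the content is gone; that is the situation in Question 39, where carving finds the entry but not the data.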

40
MCQ · medium

A forensic examiner acquires a RAM image from a Windows 10 system and uses Volatility to analyze it. Which command would list all running processes along with their parent process IDs and command lines?

A. volatility -f mem.raw pslist
B. volatility -f mem.raw netscan
C. volatility -f mem.raw cmdline
D. volatility -f mem.raw pstree
Answer: D

pstree displays processes in a tree format showing parent-child relationships and also includes command lines.

Why this answer

The pstree plugin shows processes in tree format with parent-child relationships, while pslist lists processes without parent info. For parent PIDs and command lines, pstree is appropriate.

41
MCQ · medium

A security analyst examines a compromised Windows server and finds a file named 'readme.txt' that appears legitimate. However, using `dir /r`, they discover an alternate data stream named 'readme.txt:hidden.exe'. What is the most likely purpose of this alternate data stream?

A. It is a backup copy of the file
B. It is a symbolic link to another file
C. It is a malicious executable hidden in the file
D. It is a log file generated by the operating system
Answer: C

Attackers often hide malware in ADS to evade detection.

Why this answer

Alternate Data Streams can be used to hide malicious executables within seemingly innocuous files. The stream 'hidden.exe' suggests an executable is hidden in the file.

42
MCQ · hard

An investigator images an SSD that has TRIM enabled. Which of the following challenges will MOST likely affect the recovery of deleted files from this SSD?

A. The SSD uses a different partition table scheme
B. TRIM causes the SSD to zero out freed blocks, preventing recovery
C. The SSD firmware encrypts all data, requiring a decryption key
D. Wear leveling spreads data across blocks, complicating recovery
Answer: B

TRIM erases data blocks after deletion, making recovery impossible.

Why this answer

The TRIM command allows the SSD to erase data blocks immediately after deletion, making recovery impossible because the data is physically erased.

43
MCQ · medium

During an investigation of a Linux system, an analyst runs `ls -li` and sees that a file's inode number is 0. What does this indicate about the file?

A. The file is a symbolic link
B. The file is a device file
C. The file is a hard link
D. The file has been deleted but is still open
Answer: D

An inode of 0 often means the file is unlinked (deleted) but still referenced by an open file descriptor.

Why this answer

In Linux, an inode number of 0 typically indicates a file that has been deleted but is still open by a process. The directory entry may be removed but the inode remains until the file is closed.

44
MCQ · medium

An analyst is examining a hard drive that was seized from a suspect. The drive is detected as a smaller capacity than listed on the label. Which of the following is the MOST likely explanation?

A. The drive has been partitioned with a GPT table, which does not use the full capacity
B. The file system is FAT32, which has a 2 TB limit
C. The drive controller has a firmware bug reporting incorrect size
D. The drive has a Host Protected Area (HPA) that hides sectors from the OS
Answer: D

HPA hides sectors by setting a maximum address lower than actual.

Why this answer

The Host Protected Area (HPA) or Device Configuration Overlay (DCO) can hide portions of the drive. HPA can be set by the manufacturer or the user; DCO can be set by the manufacturer. Both reduce the visible capacity.

This is a common data hiding technique.

45
Multi-Select · medium

An analyst is examining a Windows 10 system and suspects the use of NTFS alternate data streams (ADS) to hide malicious executables. Which THREE methods can the analyst use to detect hidden ADS on the system?

Select 3 answers
A. Checking the $MFT for $DATA attributes where the attribute name is not empty
B. Using `Sysinternals streams.exe` to enumerate streams on the drive
C. Comparing file sizes from `dir` output with raw disk sector counts
D. Running `sfc /scannow` to verify system file integrity
E. Running `dir /r` in the command prompt to list files with alternate streams
Answers: A, B, E

Default $DATA has no name; named streams indicate ADS.

Why this answer

ADS can be detected by using tools that list streams (like streams.exe or dir /r), checking the $MFT for $DATA attributes with a non-empty name, or scanning for known malicious ADS names with forensic tools.

46
MCQ · medium

A Linux system uses the ext4 filesystem. A forensic analyst needs to recover a recently deleted file. Which of the following methods is MOST likely to succeed if the file's inode has not been reallocated?

A. Mount the filesystem with `mount -o ro,noatime` and browse
B. Use `dd` to copy the entire partition and search for the file signature
C. Use `ls -la` to view deleted file entries
D. Run `extundelete /dev/sda1 --restore-file /path/to/file`
Answer: D

Correct. extundelete is designed for this purpose.

Why this answer

extundelete is a utility that can recover deleted files on ext3/4 by parsing the journal and inode information. It works best if the inode is still intact.

47
MCQ · hard

During a memory forensics analysis using Volatility, an examiner runs 'python vol.py -f memory.dmp pslist' and sees a suspicious process named 'expl0rer.exe' with a PPID of 4. What does a PPID of 4 indicate, and what should the examiner do next?

A. The process is probably a hidden or injected process; run 'psxview' and 'malfind' to detect anomalies
B. The process is a child of the System process, indicating it is a legitimate system process; no further action needed
C. The process is a child of the System Idle Process, which is normal; ignore it
D. The process has been injected into the System process and is likely a rootkit; run 'psscan' to verify
Answer: A

'psxview' cross-references with other sources to find hidden processes; 'malfind' searches for injected code.

Why this answer

PPID 4 is the System process (PID 4) in Windows. Legitimate processes should not have System as parent; this suggests process hollowing or injection. The examiner should investigate the process further with process dump and memory analysis.

48
MCQ · medium

In an ext4 file system, a forensic analyst needs to examine the journal to recover recently deleted files. Where is the journal typically stored?

A. In a reserved area after the superblock
B. In the superblock
C. In a special inode (inode 8)
D. In the group descriptor table
Answer: C

The journal is stored in inode 8 by default.

Why this answer

In ext4, the journal is stored in a special inode (inode 8) or as a file named .journal. It can also be stored in a separate block group.

49
MCQ · medium

During a forensic investigation, you encounter a Windows system with an NTFS volume. The suspect claims they never used the recycle bin, but you find files in the $Recycle.bin folder. Which artifact can help you determine the original file path and deletion time?

A. The USN journal
B. The file slack space
C. The $I file in the $Recycle.bin folder
D. The $MFT entry for the deleted file
Answer: C

Correct. $I files contain original path and deletion time.

Why this answer

The $Recycle.bin contains $I (info) and $R (data) files. The $I file stores metadata including original filename, path, and deletion timestamp.
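The $I record that Questions 38 and 49 refer to is small enough to parse by hand. The following is an added example written for this page (not code from the page or from any forensic suite): it decodes both $I layouts seen on Vista and later (an 8-byte version field, the original size, the deletion time as a Windows FILETIME, then the original path as a fixed 520-byte field in version 1 or a length-prefixed UTF-16LE string in version 2, the Windows 10 form), converts the FILETIME to UTC, and pairs each $I name with its $R data file. The $I blob used in the demonstration, its path, size and timestamp, are constructed.

```python
# Added example: parse Windows Recycle Bin $I metadata files and pair them with $R data files.
# Constructed sample records; not code from the page.
import struct
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft: int) -> datetime:
    """FILETIME counts 100-ns intervals since 1601-01-01 UTC."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    # timedelta // timedelta yields an exact int, avoiding float rounding on ~1e16 microseconds
    return ((dt - EPOCH_1601) // timedelta(microseconds=1)) * 10


def parse_dollar_i(blob: bytes) -> dict:
    """Layout: 8-byte version, 8-byte original size, 8-byte deletion FILETIME, then the path
    (v1: fixed 520-byte UTF-16LE field; v2: 4-byte character count, then UTF-16LE path)."""
    version, size, ft = struct.unpack_from("<QQQ", blob, 0)
    if version == 1:
        path = blob[24:24 + 520].decode("utf-16-le").split("\x00", 1)[0]
    elif version == 2:
        (nchars,) = struct.unpack_from("<I", blob, 24)   # count includes the terminating null
        path = blob[28:28 + 2 * nchars].decode("utf-16-le").rstrip("\x00")
    else:
        raise ValueError(f"unknown $I version {version}")
    return {"version": version, "original_size": size,
            "deleted_at": filetime_to_datetime(ft), "original_path": path}


def build_dollar_i_v2(path: str, size: int, deleted_at: datetime) -> bytes:
    """Constructed $I record in the Windows 10 (version 2) layout, for the demonstration."""
    encoded = (path + "\x00").encode("utf-16-le")
    return struct.pack("<QQQI", 2, size, datetime_to_filetime(deleted_at), len(path) + 1) + encoded


def pair_recycle_bin(names: list) -> dict:
    """Map each $I<id><ext> to its $R<id><ext>; the $R file holds the data under the same id."""
    present = set(names)
    pairs = {}
    for n in names:
        if n.startswith("$I"):
            r = "$R" + n[2:]
            pairs[n] = r if r in present else None
    return pairs


def demo() -> dict:
    """Build a constructed $I record, parse it back, and report whether the timestamp round-trips."""
    dt = datetime(2024, 3, 5, 14, 30, tzinfo=timezone.utc)          # constructed deletion time
    blob = build_dollar_i_v2("C:\\Users\\alice\\Documents\\report.docx", 48213, dt)
    rec = parse_dollar_i(blob)
    rec["roundtrip_ok"] = rec["deleted_at"] == dt
    rec["deleted_at"] = rec["deleted_at"].isoformat()
    return rec
```

A $I record without a matching $R file (or the reverse) is itself a finding: the metadata survived but the data was emptied, or a file was written directly into the $Recycle.Bin folder without going through the shell.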

50
Multi-Select · hard

Which TWO of the following are challenges in SSD forensics compared to traditional HDD forensics? (Choose two.)

Select 2 answers
A. SSDs are not compatible with forensic imaging tools
B. Wear leveling distributes data across blocks, making it harder to recover specific files
C. TRIM command causes deleted data to be erased quickly
D. SSDs have larger storage capacity than HDDs
E. SSDs are more resistant to physical damage
Answers: B, C

Wear leveling moves data around, complicating file carving.

Why this answer

B is correct because wear leveling is a fundamental SSD technology that spreads write operations evenly across all memory blocks to prevent premature wear. This process scatters file fragments across different physical locations, making it significantly harder to recover specific files using traditional forensic methods that rely on contiguous data storage.

Exam trap

EC-Council often tests the misconception that TRIM is a challenge only for deleted data recovery, but candidates must also recognize wear leveling as a separate, equally critical challenge that affects the forensic recovery of both deleted and existing files.

51
Multi-Selectmedium

Which TWO of the following are challenges specific to SSD forensics compared to traditional HDD forensics?

Select 2 answers
A.Bad sectors
B.Wear leveling
C.File fragmentation
D.TRIM command
E.Slack space
AnswersB, D

Why this answer

The TRIM command lets the operating system tell the SSD which logical blocks no longer hold live data; the controller marks those pages invalid and its garbage collection erases them at its own schedule, usually within minutes, so deleted content disappears without any further OS action. Wear leveling spreads writes across cells to extend lifespan, so the physical location of data bears no fixed relation to its logical address. Both defeat recovery techniques that assume deleted data stays in place until overwritten.

52
MCQhard

A forensic examiner is analyzing a RAID 5 array consisting of three disks. One disk has failed and is not available. The remaining two disks contain data and parity. Which technique can be used to reconstruct the missing disk's data and recover the original data?

A.Replace the failed disk and rebuild the array using the controller's rebuild function
B.Use dd to image the two disks, then perform a XOR operation on the data stripes to reconstruct the third disk's data
C.Use FTK Imager to create a logical image of each disk and merge them
D.Simply image the two disks and use file carving tools to extract files
AnswerB

Within each stripe the missing chunk, whether data or parity, equals the XOR of the corresponding chunks on the surviving disks.

Why this answer

In RAID 5 each stripe holds one parity chunk, P = D1 XOR D2 for a three-disk array, and the parity position rotates across the disks. Because XOR is its own inverse, D1 = P XOR D2, so imaging the two surviving disks and XORing them chunk by chunk regenerates the third member exactly. Reassembling the logical volume afterwards requires the stripe (chunk) size, the disk order and the parity rotation, which are taken from controller or md metadata or determined by inspection. Option A is wrong for a forensic examiner because a controller rebuild writes to the evidence disks; the reconstruction is done offline on images.
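The reconstruction described above, as an added example that is not part of the original page. It builds a three-member RAID 5 set from constructed data, drops one member, regenerates it by XOR and strips the parity back out. The layout is an assumption (left-asymmetric: parity walks from the last disk backwards, data chunks fill the remaining disks in index order, fixed 64-byte chunks); the XOR step itself does not depend on the layout, only the final mapping back to logical order does.

```python
"""RAID 5 member reconstruction by XOR.

Added example, not from the original page. Assumes a left-asymmetric layout
(parity rotates from the last disk backwards, data chunks fill the remaining
disks in index order) and a fixed chunk size; real arrays need the chunk size,
disk order and rotation recovered from metadata or by inspection. The XOR
rebuild is layout-independent: within a stripe the missing chunk equals the XOR
of the surviving chunks.
"""
from functools import reduce


def xor_blocks(*blocks):
    assert len({len(b) for b in blocks}) == 1, "chunks must be equal length"
    return bytes(reduce(lambda a, b: a ^ b, t) for t in zip(*blocks))


def parity_disk(stripe, ndisks):
    """Index of the disk holding parity for a given stripe (left-asymmetric rotation)."""
    return (ndisks - 1 - stripe) % ndisks


def build_raid5(data, ndisks=3, chunk=64):
    """Stripe `data` across ndisks members with rotating parity (zero padded)."""
    per_stripe = chunk * (ndisks - 1)
    data = data + b"\x00" * ((-len(data)) % per_stripe)
    disks = [bytearray() for _ in range(ndisks)]
    for s in range(len(data) // per_stripe):
        stripe = data[s * per_stripe:(s + 1) * per_stripe]
        chunks = [stripe[i * chunk:(i + 1) * chunk] for i in range(ndisks - 1)]
        p = parity_disk(s, ndisks)
        it = iter(chunks)
        for d in range(ndisks):
            disks[d] += xor_blocks(*chunks) if d == p else next(it)
    return [bytes(d) for d in disks]


def reconstruct_member(disks, missing, chunk=64):
    """Rebuild member `missing` from the others; disks[missing] may be None."""
    survivors = [d for i, d in enumerate(disks) if i != missing]
    rebuilt = bytearray()
    for off in range(0, len(survivors[0]), chunk):
        rebuilt += xor_blocks(*(d[off:off + chunk] for d in survivors))
    return bytes(rebuilt)


def recover_data(disks, chunk=64):
    """Strip parity and return the logical volume contents in stripe order."""
    n = len(disks)
    out = bytearray()
    for s in range(len(disks[0]) // chunk):
        p = parity_disk(s, n)
        for d in range(n):
            if d != p:
                out += disks[d][s * chunk:(s + 1) * chunk]
    return bytes(out)


def rebuild_and_recover(data, missing, ndisks=3, chunk=64):
    """Simulate losing one member, rebuild it, and return (rebuild_exact, recovered_data)."""
    disks = build_raid5(data, ndisks, chunk)
    original_member = disks[missing]
    disks[missing] = None                     # the failed disk is unavailable
    disks[missing] = reconstruct_member(disks, missing, chunk)
    return disks[missing] == original_member, recover_data(disks, chunk)[:len(data)]


# constructed sample volume contents
SAMPLE_DATA = b"Mar  1 12:00:01 srv sshd[812]: Accepted publickey for root from 10.0.0.9\n" * 12

if __name__ == "__main__":
    for missing in range(3):
        exact, recovered = rebuild_and_recover(SAMPLE_DATA, missing)
        print(f"member {missing}: rebuilt exactly={exact}, data intact={recovered == SAMPLE_DATA}")
```

With real evidence, `build_raid5` is replaced by the dd images of the surviving members; `reconstruct_member` then yields an image of the failed disk that can be mounted together with the others by a RAID reassembly tool.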

53
MCQmedium

A forensic investigator is examining a Mac system with APFS. Which artifact would be most useful for determining the exact time a file was moved to the Trash?

A.The file's creation timestamp in the directory entry
B.The APFS journal (fsroot) records the move operation with a timestamp
C.The .DS_Store file in the Trash folder
D.The 'com.apple.metadata:kMDItemWhereFroms' extended attribute
AnswerB

The exam treats the file-system root tree (fsroot) and its checkpoints as the record of metadata changes, including the move into the Trash.

Why this answer

APFS is a copy-on-write file system and has no write-ahead journal in the NTFS $LogFile or ext4 sense; what the question calls the "journal (fsroot)" is the file-system root B-tree, whose checkpointed versions can be compared to see when a file record changed. In practice the move updates the inode's changed (ctime) timestamp, and the .DS_Store in the Trash folder records the original "Put Back" location but not the time of the move. The kMDItemWhereFroms attribute records where a downloaded file came from, not when it was trashed.

54
MCQhard

During a forensic analysis of a compromised server, you discover that a rootkit has hidden itself by modifying the HPA (Host Protected Area) of the hard disk. Which tool can detect the presence of an HPA by comparing the reported size with the actual number of sectors?

A.smartctl
B.dd
C.fdisk
D.hdparm
AnswerD

hdparm can read ATA settings, including HPA and DCO, to detect hidden areas.

Why this answer

The hdparm tool in Linux can query the ATA features that control capacity, including HPA. `hdparm -N /dev/sda` prints the current maximum sector count alongside the native maximum (for example `max sectors = 488397168/976773168, HPA is enabled`); a current value below the native one is the HPA. `hdparm --dco-identify /dev/sda` performs the equivalent check for a Device Configuration Overlay, which hides capacity even from the native-max query.

55
MCQeasy

Which file system uses a Master File Table ($MFT) as its central catalog for file metadata?

A.FAT32
B.APFS
C.ext4
D.NTFS
AnswerD

Why this answer

NTFS uses the $MFT to store information about all files and directories on the volume.

56
MCQmedium

When analyzing an NTFS volume, an investigator wants to identify files that were recently accessed or modified. Which NTFS artifact stores metadata about file system changes and can be parsed using tools like MFTEcmd or NTFSLogTracker?

A.$USN_Jrnl
B.$LogFile
C.$Recycle.Bin
D.$MFT
AnswerA

The USN Journal (stored as the $J alternate data stream of $Extend\$UsnJrnl) records change events for files and directories.

Why this answer

The USN (Update Sequence Number) journal records one entry per change event, with the file reference number, parent reference, timestamp and reason flags such as DATA_EXTEND, RENAME_NEW_NAME and FILE_DELETE. It records changes, not plain reads, so "accessed" in the question means touched by a change. MFTECmd parses the $J stream and NTFS Log Tracker correlates it with $LogFile, which holds the lower-level transaction records.

57
MCQeasy

A forensic investigator examines a hard drive and needs to recover deleted files. Which tool is specifically designed for file carving by scanning raw data for file headers and footers without relying on the file system?

A.Foremost
B.Volatility
C.Autopsy
D.FTK Imager
AnswerA

Foremost is a classic file carving tool that recovers files based on signatures.

Why this answer

Foremost is a file carving tool that recovers files by scanning raw data for known headers and footers (and, for some types, internal structure), independent of file system metadata. It therefore works on unallocated space and on damaged or unknown file systems, but it cannot reassemble fragmented files and may stop at a footer signature that appears inside a file, such as a JPEG thumbnail's FFD9 marker.
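A minimal header/footer carver of the kind Foremost implements, added as a worked example (this is not Foremost's code). The signatures for JPEG, PNG and PDF are the standard ones; the raw image it scans is constructed in memory, and the embedded "files" carry correct signatures but are not valid images. The search window cap and the fragment handling are design choices for the example.

```python
"""Header/footer file carving over a raw image, independent of file-system metadata.

Added example, not the Foremost source. The image below is constructed in
memory; the 'png' and 'jpg' bodies are signature-correct but not valid images.
"""
import mmap
import os

SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
    "pdf": (b"%PDF-", b"%%EOF"),
}
MAX_CARVE = 10 * 1024 * 1024  # cap the footer search so a missing footer cannot swallow the image


def carve(image, signatures=SIGNATURES, max_size=MAX_CARVE):
    """Return (type, start, end, data) for every header with a footer within max_size bytes."""
    hits = []
    for kind, (header, footer) in signatures.items():
        pos = 0
        while (start := image.find(header, pos)) != -1:
            end = image.find(footer, start + len(header), start + max_size)
            if end == -1:            # no footer in range: likely a fragment, skip this header
                pos = start + 1
                continue
            end += len(footer)
            hits.append((kind, start, end, bytes(image[start:end])))
            pos = end                # resume after the carved object, no overlapping hits
    return sorted(hits, key=lambda h: h[1])


def carve_file(path, outdir, **kw):
    """Carve a raw image on disk (memory-mapped) and write each hit as <outdir>/<offset>.<type>."""
    os.makedirs(outdir, exist_ok=True)
    with open(path, "rb") as fh, mmap.mmap(fh.fileno(), 0, access=mmap.ACCESS_READ) as mm:
        hits = carve(mm, **kw)
        for kind, start, _end, blob in hits:
            with open(os.path.join(outdir, f"{start:#x}.{kind}"), "wb") as out:
                out.write(blob)
    return [(kind, start, end) for kind, start, end, _ in hits]


# constructed sample: a JPEG and a PNG separated by filler, with known offsets
SAMPLE_JPG = b"\xff\xd8\xff\xe0" + b"J" * 300 + b"\xff\xd9"
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + b"P" * 200 + b"IEND\xaeB`\x82"
SAMPLE_IMAGE = b"\x00" * 512 + SAMPLE_JPG + b"\xff" * 1024 + SAMPLE_PNG + b"\x00" * 256

if __name__ == "__main__":
    for kind, start, end, _ in carve(SAMPLE_IMAGE):
        print(f"{kind}: offset {start:#x}, {end - start} bytes")
```

Run `carve_file("/evidence/disk.dd", "carved/")` against a dd image; the hits are written by offset so they can be tied back to a sector and cluster.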

58
MCQmedium

An analyst suspects that sensitive data was hidden in the NTFS Alternate Data Streams (ADS) of a file on a suspect's drive. Which tool is specifically designed to enumerate and extract data from ADS on a live Windows system?

A.Foremost
B.PhotoRec
C.dd
D.Streams.exe (Sysinternals)
AnswerD

Correct: Streams.exe lists and extracts ADS data.

Why this answer

Streams.exe (from Sysinternals) is the standard tool to list and delete Alternate Data Streams on a live Windows system. Built-in alternatives are `dir /R`, which lists streams with their sizes, and PowerShell `Get-Item -Path <file> -Stream *` together with `Get-Content -Stream <name>` to read one. Foremost and PhotoRec carve from raw data and dd images a device; none of them understands the NTFS stream namespace.

59
Multi-Selecthard

Which THREE of the following are challenges specific to SSD forensics compared to HDD forensics?

Select 3 answers
A.Garbage collection that automatically erases stale blocks
B.TRIM command causing data erasure
C.Wear leveling algorithms that relocate data
D.Platter rotation causing magnetic remanence
E.Controller-based compression reducing data size
AnswersA, B, C

GC can erase data without OS command, complicating recovery.

Why this answer

SSDs have unique features: TRIM command erases data blocks, wear leveling moves data around complicating recovery, and garbage collection can erase deleted data without OS intervention. Platter rotation is HDD-specific.

60
MCQmedium

A security analyst is investigating a compromised Windows system and wants to see which processes were running at the time of memory capture. Which Volatility command should they use?

A.volatility -f mem.dump pslist
B.volatility -f mem.dump hashdump
C.volatility -f mem.dump malfind
D.volatility -f mem.dump netscan
AnswerA

pslist lists all processes from the memory image.

Why this answer

The 'pslist' plugin walks the kernel's linked list of EPROCESS structures (PsActiveProcessHead), so it shows the processes the kernel itself considered active at capture time; a process unlinked by DKOM is missed, which is why it is cross-checked against 'psscan' (pool-tag scanning) and 'pstree' (parent-child relationships). In Volatility 2 the command also needs `--profile=<OS profile>`; Volatility 3 uses `vol.py -f mem.dump windows.pslist`.

61
Multi-Selectmedium

Which THREE of the following are characteristics of the Master File Table ($MFT) in NTFS? (Choose three.)

Select 3 answers
A.It contains a record for every file and directory on the volume
B.Small files can be stored resident within the $MFT record
C.Each record is typically 1024 bytes in size
D.It is located at a fixed position at the beginning of the volume
E.It is only used for directory metadata
AnswersA, B, C

Each file and directory has at least one $MFT record.

Why this answer

The $MFT stores the attributes of every file and directory in fixed-size records, typically 1 KB each, starting with a FILE signature and a fixup array. Small files (roughly up to 700 bytes) are stored resident inside the record's $DATA attribute, which is why their content survives in the $MFT even after deletion. The $MFT's own location is not fixed: the boot sector's BPB records its starting cluster, so D is a distractor, and E is wrong because file metadata is held there too.

62
MCQeasy

Which tool is specifically designed to acquire RAM from a Linux system for forensic analysis?

A.WinPmem
B.LiME
C.EnCase
D.FTK Imager
AnswerB

LiME is the standard Linux memory acquisition tool.

Why this answer

LiME (Linux Memory Extractor) is a tool for capturing RAM on Linux systems, often used with the Volatility framework.

63
MCQmedium

During a forensic investigation, an analyst discovers data hidden in the Host Protected Area (HPA) of a hard drive. Which tool is commonly used to view and access the HPA?

A.PhotoRec
B.fdisk
C.dd
D.hdparm
AnswerD

Why this answer

hdparm is a Linux utility that issues ATA commands, including READ NATIVE MAX ADDRESS and SET MAX ADDRESS, so it can report the HPA (`hdparm -N`) and temporarily remove it so the hidden sectors can be imaged. fdisk only sees the capacity the drive reports, dd can only read what the kernel exposes, and PhotoRec carves from already accessible data.
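The HPA check from questions 54 and 63, as an added example that is not from the original page: it parses captured `hdparm -N` and `hdparm -I` output, computes the hidden LBA range and its size, and prints the dd command that would image that range once the area is exposed. The tool output it reads is constructed below; the 512-byte sector size is an assumption, and the report format and function names are the example's own.

```python
"""Detect a Host Protected Area from `hdparm -N` / `hdparm -I` output.

Added example, not from the original page. It parses captured tool output
(constructed below) rather than talking to a device, so it runs anywhere.
Sector size is assumed to be 512 bytes.
"""
import re

SECTOR_BYTES = 512  # assumption: 512-byte logical sectors

# hdparm -N prints e.g. " max sectors   = 488397168/976773168, HPA is enabled"
_MAXSECT_RE = re.compile(r"max sectors\s*=\s*(\d+)/(\d+)[^,]*,\s*HPA is (enabled|disabled)")
# hdparm -I prints e.g. "\tLBA48  user addressable sectors:  488397168"
_LBA48_RE = re.compile(r"LBA48\s+user addressable sectors:\s*(\d+)")


def parse_hdparm_n(text):
    """Current and native maximum sector counts plus the HPA flag from `hdparm -N`."""
    m = _MAXSECT_RE.search(text)
    if not m:
        raise ValueError("no 'max sectors' line in hdparm -N output")
    return {"current": int(m.group(1)), "native": int(m.group(2)),
            "hpa_enabled": m.group(3) == "enabled"}


def parse_hdparm_i_sectors(text):
    """LBA48 user addressable sector count from `hdparm -I`, or None if absent."""
    m = _LBA48_RE.search(text)
    return int(m.group(1)) if m else None


def hidden_region(current, native, sector_bytes=SECTOR_BYTES):
    """LBA range and size of the sectors between the current and native maximum."""
    if native < current:
        raise ValueError("native max below current max: inconsistent reading, check for DCO")
    count = native - current
    return {"start_lba": current, "sectors": count, "bytes": count * sector_bytes}


def dd_command(device, region, out="hpa.img"):
    """dd invocation that images the hidden range once the HPA has been removed."""
    return (f"dd if={device} of={out} bs={SECTOR_BYTES} "
            f"skip={region['start_lba']} count={region['sectors']} conv=noerror,sync")


def hpa_report(hdparm_n_text, hdparm_i_text=None, device="/dev/sda"):
    n = parse_hdparm_n(hdparm_n_text)
    region = hidden_region(n["current"], n["native"])
    findings = []
    if n["hpa_enabled"] or region["sectors"] > 0:
        findings.append("HPA present")
    if hdparm_i_text is not None:
        visible = parse_hdparm_i_sectors(hdparm_i_text)
        if visible is not None and visible != n["current"]:
            findings.append("IDENTIFY sector count disagrees with current max")
    report = {**n, **region, "findings": findings}
    report["image_cmd"] = dd_command(device, region) if region["sectors"] else None
    return report


# constructed tool output for a 500 GB drive with half its capacity hidden
SAMPLE_HDPARM_N = """/dev/sda:
 max sectors   = 488397168/976773168, HPA is enabled
"""
SAMPLE_HDPARM_I = """/dev/sda:
\tLBA    user addressable sectors:   268435455
\tLBA48  user addressable sectors:   488397168
"""

if __name__ == "__main__":
    for key, value in hpa_report(SAMPLE_HDPARM_N, SAMPLE_HDPARM_I).items():
        print(f"{key}: {value}")
```

Imaging the range requires exposing it first, for example `hdparm -N 976773168 --yes-i-know-what-i-am-doing /dev/sda` (without the `p` prefix the change lasts only until the next power cycle); record the original `-N` output before doing so, since changing the max address is a write to the evidence drive's configuration. A Device Configuration Overlay lowers the native maximum itself, so a drive can show "HPA is disabled" and still hide capacity; check `hdparm --dco-identify` as well.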

64
Multi-Selectmedium

Which TWO of the following are methods used to hide data within the NTFS file system?

Select 2 answers
A.USN Journal
B.File slack space
C.Volume Shadow Copy
D.Alternate Data Streams (ADS)
E.Encrypting File System (EFS)
AnswersB, D

Why this answer

ADS allows hiding data in streams attached to files, and slack space can hide data in unused bytes at the end of file clusters.

65
MCQeasy

An investigator needs to recover deleted files from a USB drive formatted with FAT32. Which of the following techniques would be most effective, assuming the files have not been overwritten?

A.Check the journal for recent changes
B.Examine the FAT for unallocated clusters and reconstruct files
C.Analyze the $MFT for orphaned entries
D.Use the 'foremost' tool to carve based on file signatures
AnswerB, D

Correct: In FAT32, a deleted directory entry keeps the starting cluster and file size, which lets the file be rebuilt from the clusters it occupied.

Why this answer

Deleting a file on FAT32 overwrites the first byte of its directory entry with 0xE5 and zeroes the file's entries in the File Allocation Table, but leaves the rest of the directory entry (size, timestamps, starting cluster) and the data clusters untouched. Recovery therefore reads the starting cluster and size from the deleted entry and assumes the clusters were contiguous, since the FAT chain itself is gone; this works until the clusters are reused. Signature-based carving (option D) is the fallback when the directory entry has been reused or the file was fragmented. FAT32 has no journal and no $MFT, so A and C do not apply.

66
Multi-Selectmedium

Which THREE of the following are types of slack space that can contain hidden data on a hard disk?

Select 3 answers
A.Device Configuration Overlay
B.Host Protected Area
C.File slack
D.Volume slack
E.RAM slack
AnswersC, D, E

File slack is the unused space between the end of a file and the end of the last cluster.

Why this answer

File slack, volume slack, and RAM slack are types of slack space. HPA and DCO are hidden areas, not slack space.

67
MCQeasy

A forensic analyst needs to acquire RAM from a live Linux system for memory analysis. Which tool is specifically designed for this purpose and can capture memory without rebooting?

A.FTK Imager
B.Volatility
C.LiME
D.dd
AnswerC

LiME (Linux Memory Extractor) is the standard tool for Linux memory acquisition.

Why this answer

LiME (Linux Memory Extractor) is a kernel module that allows acquisition of volatile memory from Linux systems. It loads into the kernel and dumps RAM to a file or over the network.

68
MCQhard

During a forensic examination of a solid-state drive (SSD), you notice that files deleted several months ago cannot be recovered using traditional file carving tools. Which SSD feature is MOST likely preventing recovery?

A.TRIM
B.Over-provisioning
C.Garbage Collection
D.Wear levelling
AnswerA

TRIM causes the SSD to erase freed blocks, preventing recovery of deleted files via file carving.

Why this answer

TRIM is a command by which the operating system tells the SSD which logical blocks are no longer in use (Windows 7 and later issue it on delete; Linux does so with the discard mount option or a scheduled fstrim). The controller marks those pages invalid and its garbage collection erases them, so after months the data is gone and file carving finds nothing, unlike an HDD where deleted sectors persist until overwritten. Garbage collection and wear levelling act on the blocks TRIM has marked; over-provisioning is spare capacity and does not erase anything by itself.

69
MCQeasy

A forensic analyst is examining a hard drive and needs to identify the number of sectors per track. Which component of the hard disk structure defines this?

A.Track
B.Sector
C.Cluster
D.Cylinder
AnswerA

Why this answer

A track is a circular division of data on a platter, and each track is divided into sectors, so sectors per track is a property of the track (and, together with heads and cylinders, of the CHS geometry). On modern drives the count varies by zone because outer tracks hold more sectors (zoned bit recording), and the CHS geometry a drive reports is a logical translation rather than the physical layout.

70
MCQmedium

An analyst finds evidence that an attacker used steganography to hide data within image files on the suspect's computer. Which of the following tools is MOST appropriate for detecting steganography in these images?

A.Foremost
B.Autopsy
C.Stegdetect
D.Volatility
AnswerC

Stegdetect is designed to detect steganography in images.

Why this answer

Among the options, stegdetect is the tool built for this purpose: it statistically analyses JPEG files for traces left by known embedding tools such as jsteg, jphide, outguess and F5. StegExpose (LSB analysis of lossless images) and stegsolve (visual bit-plane inspection) are alternatives not listed here. Foremost carves files, Autopsy is a general examination suite and Volatility analyses memory, none of which detects embedded payloads.

71
MCQhard

An analyst retrieves a forensic image of a hard drive and discovers that the size reported by the operating system is smaller than the actual physical capacity. The extra space is not accessible through standard partition tools. This hidden area is MOST likely:

A.Device Configuration Overlay
B.Host Protected Area
C.Volume slack
D.RAM slack
AnswerB

HPA is a hidden area configured via the ATA SET MAX ADDRESS command.

Why this answer

The Host Protected Area (HPA) is a range at the end of the drive above the maximum address set with the ATA SET MAX ADDRESS command; the drive reports only the reduced capacity to the BIOS and OS, so partition tools never see the region, while READ NATIVE MAX ADDRESS (`hdparm -N`) still reveals the true size. It can be used to hide data. A Device Configuration Overlay (option A) also reduces reported capacity, but it lowers the native maximum itself, so it is not exposed by the native-max comparison and is distinguished by `hdparm --dco-identify`. Volume slack and RAM slack are unused space inside an existing volume or sector, not hidden capacity.

72
MCQhard

During an investigation, an analyst uses the `volatility -f mem.dmp windows.pslist` command and observes a process named 'svchost.exe' with PID 1234. Further analysis shows that this process has no parent process (PPID = 0). What is the MOST likely explanation for this anomaly?

A.The process is a child of the System process (PID 4) but Volatility misreported it
B.The process belongs to a different session and Volatility failed to resolve the parent
C.The process is a legitimate system process that was started during boot
D.The process has been hidden using a rootkit that manipulated kernel objects (DKOM)
AnswerD

DKOM can alter the EPROCESS block to hide a process, often resulting in PPID=0.

Why this answer

In Windows, only the Idle process (PID 0) and System process (PID 4) typically have PPID 0. A normal process whose parent has exited keeps that parent's old PID in its PPID field (pslist reads EPROCESS.InheritedFromUniqueProcessId and does not rewrite it), so an orphan shows a stale PPID, not 0. A user-mode process like svchost.exe with PPID 0 therefore suggests the EPROCESS block has been tampered with by rootkit techniques such as DKOM; compare the output with psscan and pstree and inspect the process with malfind before drawing a conclusion.

73
MCQmedium

During a forensic examination, an analyst uses Autopsy to view the contents of the Recycle Bin on a Windows 10 system. However, some files that were deleted by the user do not appear in the Recycle Bin. What is the MOST likely reason?

A.The Recycle Bin stores only files smaller than 1 GB
B.The files were encrypted
C.The files were deleted using Shift+Delete
D.The Recycle Bin was emptied
AnswerC

Shift+Delete bypasses Recycle Bin.

Why this answer

Files deleted using Shift+Delete bypass the Recycle Bin and are directly marked for deletion. Additionally, files deleted from command line or external drives may not go to Recycle Bin.

74
MCQmedium

During an investigation, an analyst recovers a file from unallocated space that contains fragments of a deleted document. The file size is 512 bytes, but the cluster size of the volume is 4096 bytes. What is the term for the unused bytes between the end of the file and the end of the last cluster?

A.Volume slack
B.Drive slack
C.File slack
D.RAM slack
AnswerC

Correct: File slack is the unused space in the last cluster after the file ends.

Why this answer

File slack is the space between the end of the logical file and the end of the last cluster allocated to it.

75
MCQhard

An analyst is investigating a Linux server that suffered a data breach. The attacker deleted several log files. The analyst runs `debugfs /dev/sda1` and issues the command `lsdel`. What is the purpose of this command in the context of file recovery?

A.List inodes of deleted files that still have allocated blocks
B.Recover deleted files from the journal
C.List all deleted directory entries in the journal
D.Display the current superblock information
AnswerA

Correct. lsdel lists inodes of deleted files that still reference allocated blocks, which is the starting point for recovery.

Why this answer

debugfs is a tool for ext2/3/4 file system debugging. The `lsdel` command lists inodes of deleted files that still have allocated blocks, and `dump <inode> outfile` then writes out the data. The caveat is that ext3 and ext4 clear the block pointers or extent entries in the inode at deletion, so on those file systems `lsdel` usually returns nothing useful; the practical route is the journal (inode 8), inspected with `debugfs -R "logdump"` or with journal-aware tools such as ext4magic and extundelete, which recover the inode's previous copy from journaled metadata blocks. `logdump` reads the journal (B/C), and `stats` shows the superblock (D).
