CCNA Computer Forensics Lab Questions

15 questions · Computer Forensics Lab · All types, answers revealed

1
MCQeasy

You are a forensic analyst in a corporate lab. A compromised server was taken offline and brought to the lab. The server runs Windows Server 2019 with a RAID 5 array of three 1TB SATA drives. The drives are hot-swappable. The server was shut down properly before removal. The lab has a forensic workstation with write-blockers, a hardware RAID controller, and imaging software. The analyst needs to acquire a forensic image of the RAID array. What is the correct course of action?

A.Reconstruct the RAID array using the same controller model in the lab, then image the logical volume via a write-blocker
B.Send the drives to a vendor for specialized RAID recovery
C.Image each drive individually using a write-blocker and then combine the images in software
D.Connect all drives to the forensic workstation and use a software RAID tool to assemble the array
AnswerA

This preserves the logical structure and ensures integrity.

Why this answer

Option A is correct because the RAID 5 array must be reconstructed using the same controller model (or an identical one) to correctly interpret the parity and striping metadata. Imaging the logical volume via a write-blocker preserves the integrity of the file system and ensures a forensically sound acquisition of the live data, which is the standard practice when the controller is available and the array is intact.

Exam trap

The trap here is that candidates often assume imaging individual drives and software reconstruction is acceptable, but the CHFI exam emphasizes that hardware RAID controllers require identical hardware to preserve the array’s logical structure and forensic integrity.

How to eliminate wrong answers

Option B is wrong because sending the drives to a vendor for specialized RAID recovery is unnecessary and costly when the array is intact and the same controller model is available in the lab; this approach is reserved for physically damaged or corrupted arrays. Option C is wrong because imaging each drive individually and combining them in software is unreliable for RAID 5, as the software may not correctly reconstruct the parity and stripe order without the exact controller metadata, potentially leading to data corruption or incomplete acquisition. Option D is wrong because connecting all drives directly to the forensic workstation and using a software RAID tool risks altering the array metadata or causing the OS to auto-assemble the array, which could modify data and violate forensic integrity; a hardware controller with a write-blocker is required to maintain a read-only acquisition.

2
MCQhard

Refer to the exhibit. The FTK Imager output shows a disk with an NTFS partition. The examiner notes that the $MFT mirror is at cluster 2. What is the logical size of the $MFT mirror in bytes?

A.320 GB
B.512 bytes
C.4096 bytes
D.8192 bytes
AnswerC

Correct: The $MFT mirror occupies one cluster (4096 bytes) when clusters per record = 1.

Why this answer

The $MFT mirror is a backup copy of the first four records of the Master File Table. Each MFT record is 1024 bytes, so four records total 4096 bytes. The FTK Imager output confirms the cluster size is 4096 bytes, and since the $MFT mirror occupies exactly one cluster (cluster 2), its logical size is 4096 bytes.

Exam trap

The trap here is that candidates confuse the $MFT mirror size with the cluster size or the total MFT size, but the mirror is always fixed at 4096 bytes because it backs up only the first four MFT records.

How to eliminate wrong answers

Option A is wrong because 320 GB is the total disk capacity, not the size of the $MFT mirror. Option B is wrong because 512 bytes is the size of a single sector, not the cluster size or the $MFT mirror size. Option D is wrong because 8192 bytes would be two clusters (2 × 4096), but the $MFT mirror occupies exactly one cluster.

3
MCQhard

Refer to the exhibit. A forensic examiner is analyzing a Windows system and sees the above NTFS file metadata. The user claims the file was last accessed at 09:15. Which of the following best explains the discrepancy?

A.The $UsnJrnl entry shows the file was modified, and the last access time was updated by the system when the file was opened for reading
B.The system has disabled last access time updates, so the reported times are unreliable
C.The creation time is earlier than the last access, indicating the file was copied from another volume
D.The $LogFile sequence number indicates a transaction rollback that reset the timestamps
AnswerA

The $UsnJrnl records changes; the last access time is updated on read operations, explaining the later timestamp.

Why this answer

Option A is correct because the $UsnJrnl (Update Sequence Number Journal) records that the file was modified, and on Windows systems, when a file is opened for reading, the last access time is updated by default. The discrepancy arises because the user claims the file was last accessed at 09:15, but the NTFS metadata shows a different last access time, which could be due to the system updating the last access time upon modification or read operations, as recorded in the $UsnJrnl.

Exam trap

Cisco often tests the misconception that last access time updates are always disabled or unreliable, but the trap here is that the $UsnJrnl entry confirms the file was modified, which can trigger a last access time update, making the user's claim inconsistent with the system's logged activity.

How to eliminate wrong answers

Option B is wrong because if the system had disabled last access time updates (via the NtfsDisableLastAccessUpdate registry key), the last access time would not be updated at all, but the exhibit shows a last access time, indicating updates are enabled. Option C is wrong because the creation time being earlier than the last access time is normal and does not indicate a copy operation; file copy operations typically set the creation time to the current time, not an earlier one. Option D is wrong because the $LogFile sequence number indicates transaction logging for file system operations, but a transaction rollback would revert the file to a previous state, not reset timestamps in the manner described.

4
MCQmedium

A forensic lab manager is setting up a new lab and must decide on the physical security measures. Which of the following is the MOST important to implement first?

A.Construct Faraday cages around the evidence storage area
B.Deploy CCTV cameras covering all entry points
C.Install a gas-based fire suppression system
D.Implement a biometric access control system
AnswerD

Biometric access control prevents unauthorized entry, which is the first line of defense.

Why this answer

Biometric access control is the most critical first step because it establishes a foundational layer of physical security that authenticates and authorizes personnel before they can access the lab. Without controlling who enters, other measures like CCTV or fire suppression are less effective, as unauthorized individuals could compromise evidence integrity. This aligns with the principle of defense-in-depth, where access control is the primary barrier against tampering or theft.

Exam trap

The trap here is that candidates often prioritize surveillance (CCTV) or evidence preservation (Faraday cages) over the foundational security principle of access control, failing to recognize that without controlling who enters, all other measures are reactive rather than preventive.

How to eliminate wrong answers

Option A is wrong because Faraday cages are specialized for blocking electromagnetic signals (e.g., to prevent remote wiping of mobile devices) and are not a general physical security measure; they should be implemented after basic access controls are in place. Option B is wrong because CCTV cameras are a monitoring/deterrent tool, not a preventive control; they record breaches but do not stop unauthorized access, making them secondary to access control. Option C is wrong because gas-based fire suppression systems protect against fire damage but do not address the immediate threat of unauthorized entry or evidence tampering; they are a safety measure, not a security measure.

5
Multi-Selecteasy

Which TWO of the following are essential requirements for a computer forensics lab according to best practices?

Select 2 answers
A.Uninterruptible power supply (UPS) and surge protectors
B.Offsite cloud storage for all case files
C.Shared workstations to reduce hardware costs
D.Restricted access with visitor logs and biometric authentication
E.Open wireless network for flexibility
AnswersA, D

Clean power is critical to protect forensic equipment and prevent data loss.

Why this answer

A is correct because a UPS provides temporary power during outages to prevent data loss or corruption during forensic imaging, while surge protectors guard against voltage spikes that could damage sensitive lab equipment. Best practices require both to ensure chain of custody integrity and hardware reliability.

Exam trap

EC-Council often tests the misconception that cloud storage is acceptable for forensic labs, but candidates must remember that chain of custody and jurisdictional control require local, encrypted storage with strict access logging.

6
Drag & Dropmedium

Drag and drop the steps to recover deleted files using Recuva into the correct order.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order

Why this order

File recovery involves selecting type, location, scanning, and saving to a different drive.

7
Multi-Selectmedium

A forensic examiner is setting up a new lab. Which THREE of the following practices are essential for maintaining the integrity of digital evidence?

Select 3 answers
A.Perform regular backups of the forensic workstation’s operating system.
B.Disable write-blocking when imaging drives to improve speed.
C.Use write-blocking devices when acquiring data from suspect drives.
D.Implement a chain-of-custody procedure for all evidence.
E.Store evidence in a secure, access-controlled environment.
AnswersC, D, E

Correct: Write-blockers prevent alteration of original evidence.

Why this answer

Option C is correct because write-blocking devices (hardware or software) prevent any write operations to the source drive during acquisition, ensuring the original data remains unaltered. This is fundamental to maintaining the integrity of digital evidence, as any modification could render the evidence inadmissible in court. Forensic imaging tools like FTK Imager or dd rely on write-blockers to guarantee a bit-for-bit copy without contaminating the source.

Exam trap

EC-Council often tests the misconception that operational convenience (like faster imaging) can ever override the foundational forensic requirement of write protection, leading candidates to incorrectly choose Option B.

8
Multi-Selectmedium

Which THREE of the following are recommended practices for maintaining the integrity of digital evidence in a forensics lab?

Select 3 answers
A.Maintain a detailed chain of custody log
B.Generate cryptographic hashes of evidence files
C.Use hardware write-blockers during acquisition
D.Perform regular backups of all evidence
E.Run antivirus scans on evidence before analysis
AnswersA, B, C

Documents handling and prevents tampering.

Why this answer

Maintaining a detailed chain of custody log (Option A) is a recommended practice because it provides a verifiable, chronological record of every person who handled the evidence, the time and date of each transfer, and the purpose of each transfer. This ensures the evidence's integrity by demonstrating that it has not been tampered with or altered from the moment of seizure through analysis and presentation in court. Without a proper chain of custody, the evidence can be challenged as inadmissible under rules like Federal Rule of Evidence 901.

Exam trap

The trap here is that candidates often confuse general IT best practices (like backups and antivirus scans) with forensic-specific integrity practices, failing to recognize that backups can create chain-of-custody gaps and antivirus scans can actively modify evidence.

9
MCQmedium

A forensic lab is establishing a chain of custody procedure. Which practice is considered best according to CHFI guidelines?

A.Require biometric authentication for all lab personnel
B.Store evidence in a secure room with limited access
C.Use encryption to protect evidence files
D.Document every transfer of evidence with signatures and timestamps
AnswerD

Documentation is key to maintaining chain of custody.

Why this answer

Option D is correct because the chain of custody is fundamentally a legal and procedural requirement to demonstrate the integrity and admissibility of digital evidence. CHFI guidelines emphasize that every transfer of evidence must be meticulously documented with signatures, timestamps, and purpose to create an unbroken audit trail, which is the only practice that directly satisfies the legal standard for evidence handling.

Exam trap

EC-Council often tests the distinction between security controls (like encryption or access restrictions) and procedural documentation (like signatures and timestamps), leading candidates to confuse physical or technical safeguards with the legal requirement for an auditable chain of custody.

How to eliminate wrong answers

Option A is wrong because biometric authentication controls access to the lab but does not document the transfer or handling of evidence, which is the core requirement for chain of custody. Option B is wrong because storing evidence in a secure room with limited access is a physical security measure, not a documentation procedure; it does not create the required audit trail for each transfer. Option C is wrong because encryption protects evidence files from unauthorized access or tampering but does not provide a documented record of who handled the evidence and when, which is essential for chain of custody.

10
MCQeasy

You are a forensic examiner at a corporate security firm. You receive a laptop from the HR department that belonged to a terminated employee. The laptop was used for company business and is suspected of containing unauthorized file-sharing software. The laptop is running Windows 10 with BitLocker drive encryption enabled. Before shutdown, the employee was logged into the system. HR claims the laptop was shut down properly and then handed over within an hour. You are asked to acquire a forensic image of the hard drive for analysis. However, when you boot the laptop, you are prompted for the BitLocker recovery key. HR does not have the key, and the employee refuses to cooperate. The laptop also has a TPM chip. Which of the following is the most appropriate course of action to acquire the data?

A.Contact IT to obtain the BitLocker recovery key from Active Directory.
B.Perform a cold boot attack to extract the BitLocker key from memory.
C.Boot from a Linux live USB and use tools to bypass BitLocker.
D.Boot the laptop normally and let BitLocker unlock the drive using the TPM.
AnswerD

Correct: Since the laptop was shut down properly and has TPM, normal boot should unlock the drive without the recovery key.

Why this answer

Option D is correct because the laptop was shut down properly and handed over within an hour, meaning the TPM (Trusted Platform Module) still holds the BitLocker key in its secure storage. When the system boots normally, BitLocker will automatically unlock the drive using the TPM without requiring a recovery key or user PIN, as long as the boot configuration has not changed. This is the standard behavior for a TPM-only protector configuration, which is common in corporate Windows 10 deployments.

Exam trap

EC-Council often tests the misconception that BitLocker always requires a recovery key or that a cold boot attack is a standard forensic technique, when in fact a properly shut-down system with TPM will unlock automatically, making the simplest boot the correct first step.

How to eliminate wrong answers

Option A is wrong because contacting IT to obtain the BitLocker recovery key from Active Directory is a valid step only if the key was escrowed, but the question states HR does not have the key and the employee refuses to cooperate; however, the most appropriate immediate action is to boot normally first, as the TPM will unlock the drive without needing the recovery key. Option B is wrong because a cold boot attack is a specialized technique used to extract memory contents from a system that was recently running, but here the laptop was shut down properly an hour ago, so the memory contents (including any BitLocker key remnants) are long gone; this attack is impractical and not the most appropriate course. Option C is wrong because booting from a Linux live USB and using tools to bypass BitLocker is not feasible against a fully encrypted drive with TPM-bound keys; BitLocker with TPM protection cannot be bypassed by simply booting an alternate OS, as the TPM will not release the key to an untrusted boot environment.

11
MCQeasy

A forensic analyst is troubleshooting a write-blocker that is not working correctly. The analyst connected the write-blocker between the suspect drive and the forensic workstation, but the workstation still shows the drive as writable. What is the most likely cause?

A.The suspect drive was connected before the write-blocker was powered on
B.The write-blocker does not have external power
C.The suspect drive uses SATA but the write-blocker is USB-only
D.The write-blocker is connected to the suspect drive's output port
AnswerA

Connecting the drive before powering the write-blocker can bypass the write-block.

Why this answer

When a write-blocker is powered on after the suspect drive is already connected, the drive may have already been enumerated by the operating system as a writable device. Write-blockers rely on intercepting and filtering ATA/SCSI commands at the hardware level before the OS sees the drive; if the drive is connected first, the OS may have already sent write commands or cached write attributes, bypassing the blocker's protection. This is why the proper sequence is to power on the write-blocker first, then connect the suspect drive.

Exam trap

EC-Council often tests the power-on sequence as a subtle but critical procedural step, knowing that candidates may focus on hardware compatibility or cabling errors instead of the order of operations.

How to eliminate wrong answers

Option B is wrong because most write-blockers are designed to draw power from the host USB port or have an external power adapter; lack of external power would cause the blocker to not enumerate at all, not to allow writes. Option C is wrong because SATA-to-USB write-blockers exist and are common; if the blocker is USB-only, it simply would not physically connect to a SATA drive, so the workstation would not see the drive at all. Option D is wrong because write-blockers have clearly labeled input (suspect drive) and output (host) ports; connecting to the output port would reverse the data flow and likely cause no enumeration or a connection error, not a writable drive.

12
MCQhard

A forensic lab is designing a network architecture to ensure the integrity of evidence during acquisition. What is the most critical design consideration?

A.Deploy multiple forensic workstations to parallelize tasks
B.Use a segmented network to isolate forensic tools
C.Encrypt all data in transit over the network
D.Implement hardware write-blockers on all acquisition stations
AnswerD

Write-blockers prevent any writes to the source drive, ensuring integrity.

Why this answer

Hardware write-blockers are the most critical design consideration because they physically prevent any write operations to the source drive at the ATA/SCSI command level, ensuring that the evidence remains bit-for-bit unchanged during acquisition. Without a hardware write-blocker, even a single read operation from a forensic workstation could inadvertently modify metadata (e.g., last access timestamps) or trigger anti-forensic mechanisms, compromising the integrity of the evidence and its admissibility in court.

Exam trap

The trap here is that candidates often confuse network security measures (segmentation, encryption) with evidence integrity controls, failing to recognize that the most critical design consideration is preventing any write access to the source media at the hardware level during acquisition.

How to eliminate wrong answers

Option A is wrong because deploying multiple forensic workstations to parallelize tasks improves throughput but does not address the fundamental requirement of preserving evidence integrity; it can even introduce chain-of-custody issues if not properly managed. Option B is wrong because using a segmented network to isolate forensic tools enhances security and prevents unauthorized access, but it does not prevent write operations to the source drive during acquisition, which is the primary integrity concern. Option C is wrong because encrypting data in transit over the network protects confidentiality and integrity during transfer, but it does not prevent the acquisition station from writing to the source drive; the evidence could be altered before encryption even occurs.

13
Multi-Selecthard

Which TWO of the following are essential components of a computer forensics lab according to CHFI best practices?

Select 2 answers
A.Server farm for data processing
B.Evidence storage area with controlled access
C.Public-facing website for case management
D.Coffee machine for staff convenience
E.Forensic workstation with specialized software
AnswersB, E

Critical for evidence integrity.

Why this answer

Option B is correct because a computer forensics lab must have a secure evidence storage area with controlled access to maintain the chain of custody and prevent tampering or unauthorized access to digital evidence. CHFI best practices emphasize physical security controls, such as biometric locks or access logs, to ensure evidence integrity throughout the investigation lifecycle.

Exam trap

EC-Council often tests the distinction between 'nice-to-have' items (like coffee machines) and mandatory security components (like controlled-access evidence storage), leading candidates to select convenience over critical infrastructure.

14
MCQmedium

During a forensic investigation, an analyst needs to acquire data from a live Windows system without altering the system's state. Which tool should the analyst use to capture the contents of RAM?

A.dd
B.FTK Imager Lite
C.EnCase
D.WinHex
AnswerB

FTK Imager Lite is designed to capture RAM from a live system without altering the system's state.

Why this answer

FTK Imager Lite is designed for live forensic acquisition on Windows systems, including capturing RAM contents without altering the system state. It uses a lightweight, read-only approach that avoids writing to the disk or modifying memory pages, preserving the integrity of the evidence.

Exam trap

EC-Council often tests the misconception that dd is the universal acquisition tool, but candidates forget that dd is not native to Windows and can alter the system state if not used with a dedicated memory acquisition driver.

How to eliminate wrong answers

Option A is wrong because dd is a Unix/Linux command-line tool for bit-for-bit copying, but it lacks native support for Windows memory acquisition and can cause system state changes if not used with specialized wrappers. Option C is wrong because EnCase is a comprehensive forensic suite that can acquire RAM, but its full installation and driver loading may alter the system state more than FTK Imager Lite's minimal footprint. Option D is wrong because WinHex is a hex editor and disk editor that can access physical memory, but it is not optimized for live RAM capture and may require manual configuration that risks altering the system state.

15
Matchingmedium

Match each Windows Registry hive to its stored information.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

User account passwords and hashes

System configuration and device drivers

Installed software and settings

Security policies and user rights

Per-user settings and preferences

Why these pairings

These hives contain specific types of configuration data.

Ready to test yourself?

Try a timed practice session using only Computer Forensics Lab questions.