CCNA CHFI Storage Filesystem Questions

75 of 172 questions · Page 2/3 · CHFI Storage Filesystem topic

76
Multi-Select · medium

Which TWO tools are commonly used for file carving during a forensic investigation?

Select 2 answers
A. fdisk
B. Autopsy
C. LiME
D. Scalpel
E. Foremost
Answers: D, E

Why this answer

Foremost and Scalpel are dedicated file carving tools that recover files based on headers/footers. fdisk is a partition tool, Autopsy is a forensic suite that can use carving but is not primarily a carver, and LiME is for memory acquisition.

77
MCQ · hard

In a RAID 5 array with three disks, one disk fails. The investigator images the remaining two disks and wants to reconstruct the missing data. Which approach is most appropriate?

A. Apply XOR operation between the two disk images to recover missing data
B. Mount the two disks in a Linux mdadm array with a missing disk
C. Use dd to concatenate the two disk images linearly
D. Use a tool like R-Studio to perform a virtual RAID rebuild
Answer: A

RAID 5 XOR parity can reconstruct missing data from remaining disks.

Why this answer

RAID 5 uses parity distributed across disks. Given two data disks, the third can be reconstructed by XORing the parity with the remaining data. However, the investigator must know the stripe size and parity layout.

78
MCQ · hard

A forensic investigator analyzing a RAID 5 array of three disks notices that one disk has failed. Can the investigator still reconstruct the data?

A. Yes, using the parity information from the remaining disks
B. No, RAID 5 requires all disks to be present
C. Yes, but only if the failed disk is the parity disk
D. No, because RAID 5 does not support hot swapping
Answer: A

RAID 5 uses parity to reconstruct data from a single failed disk.

Why this answer

RAID 5 uses distributed parity. With one disk failure, data can be reconstructed using the parity information on the remaining two disks.

79
MCQ · medium

During a forensic acquisition of a suspect's SSD, the analyst notices that the drive supports TRIM. Which of the following is the most important consideration when acquiring the drive to preserve deleted data?

A. Perform a full format of the SSD before acquisition to clear any TRIM-related issues
B. Use a hardware write-blocker and acquire the drive immediately to minimize TRIM interference
C. Enable TRIM in the forensic tool to ensure the drive is optimized before imaging
D. The SSD should be powered on for several hours to allow TRIM to complete before imaging
Answer: B

Correct: Immediate acquisition with write-blocker prevents further TRIM commands from destroying data.

Why this answer

TRIM causes the SSD to erase deleted blocks immediately, making recovery impossible. Imaging the drive as soon as possible and using a write-blocker can prevent further TRIM commands.

80
MCQ · easy

During a forensic analysis of an NTFS volume, an investigator finds a file that appears to be hidden. Which NTFS feature allows data to be stored in a file without affecting the file's visible size in the directory listing?

A. Alternate Data Streams (ADS)
B. Volume Shadow Copy
C. USN Journal
D. Master File Table ($MFT)
Answer: A

ADS are NTFS features that allow multiple data streams to be associated with a file, often used to hide data.

Why this answer

Alternate Data Streams (ADS) in NTFS allow data to be attached to a file, and the size is not shown in the main directory listing.

81
MCQ · medium

An analyst runs 'foremost -i disk.dd -o output' and recovers several JPEG files. However, some files are corrupted or incomplete. What is the most likely cause?

A. The files were fragmented across the disk, and foremost did not reassemble fragments
B. The files were stored in a journaling file system that overwrites deleted data quickly
C. The output directory had insufficient space to store the recovered files
D. The disk image contains bad sectors that could not be read
Answer: A

Foremost typically stops at the first footer or maximum file size; it doesn't handle fragmentation.

Why this answer

Foremost uses file headers/footers for carving. If the file was fragmented, the tool may only recover the first fragment, leading to corruption.

82
MCQ · medium

During a forensic examination of an ext4 filesystem, the analyst discovers that a suspicious file was deleted but the inode still exists in the filesystem. Which of the following techniques would MOST likely recover the file's data?

A. Use the `debugfs` utility with the `undel` command
B. Analyze the USN journal in NTFS
C. Run PhotoRec to carve unallocated space
D. Mount the filesystem and copy the file
Answer: A

debugfs can recover deleted files if the inode is still intact.

Why this answer

In ext4, when a file is deleted, the inode is marked as free but data blocks may remain. Using the debugfs command with the lsdel or undel function can recover the inode and data.

83
Multi-Select · medium

Which TWO of the following are valid methods to hide data on an NTFS volume? (Choose two.)

Select 2 answers
A. Storing data in the $Recycle.bin folder
B. Using the volume boot record
C. Using the MFT resident data area
D. Using Alternate Data Streams (ADS)
E. Using the USN journal
Answers: A, D

The $Recycle.bin folder can hide files by storing them in a special directory that is not easily visible.

Why this answer

Alternate Data Streams (ADS) allow data hiding in files, and the $Recycle.bin folder can be used to store deleted files that are not visible in normal browsing.

84
MCQ · medium

During a forensic investigation, an analyst finds a file with a creation timestamp earlier than the volume's formatted timestamp. Which of the following is the most likely explanation?

A. The file is actually a link to another file, so its timestamps reflect the source
B. The file's timestamps were deliberately modified to mislead investigators
C. The system clock was incorrect at the time of file creation
D. The file was created on a different system and copied to this volume
Answer: B

Anti-forensics techniques like timestamp manipulation are used to confuse analysis.

Why this answer

File timestamps can be manipulated by anti-forensics tools. A creation time before the volume format is a strong indicator of timestamp manipulation.

85
MCQ · easy

Which file system journal is commonly used in Linux ext3/ext4 to record metadata changes before they are committed to the main file system?

A. $LogFile
B. Journal (JBD/JBD2)
C. Recycle Bin
D. USN Journal
Answer: B

ext3 and ext4 use the Journaling Block Device (JBD/JBD2) to maintain a metadata journal.

Why this answer

The journal in ext3/ext4 logs metadata changes (and optionally data) to ensure filesystem consistency after a crash. It is a circular log that is replayed during mount.

86
Multi-Select · medium

Which TWO tools are specifically designed for file carving (recovering files based on signatures) and are commonly used in digital forensics?

Select 2 answers
A. Volatility
B. Scalpel
C. Foremost
D. EnCase
E. Autopsy
Answers: B, C

Scalpel is another file carving tool, originally based on Foremost.

Why this answer

Scalpel and Foremost are both purpose-built file carving tools that recover files by scanning raw data for known file headers and footers (signatures), without relying on filesystem metadata. Scalpel is a rewrite of Foremost with a more efficient configuration file, while Foremost was originally developed by the U.S. Air Force Office of Special Investigations.

Both are widely used in digital forensics for data recovery from damaged or unallocated disk space.

Exam trap

EC-Council often tests the distinction between dedicated file carving tools (Scalpel, Foremost) and broader forensic suites (EnCase, Autopsy) that include carving as a secondary feature, leading candidates to incorrectly select the more well-known commercial tools.

87
Multi-Select · hard

During a forensic analysis of an SSD, the analyst encounters challenges due to TRIM and wear-leveling. Which TWO statements accurately describe the impact of these features on data recovery?

Select 2 answers
A. TRIM immediately and permanently erases deleted file data at the block level
B. Wear-leveling can scatter fragments of a file across different NAND chips, complicating physical imaging
C. Both TRIM and wear-leveling are transparent to the operating system and have no impact on forensic analysis
D. Wear-leveling ensures that deleted files are overwritten with zeros to prevent forensic recovery
E. TRIM is only effective on HDDs, not SSDs
Answers: A, B

TRIM commands cause the SSD to erase blocks, preventing recovery.

Why this answer

TRIM causes the SSD to erase data blocks that are no longer in use, making recovery difficult. Wear-leveling distributes writes evenly, but also moves data around, complicating physical recovery.

88
MCQ · easy

Which file system artifact in NTFS is used to hide data by appending a stream to an existing file without affecting its primary data stream?

A. USN Journal
B. $Recycle.bin
C. Alternate Data Streams (ADS)
D. Master File Table ($MFT)
Answer: C

ADS allows data to be hidden in a separate stream.

Why this answer

Alternate Data Streams (ADS) allow hiding data by attaching additional streams to files. They are not visible in standard directory listings.

89
MCQ · medium

During a forensic investigation, you need to acquire the RAM of a running Linux system. Which tool is specifically designed for memory acquisition on Linux?

A. Memdump
B. Volatility
C. WinPmem
D. LiME
Answer: D

LiME is the recommended tool for Linux memory acquisition.

Why this answer

LiME (Linux Memory Extractor) is a loadable kernel module that allows full system memory acquisition from Linux systems. It is the standard tool for Linux memory forensics.

90
Multi-Select · hard

Which THREE of the following are characteristics of the GPT (GUID Partition Table) compared to MBR?

Select 3 answers
A. Partition information is stored in the boot code area
B. Uses a 32-bit Logical Block Address (LBA)
C. Partitions are identified by a Globally Unique Identifier (GUID)
D. Supports up to 128 primary partitions
E. Stores a backup partition table at the end of the disk
Answers: C, D, E

Each partition has a GUID.

Why this answer

GPT uses GUIDs, supports up to 128 partitions, stores a backup partition table at the end, and uses 64-bit LBA. It does not store partitions in the boot code area.

91
MCQ · hard

During a forensic investigation of a Windows 10 system, you find that a suspect used the 'cipher /w:C:' command. What is the primary forensic implication of this action?

A. It encrypts all files on the C: drive
B. It wipes free space, hindering recovery of deleted files
C. It enables file system journaling
D. It removes alternate data streams from files
Answer: B

cipher /w overwrites free space to prevent recovery of deleted data.

Why this answer

The `cipher /w:C:` command overwrites free space on the C: drive with zeros, making deleted file recovery from unallocated space much more difficult.

92
MCQ · easy

An analyst is investigating a compromised Linux system. Which file system structure holds metadata about every file and directory, including permissions, ownership, timestamps, and pointers to data blocks?

A. Journal
B. Block bitmap
C. Superblock
D. Inode
Answer: D

Each file and directory has an inode containing metadata and pointers to data blocks.

Why this answer

Inodes are data structures in ext2/3/4 that store metadata about files and directories.

93
MCQ · hard

An investigator is analyzing a RAID 5 array consisting of three disks. One disk fails and is replaced. After rebuilding, the file system appears corrupted. What is the MOST likely cause?

A. Two disks failed simultaneously
B. The replacement disk is smaller than the original
C. The file system is not supported by the RAID controller
D. The array was configured with an incorrect stripe size
Answer: B

RAID 5 requires all disks to be the same size; a smaller disk can cause rebuild errors.

Why this answer

RAID 5 can tolerate one disk failure. If the replacement disk is smaller than the original, the rebuild may fail or cause corruption.

94
MCQ · medium

In an ext4 file system, after a file is deleted, the inode's di_mode field is set to 0 and the block pointers are cleared. However, the file content may still be recoverable until what happens?

A. The data blocks are overwritten by new files
B. The file system is unmounted
C. The superblock is updated
D. The journal is committed
Answer: A

Once the blocks are reassigned and overwritten, recovery becomes difficult.

Why this answer

In ext4, when a file is deleted, its inode is marked as free, and data blocks are added to the free block bitmap. Recovery is possible if the blocks have not been reused.

95
MCQ · easy

A forensic analyst is examining a FAT32 file system and finds that the file allocation table indicates a cluster chain ending with 0x0FFFFFFF. What does this value signify?

A. End-of-file marker
B. Free cluster
C. Reserved cluster
D. Bad cluster
Answer: A

0x0FFFFFFF is the end-of-cluster-chain marker.

Why this answer

In FAT32 file systems, the File Allocation Table (FAT) uses 32-bit entries to track cluster allocation. The value 0x0FFFFFFF is the defined end-of-file (EOF) marker, indicating that the current cluster is the last in a file's cluster chain. This is a standard FAT32 convention, distinct from other special values like free or bad clusters.

Exam trap

The trap here is confusing the FAT32 EOF marker (0x0FFFFFFF) with the bad cluster marker (0x0FFFFFF7) or the reserved cluster range (0x0FFFFFF0–0x0FFFFFF6), as EC-Council often tests the exact hex values to catch candidates who memorize concepts without the precise numbers.

How to eliminate wrong answers

Option B is wrong because a free cluster is represented by the value 0x00000000 in FAT32, not 0x0FFFFFFF. Option C is wrong because reserved clusters are indicated by values in the range 0x0FFFFFF0 through 0x0FFFFFF6, not 0x0FFFFFFF. Option D is wrong because a bad cluster is marked with the value 0x0FFFFFF7 in FAT32, which is a specific sentinel for physical media defects.

96
MCQ · hard

In an ext3 file system, after deleting a file, the inode's link count drops to 0, but the data blocks remain. Which of the following is true regarding recovery?

A. The file can be recovered by reading the journal and replaying the deletion transaction
B. The file may be recovered through file carving by searching for known file signatures in the data blocks
C. The file cannot be recovered because ext3 zeroes the inode on deletion
D. The file can be recovered by undeleting the inode using debugfs or extundelete
Answer: B

Since data blocks are not overwritten immediately, file carving can recover the file by finding its header/footer signatures.

Why this answer

In ext3, deleting a file clears the inode and data block pointers. Recovery requires scanning the raw disk for file signatures (file carving) because the inode no longer points to the data.

97
MCQ · hard

During a forensic examination of a solid-state drive (SSD), the analyst notices that the TRIM command was enabled. What challenge does this pose for data recovery?

A. It erases data blocks immediately after deletion, preventing recovery
B. It causes fragmentation, making file recovery more complex
C. It causes the drive to encrypt data automatically
D. It physically destroys the NAND cells, making the drive unusable
Answer: A

TRIM notifies the SSD controller to erase blocks, making deleted data unrecoverable.

Why this answer

TRIM allows the SSD to erase data blocks immediately after deletion, making it impossible to recover data from those blocks using traditional file carving or undelete methods.

98
MCQ · medium

During an investigation, an analyst recovers deleted files from an NTFS volume. She notices that some files have data hidden in a stream that is not visible in regular directory listings. This stream is associated with a file but not stored in the $MFT. Which NTFS feature is being used to hide the data?

A. Journaling in NTFS
B. Alternate Data Streams (ADS)
C. Extended attributes in ext4
D. Volume shadow copy
Answer: B

ADS allow hiding data in NTFS streams.

Why this answer

Alternate Data Streams (ADS) allow data to be attached to a file as a separate stream, invisible in standard directory listings.

99
Multi-Select · medium

Which two of the following are characteristics of the ext4 file system? (Choose TWO.)

Select 2 answers
A. Uses a Master File Table ($MFT) to store file metadata
B. Uses a file allocation table (FAT) to track clusters
C. Uses a journal to maintain file system consistency
D. Stores directory entries in a B-tree structure
E. Supports extents for contiguous block allocation
Answers: C, E

Correct: ext4 has a journal.

Why this answer

ext4 uses extents for efficient space management and a journal for metadata consistency.

100
MCQ · easy

An analyst recovers a hard drive from a suspect's computer. The drive has a partition table that uses a 32-bit identifier and a maximum partition size of 2 TB. Which partition table type is present?

A. HFS+
B. GPT
C. APFS
D. MBR
Answer: D

MBR uses 32-bit partition table entries with a maximum partition size of 2 TB.

Why this answer

MBR uses 32-bit partition table entries and supports up to 2 TB partitions. GPT uses 64-bit entries and supports larger disks.

101
Multi-Select · medium

An analyst is examining a memory dump using Volatility and wants to identify network connections. Which TWO Volatility plugins can be used to list network connections?

Select 2 answers
A. netscan
B. dlllist
C. pstree
D. connscan
E. pslist
Answers: A, D

netscan scans for network connections.

Why this answer

netscan and connscan are Volatility plugins that list network connections. pslist lists processes, not connections. pstree lists process trees. dlllist lists loaded DLLs.

102
Multi-Select · hard

In ext3/ext4 file systems, which THREE of the following are key structures used for file metadata and recovery?

Select 3 answers
A. Journal
B. Superblock
C. Master File Table ($MFT)
D. File Allocation Table (FAT)
E. Inode table
Answers: A, B, E

Why this answer

The inode table stores metadata about each file (except name), superblock contains filesystem parameters, and journal records metadata changes for recovery.

103
MCQ · easy

Which file system artifact in NTFS records file system events such as file creation, deletion, and modification, and is often used to track attacker activities?

A. Event Logs
B. Prefetch files
C. USN Journal
D. Registry
Answer: C

The USN Journal records every change to files and directories on an NTFS volume.

Why this answer

The USN (Update Sequence Number) journal, also known as the change journal, records all changes to files on an NTFS volume. It is a valuable artifact for tracking file activity and forensic timeline analysis.

104
MCQ · easy

During a forensic investigation, you find an NTFS volume with a file that has an alternate data stream (ADS). Which command in Windows can be used to list all ADS on a file?

A. dir /r
B. dir /a
C. fsutil stream query
D. attrib /s
Answer: A

dir /r lists all streams (including alternate data streams) for each file.

Why this answer

The dir /r command in Windows lists all alternate data streams associated with files in a directory. This is a standard forensic technique to detect hidden data.

105
Multi-Select · hard

Which THREE of the following are valid memory forensic artifacts that can be extracted using the Volatility framework?

Select 3 answers
A. pstree
B. pslist
C. ls -l
D. netscan
E. dir /r
Answers: A, B, D

pstree displays the process tree.

Why this answer

Volatility can extract process lists (pslist), network connections (netscan), and process trees (pstree). These are standard plugins for memory analysis.

106
MCQ · medium

An investigator is examining a FAT32 filesystem and needs to recover a deleted file. In FAT32, the directory entry for a deleted file has the first byte of the filename set to 0xE5. What does this indicate?

A. The file is a system file
B. The file is hidden
C. The file is encrypted
D. The file has been deleted
Answer: D

0xE5 is the deletion marker in FAT filesystems.

Why this answer

In FAT filesystems, a deleted file's directory entry is marked with 0xE5 as the first byte of the filename. The file's cluster chain in the File Allocation Table is also marked as free. This is the standard deletion marker.

107
MCQ · medium

An investigator needs to recover a deleted partition from a disk that originally used an MBR partition table. Which tool can scan the disk for lost partitions and rebuild the partition table?

A. TestDisk
B. FTK Imager
C. Autopsy
D. PhotoRec
Answer: A

TestDisk is designed for partition recovery and can rebuild MBR and GPT partition tables.

Why this answer

TestDisk is a powerful tool designed to recover lost partitions and repair boot sectors. It can scan for partition tables and restore deleted partitions on MBR and GPT disks.

108
Multi-Select · hard

A forensic analyst is recovering deleted files from an ext3 file system. Which TWO methods can be used to recover deleted inodes?

Select 2 answers
A. Using file carving tools like Foremost
B. Using dd to create a raw image
C. Analyzing the ext3 journal for deleted inode entries
D. Using debugfs to display the superblock
E. Scanning the inode table for orphan inodes
Answers: C, E

The journal may contain records of deleted inodes.

Why this answer

In ext3, deleted inodes can be recovered by analyzing the journal (which records metadata changes) or by scanning the inode table for orphan inodes. File carving recovers file data without metadata. Using debugfs to view the superblock does not recover inodes.

109
MCQ · medium

An investigator finds evidence of data hidden using Alternate Data Streams (ADS) on an NTFS volume. Which command would display all ADS associated with files in a directory?

A. dir /s
B. dir /x
C. dir /r
D. dir /a
Answer: C

/r displays alternate data streams in the output.

Why this answer

The `dir /r` command in Windows Command Prompt lists all files, including their alternate data streams. Alternatively, tools like 'streams' from Sysinternals can be used.

110
MCQ · medium

During a forensic investigation, an analyst recovers a hard drive that uses GPT partitioning. The analyst needs to locate the backup GPT header to verify partition table integrity. Where is the backup GPT header typically stored on the disk?

A. The first sector of the last partition
B. The last sector of the disk
C. Sector 0 (the MBR sector)
D. Sector 1 (immediately after the protective MBR)
Answer: B

The backup GPT header is located at the last logical sector of the disk.

Why this answer

The backup GPT header is stored at the last sector of the disk to provide redundancy in case the primary GPT header is corrupted.

111
MCQ · easy

An analyst is examining a Windows 10 system and discovers a file in the $Recycle.bin folder with a name like '$RABCDEF.txt'. The analyst wants to recover the original file path and deletion date. Which forensic artifact should the analyst examine?

A. The corresponding $I file (e.g., $IABCDEF.txt) in $Recycle.bin
B. The Windows Event Logs
C. The USN journal
D. The $MFT entry for the $R file
Answer: A

$I files store the original name, path, and deletion timestamp.

Why this answer

The $I files in the $Recycle.bin contain metadata about the deleted file, including original path and deletion time.

112
MCQ · hard

A forensic examiner finds a file on an NTFS volume that appears to have data hidden in its alternate data stream. The file's size is reported as 10 KB, but the volume's cluster size is 4 KB. How many clusters of file slack could potentially contain hidden data in the primary stream?

A. 12 KB
B. 4 KB
C. 2 KB
D. 0 KB
Answer: C

The file uses 2 full 4 KB clusters (8 KB) and 2 KB of the third cluster, leaving 2 KB slack.

Why this answer

File slack is the unused space between the end of the file data and the end of its last cluster. A 10 KB file stored in 4 KB clusters occupies 3 clusters (12 KB), so the unused portion of the third cluster is 2 KB of slack. The question asks specifically about the primary stream's file slack, which is 2 KB; note that an ADS can also occupy clusters of its own, but those are not part of the primary stream.

113
Multi-Select · medium

Which TWO of the following are valid techniques for acquiring RAM in a Windows system?

Select 2 answers
A. WinPmem
B. Sleuth Kit
C. LiME
D. dd
E. FTK Imager
Answers: A, E

WinPmem is a memory acquisition tool for Windows.

Why this answer

WinPmem and FTK Imager are both capable of acquiring RAM on Windows systems. LiME is for Linux.

114
MCQ · medium

An analyst is analyzing a disk image and finds a 512-byte sector at LBA 0 that contains a bootloader and a partition table. The partition table has four entries, each 16 bytes. What type of partition table is this?

A. Apple Partition Map
B. MBR
C. GPT
D. BSD disklabel
Answer: B

MBR has exactly this structure: boot code, 64-byte partition table, and signature.

Why this answer

The MBR (Master Boot Record) uses a 512-byte sector at LBA 0, with the first 446 bytes for boot code, a 64-byte partition table (4 entries of 16 bytes each), and a 2-byte signature (0x55AA). This description matches MBR exactly.

115
MCQ · medium

In an investigation of a Windows system, the analyst uses Volatility's 'netscan' plugin and identifies a suspicious outbound connection to an IP address on port 4444. Which of the following is the most likely associated malicious activity?

A. Reverse shell connection from a backdoor
B. DNS tunneling exfiltration
C. HTTP data exfiltration
D. Remote desktop session
Answer: A

Correct: Port 4444 is a common reverse shell port.

Why this answer

Port 4444 is commonly used by reverse shells (e.g., Metasploit default) and indicates a potential command and control session.

116
MCQ · hard

During memory analysis, an examiner uses the Volatility 'malfind' plugin and discovers a process with executable code in an executable heap. Which technique is most likely being used by malware to avoid detection?

A. Process hollowing
B. DLL injection
C. Heap spraying
D. Reflective DLL loading
Answer: C

Heap spraying fills the heap with executable code to exploit vulnerabilities; malfind can detect it.

Why this answer

Executable heap is a sign of code injection; malware may allocate memory with execute permissions and inject shellcode.

117
MCQ · medium

An investigator is using Autopsy to analyze a disk image from a suspected hacker's computer. They want to recover deleted JPEG images that may have been stored in unallocated clusters. Which Autopsy feature is best suited for this task?

A. File Type Sorting
B. Hash Set Analysis
C. Timeline Analysis
D. Keyword Search
Answer: A

Autopsy includes a file carving module that can recover files by type from unallocated space.

Why this answer

Autopsy's 'File Recovery by Type' module (also known as 'PhotoRec Carver' or 'File Carving') can recover files based on their headers/footers, such as JPEG magic bytes.

118
MCQ · hard

A security analyst suspects an attacker has hidden data in the Host Protected Area (HPA) of a suspect's hard drive. Which of the following tools is BEST suited to detect and access the HPA?

A. Foremost
B. EnCase
C. WinPmem
D. PhotoRec
Answer: B

EnCase can acquire and analyze HPA/DCO regions.

Why this answer

EnCase Forensic can image the entire disk including HPA and DCO, and is commonly used to detect hidden areas.

119
MCQ · medium

An examiner is analyzing an NTFS volume and suspects that a suspect hid data using Alternate Data Streams (ADS). Which tool or method is MOST appropriate to list all ADS on the volume?

A. Execute 'dir /r' in a Windows command prompt on the mounted image
B. Run 'ls -la' from a Linux forensic environment
C. Use 'icacls' to view security descriptors and detect ADS
D. Mount the image in Autopsy and run the 'Find File' module
Answer: A

'dir /r' displays alternate data streams in NTFS. This is a standard Windows command.

Why this answer

Native Windows commands can list ADS: 'dir /r' shows alternate streams. Streams.exe from Sysinternals also lists streams. FTK and EnCase have built-in ADS detection.

120
MCQ · medium

During a forensic examination of a Linux ext4 file system, an investigator runs the `ls -i` command and sees inode numbers. They need to examine the inode structure. Which command should they use to display detailed inode information?

A. dd if=/dev/sda1 of=output.img
B. debugfs -R 'stat <inode>' /dev/sda1
C. mount -o loop image.img /mnt
D. fsck /dev/sda1
Answer: B

debugfs with the stat command shows inode details in an ext filesystem.

Why this answer

The `stat` command run inside debugfs displays detailed metadata for the given inode number, including permissions, timestamps, and block locations.

121
MCQ · medium

Which of the following best describes the purpose of the Host Protected Area (HPA) on a hard disk drive?

A. To accelerate read/write operations using flash cache
B. To store the file system journal
C. To provide a hidden storage area that is inaccessible through standard OS commands
D. To store the Master Boot Record
Answer: C

Correct: HPA can be used to hide data from the OS.

Why this answer

HPA is a reserved area on the drive that is not normally accessible by the OS. It is often used by manufacturers for diagnostics, and it can be abused to hide data.

122
Multi-Select · hard

Which TWO of the following are challenges specific to SSD forensics compared to HDD forensics?

Select 2 answers
A. Wear leveling distributes writes, complicating data location
B. File system metadata may be overwritten
C. Magnetic remanence allows data recovery
D. Slack space contains remnants of deleted files
E. TRIM command erases deleted data
Answers: A, E

Wear leveling moves data, making it harder to find specific sectors.

Why this answer

TRIM causes data erasure, and wear leveling makes data location unpredictable. The other options apply to both HDD and SSD.

123
MCQ · hard

An investigator uses FTK Imager to capture a forensic image of a suspect's hard drive. During acquisition, the tool reports that the DCO (Device Configuration Overlay) is present. What does this indicate?

A. The drive is failing and needs replacement
B. The drive supports hardware encryption
C. The drive has a GPT partition table
D. The drive has been tampered with to hide data
Answer: D

DCO can be used to hide data from the OS and forensic tools.

Why this answer

DCO is a region beyond the HPA that can hide data; its presence suggests possible data hiding.

124
Multi-Select · medium

An investigator is analyzing a memory dump with Volatility and wants to identify network connections. Which TWO commands can provide information about TCP and UDP connections? (Select 2)

Select 2 answers
A. volatility -f mem.dmp netscan
B. volatility -f mem.dmp connections
C. volatility -f mem.dmp netstat
D. volatility -f mem.dmp pslist
E. volatility -f mem.dmp dlllist
Answers: A, C

netscan scans for network connections on Windows systems.

Why this answer

Volatility's netscan and netstat plugins list network connections from memory.

125
MCQ · medium

During a forensic examination of a Windows system, an analyst finds a file that appears to be zero bytes in size when viewed in Windows Explorer, but the file's properties show a size on disk of 4 KB. What is the most likely explanation?

A. The file contains only slack space
B. The file is compressed using NTFS compression
C. The file is stored in an alternate data stream (ADS)
D. The file is a sparse file
Answer: D

Why this answer

Sparse files in NTFS have a logical size that differs from the space allocated on disk. The file may appear as zero bytes in Explorer while still having space allocated to it on the volume.

126
Multi-Select · hard

Which three of the following are common techniques used to hide data on a storage device? (Choose THREE.)

Select 3 answers
A. File system journaling
B. Host Protected Area (HPA)
C. Alternate Data Streams (ADS) in NTFS
D. TRIM command
E. Slack space (file slack, volume slack)
Answers: B, C, E

Correct: HPA hides data from the OS.

Why this answer

HPA, ADS, and slack space are well-known data hiding techniques.

127
MCQ · easy

A forensic examiner wants to recover deleted files from a USB drive formatted with FAT32. Which file carving tool is specifically designed to recover files based on file headers and footers?

A.Nmap
B.Foremost
C.Wireshark
D.Sleuth Kit
AnswerB

Foremost is a file carving tool that recovers files using headers and footers.

Why this answer

Foremost is a file carving tool that uses headers and footers to recover files. It is widely used for data recovery from FAT, NTFS, and other file systems.

128
MCQeasy

What is the primary difference between MBR and GPT partition tables?

A.MBR is used only on Linux; GPT is used on Windows
B.GPT uses a cyclic redundancy check (CRC) for integrity; MBR does not
C.MBR supports larger disks than GPT
D.GPT stores the partition table only in the first sector
AnswerB

Correct. GPT has CRC32 checksums; MBR has no integrity check.

Why this answer

MBR uses 32-bit entries and supports up to 4 primary partitions and disks up to 2 TB. GPT uses 64-bit entries, supports up to 128 partitions and disks larger than 2 TB, and keeps a backup partition table for redundancy.

129
MCQeasy

Which of the following best describes the purpose of the Master File Table (MFT) in the NTFS filesystem?

A.It manages the file allocation table for cluster chains
B.It stores the partition table and boot sector
C.It contains metadata and file attribute records for all files and directories
D.It maintains a journal of all filesystem changes
AnswerC

Correct. The MFT stores file metadata and attributes.

Why this answer

The MFT is a relational database containing one or more records for each file and directory on the volume, storing metadata such as timestamps, permissions, and data runs.

130
MCQmedium

An investigator uses the `volatility -f mem.dump netscan` command on a memory dump from a Windows 10 system. What information is this command primarily intended to reveal?

A.Network connections and listening ports
B.List of running processes
C.File handles opened by each process
D.Registry hives loaded in memory
AnswerA

netscan enumerates network artifacts from memory.

Why this answer

The `netscan` plugin in Volatility scans memory for network connections (TCP and UDP) and listening ports, including those from hidden or terminated processes.

131
MCQhard

During a forensic investigation, you encounter a RAID 5 array consisting of three 1 TB disks. The array has failed, and you need to reconstruct the original data. Which of the following approaches is MOST appropriate for data recovery?

A.Mount each disk individually and copy files
B.Run `mdadm --assemble --scan` on the images
C.Use `dd` to image each disk and then XOR the three images together
D.Use EnCase to perform a RAID rebuild with known parameters
AnswerD

Correct. EnCase and similar tools can automate RAID reconstruction given disk order, stripe size, and parity rotation.

Why this answer

Forensic tools like EnCase or FTK can reconstruct RAID arrays if the parameters (stripe size, parity order) are known. Manual reconstruction using dd and parity calculations is possible but error-prone.

132
MCQeasy

A forensic examiner needs to acquire the RAM from a Windows 10 system without altering the contents. Which tool is MOST appropriate for this task?

A.WinPmem
B.FTK Imager
C.LiME
D.dd
AnswerA

WinPmem is designed for capturing Windows RAM.

Why this answer

WinPmem is a memory acquisition tool for Windows that supports capturing RAM. It is widely used in forensics. LiME is for Linux; FTK Imager can acquire disk images but not RAM.

133
MCQmedium

During a forensic examination of a Windows 10 system, you find a file with an ADS named `:hidden.txt` attached to `legal.docx`. Using FTK Imager, you extract the ADS and discover it contains a list of passwords. Which tool or technique could also be used to identify this hidden data?

A.Analyzing the $MFT using Autopsy
B.Running `strings` on the raw partition
C.Using `lsof` on a live system
D.Performing file carving with PhotoRec
AnswerA

Correct. Autopsy can parse $MFT and display ADS entries.

Why this answer

Autopsy (Sleuth Kit) can list alternate data streams when viewing file metadata. The `istat` command in TSK also shows ADS, but Autopsy is a common GUI tool.

134
MCQeasy

A forensic analyst is examining a disk image and needs to identify the file system structure. She looks for the Master File Table ($MFT) to begin analysis. Which file system is she most likely dealing with?

A.FAT32
B.NTFS
C.HFS+
D.ext4
AnswerB

NTFS uses $MFT for file metadata.

Why this answer

$MFT is a key component of NTFS, storing metadata about files and directories.

135
Multi-Selecthard

Which THREE of the following present unique challenges for forensic analysis of solid-state drives (SSDs) compared to traditional hard disk drives (HDDs)? (Select THREE.)

Select 3 answers
A.Slack space analysis due to 512-byte sector emulation
B.Wear leveling that moves data around the NAND chips
C.Fragmentation due to file system aging
D.Garbage collection that consolidates valid data and erases stale blocks
E.TRIM command that erases deleted data blocks
AnswersB, D, E

Wear leveling distributes writes, causing data to be moved unpredictably.

Why this answer

SSDs use flash memory and have features like TRIM, wear leveling, and garbage collection that can destroy or relocate data, making recovery difficult. These are distinct from HDD behavior.

136
MCQmedium

During a forensic investigation, an analyst uses a tool to capture the contents of RAM from a live Linux system. Which tool is specifically designed for this purpose and can acquire memory over a network or via a local kernel module?

A.WinPmem
B.LiME
C.FTK Imager
D.Volatility
AnswerB

LiME is a Linux memory acquisition tool.

Why this answer

LiME (Linux Memory Extractor) is a tool that acquires RAM from Linux systems and can output to various formats, including over the network.

137
MCQmedium

An examiner acquires a forensic image of an SSD from a suspect's laptop. The SSD was connected to a system with TRIM enabled. What challenge will the examiner most likely face when trying to recover deleted files?

A.Wear leveling complicates data location
B.RAID striping interferes with imaging
C.The SSD is encrypted and cannot be imaged
D.Deleted files may have been physically erased by TRIM
AnswerD

TRIM commands cause the SSD to erase data blocks, hindering recovery.

Why this answer

TRIM causes the SSD to erase blocks that are no longer in use, making file recovery difficult because data is physically erased.

138
MCQeasy

During a forensic investigation, an analyst needs to recover recently deleted files from a FAT32 partition. Which of the following techniques is MOST effective for recovering files whose directory entries have been marked as deleted but the clusters have not yet been overwritten?

A.Running 'scalpel' to extract fragments and reassemble based on metadata
B.Using the 'foremost' tool to perform file carving based on file headers and footers
C.Using 'dd' to create a raw image and then 'photorec' to recover based on file signatures
D.Editing the directory entry's first byte from 0xE5 to the original character and recalculating the FAT chain
AnswerD

This restores the deleted file's directory entry, making it visible again. The FAT chain is usually still valid.

Why this answer

FAT32 marks deleted files by setting the first byte of the directory entry to 0xE5. If the clusters are not overwritten, the file can be recovered by restoring the original first byte and using the FAT chain. File carving is used when directory entries are gone or clusters are fragmented.

139
Multi-Selecteasy

Which TWO of the following are types of slack space that can contain forensic evidence?

Select 2 answers
A.Volume slack
B.Index slack
C.Swap space
D.Buffered slack
E.RAM slack
AnswersA, E

Why this answer

Volume slack is the unused space between the end of the file system and the end of the partition. When the file system is smaller than the partition that holds it, the remaining space (volume slack) can contain remnants of previously stored data, making it a valuable source of forensic evidence. RAM slack is the portion of a file's last sector between the end of the file's data and the end of that sector; older Windows versions padded it with whatever happened to be in memory, so it can hold fragments of RAM contents.

Exam trap

EC-Council often tests the distinction between 'volume slack' and 'RAM slack' as the two correct types, while distractors like 'swap space' or 'index slack' are common misconceptions that candidates mistake for legitimate slack space categories.

140
MCQhard

An analyst is examining a USB drive that appears to have a smaller capacity than expected. The drive is detected as 8 GB but only 7 GB is accessible. Which of the following is the most likely cause?

A.The file system uses a cluster size that wastes space
B.The drive is formatted with FAT32 which has a 4 GB file size limit
C.The drive has a Host Protected Area (HPA) hiding 1 GB
D.The drive contains a hidden partition
AnswerC, D

Correct: HPA can hide a portion of the drive from the OS.

Why this answer

The missing space could be due to an HPA (Host Protected Area) or DCO (Device Configuration Overlay) configured to hide the additional space.

141
MCQhard

An analyst recovers a disk image from a Linux server that used ext4. The image shows a superblock backup at multiple offsets. Which dd command would correctly extract the backup superblock located at offset 32768 bytes?

A.dd if=image.dd of=superblock.bin bs=4096 skip=8 count=1
B.dd if=image.dd of=superblock.bin bs=512 skip=64 count=2
C.dd if=image.dd of=superblock.bin bs=1024 skip=32 count=1
D.dd if=image.dd of=superblock.bin bs=32768 skip=1 count=1
AnswerB

bs=512, skip=64 (offset 32768/512), count=2 (1024/512).

Why this answer

To extract the backup superblock at offset 32768 with size 1024 bytes, dd needs skip=32768/512=64 and count=1024/512=2.

142
Multi-Selecthard

Which THREE of the following are challenges specific to forensic analysis of solid-state drives (SSDs) compared to traditional hard disk drives? (Select 3)

Select 3 answers
A.TRIM command may permanently erase deleted data
B.SSDs have platters that can be degaussed to destroy data
C.SSDs are slower to image because of rotational latency
D.Garbage collection can erase blocks containing deleted files before acquisition
E.Wear leveling moves data across blocks, complicating file system analysis
AnswersA, D, E

TRIM informs the SSD to erase blocks, making recovery impossible.

Why this answer

SSDs have TRIM, wear leveling, and garbage collection that can destroy data or make recovery difficult.

143
Multi-Selectmedium

Which TWO of the following are common challenges in SSD forensics that can hinder data recovery?

Select 2 answers
A.File fragmentation
B.TRIM
C.Bad sectors
D.NTFS permissions
E.Wear levelling
AnswersB, E

TRIM erases blocks upon deletion, preventing recovery.

Why this answer

TRIM is a command that allows an operating system to inform an SSD which data blocks are no longer in use and can be wiped internally. When TRIM is enabled, the SSD's controller immediately erases those blocks, making the original data unrecoverable by forensic tools because the physical cells are reset to an unprogrammed state. This directly hinders data recovery because the data is permanently removed at the hardware level before any forensic acquisition can occur.

Exam trap

EC-Council often tests the misconception that file fragmentation (Option A) is a major SSD forensic challenge, but the trap is that fragmentation is handled internally by the SSD controller and does not impede forensic recovery like TRIM and wear levelling do.

144
MCQmedium

During a forensic examination of a Linux system, the investigator runs the command 'ls -i /home/user/file.txt' and sees inode number 12345. The file was recently deleted. Which of the following is the most effective method to recover the file, assuming the inode is still accessible?

A.Run 'scalpel' with a custom configuration for the file type
B.Use 'foremost' to scan the disk for the file header/footer
C.Run 'photorec' on the disk to carve the file from unallocated space
D.Use 'debugfs' to attempt to recover the inode and its data blocks
AnswerD

Correct: debugfs can recover files by inode if the inode is still allocated.

Why this answer

The 'debugfs' tool on ext filesystems can access inodes directly to recover deleted files if the inode is still present.

145
MCQeasy

Which tool is specifically designed for file carving and can recover files based on headers and footers without relying on file system metadata?

A.FTK Imager
B.Foremost
C.Autopsy
D.Volatility
AnswerB

Foremost is a command-line file carver that recovers files based on headers, footers, and data structures.

Why this answer

Foremost is a file carving tool that uses headers/footers. Autopsy and FTK have carving modules but Foremost is dedicated to it.

146
MCQeasy

A forensic analyst is investigating a Windows system and needs to examine the contents of the Recycle Bin. Which file artifact contains metadata about deleted files, including original file paths and deletion times?

A.$Recycle.bin\$I
B.C:\Windows\System32\winevt\Logs
C.$Recycle.bin\$R
D.C:\Windows\Prefetch
AnswerA

$I stores the metadata including original path, deletion time, and size.

Why this answer

The $Recycle.bin directory holds, for each deleted file, an $R file (the file content) and an $I file (the info file). The $I file stores metadata such as original path, deletion time, and size. This is the standard Recycle Bin artifact in NTFS.

147
MCQeasy

What is the primary purpose of the Host Protected Area (HPA) on a hard disk drive?

A.To provide a write-cache for improved performance
B.To store diagnostic data or allow vendors to hide data from the OS
C.To store the partition table when using GPT
D.To store the operating system boot loader
AnswerB

HPA is used by manufacturers for tools, diagnostics, or data hiding.

Why this answer

HPA is a reserved area on the disk that is not visible to the operating system, intended for vendor-specific data. It can be used to hide data from forensic acquisition.

148
MCQmedium

In NTFS, the $MFT file contains metadata about every file and directory on the volume. When a file is deleted, its $MFT record is marked as free. What information in the $MFT record is MOST useful for recovering a deleted file?

A.The file name attribute
B.The standard information attribute
C.The security descriptor
D.The data attribute
AnswerD

The data attribute contains data runs that specify which clusters hold the file content, essential for recovery.

Why this answer

The $MFT record contains data runs (extents) that point to the clusters where the file data is stored. Even after deletion, if the clusters have not been overwritten, these data runs can be used to recover the file content.

149
MCQmedium

During a forensic analysis of a drive, the examiner discovers a Host Protected Area (HPA). What is the primary purpose of an HPA?

A.To store the file system journal
B.To accelerate disk read/write operations
C.To provide a hidden storage area not visible to the OS
D.To store backup copies of the MBR
AnswerC

HPA is a reserved area that is not accessible via standard OS commands.

Why this answer

HPA is a region on ATA drives that is hidden from the operating system, often used by manufacturers for diagnostic tools or to hide data.

150
Multi-Selectmedium

Which TWO of the following tools are commonly used for file carving in forensic investigations?

Select 2 answers
A.Autopsy
B.PhotoRec
C.Foremost
D.EnCase
E.Wireshark
AnswersB, C

PhotoRec is a file carving tool that recovers many file types.

Why this answer

Foremost and PhotoRec are popular file carving tools. EnCase and FTK are suites that include carving but are not exclusively carving tools; the question asks for tools commonly used for carving.
