Question 1

When marking evidence that has been collected with the aa/ddmmyy/nnnn/zz format, what does the nnn denote?

Options :

A : The year the evidence was taken

B : The sequence number for the parts of the same exhibit

C : The initials of the forensics analyst

D : The sequential number of the exhibits seized

Answer: D

Question 2

If the partition size is 4 GB, each cluster will be 32 K. Even if a file needs only 10 K, the entire 32 K will be allocated, resulting in 22 K of ________.

Options :

A : Slack space

B : Deleted space

C : Sector space

D : Cluster space

Answer: A

Question 3

When operating systems mark a cluster as used but not allocated, the cluster is considered as _________

Options :

A : Corrupt

B : Bad

C : Lost

D : Unallocated

Answer: C

Question 4

Consider a scenario where a forensic investigator is performing malware analysis on a memory dump acquired from a victims computer. The investigator uses Volatility Framework to analyze RAM contents; which plugin helps investigator to identify hidden processes or injected code/DLL in the memory dump?

Options :

A : pslist

B : malscan

C : mallist

D : malfind

Answer: D

Question 5

A breach resulted from a malware attack that evaded detection and compromised the machine memory without installing any software or accessing the hard drive. What technique did the adversaries use to deliver the attack?

Options :

A : Fileless

B : Trojan

C : JavaScript

D : Spyware

Answer: A