Digital Forensics Final

Chapter 13 (Network Forensics), Chapter 8 (Windows Forensics), Chapter 09 (Linux Forensics), and Chapter 12 (Mobile Forensics)

Which statement best explains why journaling file systems (e.g., Ext3/Ext4) are helpful in forensic investigations?

They record pending changes.

In the Linux boot process, which component is responsible for loading the selected kernel into memory?

GRUB

Why is the /etc directory often targeted during an intrusion?

It holds system configuration files.

What is a primary forensic value of the /proc directory?

It contains kernel and process information directly from memory.

A suspicious USB device was plugged into a Linux system. Which command is most useful to identify when it was connected?

dmesg

Which directory contains critical files needed for booting the Linux operating system?

/boot

What does the file command help a forensic investigator determine?

The type of content stored inside the file

Why must /tmp often be examined while the system is still running?

Its contents may be wiped on reboot.

A file appears in /dev. What does this typically indicate?

It is a hardware interface object.

Which command can help map parent–child relationships between running processes?

pstree

Why is /var/log a high-value forensic location?

It maintains system and application logs.

The dd command is most commonly used for which forensic purpose?

Cloning drives bit-by-bit

What does the mount command help an investigator determine?

Which file systems are currently attached

What is the main difference between /tmp and /var/tmp?

/var/tmp persists across reboots; /tmp may be cleared on reboot

When the UE is in idle state, what is it still required to do?

Listen for paging messages

Which forensic evidence helps reconstruct a user’s movement timeline?

UE radio logs showing TAC changes and TAU events

Why does a BS resource-depletion attack block legitimate users?

The attacker consumes all available RRC connection slots.

In a remote deregistration attack, what inconsistency appears in logs?

De-register messages in network logs that do NOT exist in the UE’s logs.

In an authentication bypass attack, which abnormal behavior is observed?

RRC reconfiguration occurs without any completed security procedure.

iOS uses APFS because it allows what feature?

Per-file and multi-key encryption

When investigating a suspected ARP poisoning attack on a LAN, which header/field should you inspect first?

Sender MAC address

To detect overlapping or malformed IP fragments used in teardrop attacks, which header field should you examine?

Fragment Offset, More Fragments (MF) flag, and Total Length

Which header field should an investigator check to determine if injected TCP segments were accepted by a victim?

Sequence and Acknowledgment numbers

Which layer(s) typically contain encrypted data and are not visible to an investigator without decryption keys?

Application and Session layer

Which layer of the OSI model is responsible for data encryption and compression?

Presentation layer

An ARP poisoning attack occurs at which OSI layer?

Data Link

The Ping of Death attack involves

Sending oversized packets

The Teardrop attack exploits

Fragment offsets

The Smurf attack primarily uses which protocol?

ICMP

The Fraggle attack differs from the Smurf attack because it uses

UDP

A MAC address spoofing attack allows an attacker to

Impersonate another device on a LAN

Which attack exhausts DHCP server IP address pools?

DHCP starvation

Log files generally provide

Metadata

Which header should you examine first to detect an HTTP POST attack?

Content-Length header

Which Windows file acts as an extension of physical memory (RAM) and is commonly analyzed for evidence of program execution or credentials?

pagefile.sys

Which Windows registry hive contains information about local user accounts and password hashes?

SAM

The Prefetch files in Windows primarily reveal:

Which programs ran, when, and how often

Which Windows artifact tracks files and folders recently opened by specific applications, helping reconstruct user activity?

Jumplists

Which forensic artifact can confirm that a specific USB drive was connected to a Windows system, along with its serial number?

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR