DIGITAL FORENSICS SAMPLE QUESTIONS DETAILED SOLUTIONS
FINAL AREAS TO STUDY
1. Briefly explain why permanently deleted files in a computer could still be accessed on the
hard disk.
Answer:
When a file is “permanently deleted” in a computer:
· The file isn’t immediately erased from the hard disk. Instead, the file system marks the
space as available for reuse.
· The actual data remains intact until the space is overwritten by new data.
· Forensic tools can scan for and recover these residual data fragments before overwriting occurs.
2. Why do SSDs not create slack space?
1. Absence of Physical Sectors
In HDDs, data is written in fixed-size sectors (e.g., 512 bytes). If a file is smaller than the sector
size, the remaining space in the sector is called slack space.
SSDs use a logical block addressing (LBA) scheme without physical sectors. Data is stored in
pages (usually 4 KB or larger) within blocks, and because of this architecture SSDs do not handle
slack space in the same way HDDs do.
3. Why are we able to recover deleted files?
We are able to recover deleted files because, in most cases, deleting a file does not immediately
remove its actual data from the storage medium. Instead, it involves changes to the file system's
metadata, leaving the underlying data intact until it is overwritten.
4. What is garbage collection in forensics?
In digital forensics, garbage collection refers to a process used by storage devices, especially
Solid State Drives (SSDs), to manage and optimize storage by reclaiming unused or invalid data
blocks.
5. What is Chain of Custody?
Chain of custody is a crucial process in digital forensics that ensures the integrity and
authenticity of evidence by documenting its handling from the moment it is collected until it is
presented in court or other proceedings.
6. What are formatting and partitioning?
Partitioning is the process of dividing a storage device into distinct sections, called partitions,
each of which functions as an independent storage unit.
Formatting is the process of preparing a partition for data storage by creating a file system on it.
The file system determines how data is organized and accessed on the storage medium.
7. What is meant by the security of the forensic lab?
The security of a forensic lab is crucial to maintaining the integrity of evidence, ensuring
compliance with legal standards, and preventing unauthorized access or tampering. Proper
security measures safeguard the credibility of forensic investigations and ensure that evidence
remains admissible in court.
8. What are these anti-forensic procedures: hiding, destruction and configuration?
Hiding Evidence - Hiding involves concealing data or evidence to make it difficult for forensic
tools or investigators to locate, e.g. hidden partitions, steganography.
Destruction of Evidence - Destruction techniques aim to delete or overwrite data, making it
difficult or impossible to recover, e.g. file deletion, physical destruction.
Configuration Manipulation - Configuration-based anti-forensic techniques involve altering
system or application settings to mislead investigators or prevent data collection, e.g.
timestamp manipulation, log file tampering.
9. Explain the process of defragmentation in forensics.
Over time, files become fragmented, i.e., their data is stored in non-contiguous blocks scattered
across the disk. During defragmentation, the system rearranges these fragmented files to store
them in contiguous blocks, improving access time and performance. The goal is to make file
retrieval faster by reducing the need to access multiple locations on the disk.
10. What technique can be used to recover a formatted drive?
File Carving
File carving is a technique where files are recovered by searching the raw sectors of a disk for
recognizable patterns or signatures, such as headers and footers of file types (e.g., JPEG, DOC,
PDF). This method doesn't rely on the file system and can recover files that are partially or fully
intact, even if the file system structures have been erased.
How it works:
Sectors are scanned for patterns and signatures that match known file types.
Fragmented files can also be reconstructed by searching for these patterns across multiple
sectors.
Tools:
Foremost (Linux-based, open-source)
PhotoRec (cross-platform)
R-Studio (commercial software)
PART A
1. State the Locard’s Exchange Principle and briefly explain its importance to you as a
forensic examiner.
Answer:
Locard’s Exchange Principle states that "every contact leaves a trace." This principle suggests
that when two objects come in contact, there will be an exchange of materials between them,
even if minute.
Importance:
As a forensic examiner, this principle is crucial because:
· It underpins the concept that evidence is always left behind at a crime scene or on a
digital device.
· It helps identify suspects through digital or physical traces left behind during interactions
with the device or network.
· It ensures thorough analysis of all possible areas where evidence could reside, such as file
systems, logs, and metadata.
2. Briefly explain why permanently deleted files in a computer could still be accessed on the
hard disk.
Answer:
When a file is “permanently deleted” in a computer:
· The file isn’t immediately erased from the hard disk. Instead, the file system marks the
space as available for reuse.
· The actual data remains intact until the space is overwritten by new data.
· Forensic tools can scan for and recover these residual data fragments before overwriting
occurs.
This ability to recover deleted files is critical for forensic investigations, as it can uncover
attempts to hide or destroy evidence.
3. What is Windows Prefetch? Explain the importance of Prefetch files to the forensic
examiner.
Answer:
Windows Prefetch is a mechanism used by the Windows operating system to speed up
application launch times by storing information about the files and data needed to start
applications.
Importance to Forensic Examiners:
· Execution History: Prefetch files provide a record of applications that were run,
including the timestamp of the last execution.
· Corroboration of Evidence: Helps confirm if a suspect used specific software.
· Timeline Analysis: Useful in reconstructing a sequence of activities on a system.
· Hidden Activity: Can reveal evidence of attempts to run unauthorized or malicious
software.
4. Explain the term Restore Point. What is the importance of restore points to the forensic
examiner?
Answer:
A Restore Point is a snapshot of the system's configuration and settings at a specific point in
time, created by the Windows System Restore feature.
Importance to Forensic Examiners:
· System State Analysis: Allows for reconstruction of the system’s configuration before or
after an incident.
· File Recovery: Helps recover deleted or altered system files.
· Malware Detection: Can identify if malicious software was present or changes were
made to the system.
· Evidence Integrity: Assists in verifying the state of the system at different times,
supporting timelines and evidence validity.
5. During forensic examination, it is always advised to use the process of cloning as compared
to ‘copy and paste’. Give three reasons to justify this assertion.
Answer:
1. Integrity Preservation: Cloning creates an exact bit-by-bit copy of the entire storage
device, preserving metadata, hidden files, and deleted data.
2. Avoid Alteration: Copying and pasting can inadvertently modify timestamps or file
attributes, whereas cloning avoids these changes.
3. Comprehensive Capture: Cloning captures slack space and unallocated space, which
may contain residual data and evidence.
PART B
6.
i. What is a write blocker?
A write blocker is a hardware or software tool that prevents any modification to a storage
device during forensic examination, ensuring data integrity.
ii. Importance of a write blocker to the forensic examiner:
· Preserves Evidence: Prevents accidental or intentional changes to the evidence.
· Ensures Admissibility: Maintains the chain of custody and ensures evidence can be used
in court.
· Integrity Verification: Allows examiners to verify that the original data hasn’t been
altered during analysis.
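The integrity points above (chain of custody in the study list, cloning versus copy-and-paste in Part A question 5, and integrity verification here) can be tied together in one script. This is an added example, not part of the original notes: the "drive" is a constructed byte string, and the custody record fields (case_id, examiner) are an assumed minimal layout.

```python
import hashlib
import json
from datetime import datetime, timezone

SECTOR = 512
LIVE = b"ACTIVE.TXT data"                # the only file the file system still lists
DELETED = b"old report: DELETED"         # deleted entry; its bytes are still on disk

# Constructed 'source drive' (added illustration): one live file padded to its
# sector, followed by an unallocated sector still holding a deleted file's data.
SOURCE = (LIVE + b"\x00" * (SECTOR - len(LIVE))
          + DELETED + b"\x00" * (SECTOR - len(DELETED)))

def sha256_of(data, chunk=1 << 20):
    """Hash in chunks: a real image is far too large to read in one piece."""
    h = hashlib.sha256()
    for i in range(0, len(data), chunk):
        h.update(data[i:i + chunk])
    return h.hexdigest()

def logical_copy(disk):
    """'Copy and paste' moves only the live file's bytes; slack and unallocated
    space never reach the copy."""
    return disk[:len(LIVE)]

def acquisition_record(image, case_id, examiner):
    """Chain-of-custody entry made at acquisition: who, when, how much, the hash."""
    return {
        "case_id": case_id,
        "examiner": examiner,
        "acquired_utc": datetime.now(timezone.utc).isoformat(),
        "size_bytes": len(image),
        "sha256": sha256_of(image),
    }

def verify(record, image):
    """Re-hash a working copy; any altered or missing byte breaks the match."""
    return len(image) == record["size_bytes"] and sha256_of(image) == record["sha256"]

if __name__ == "__main__":
    clone = bytes(SOURCE)                         # bit-for-bit clone of the drive
    rec = acquisition_record(clone, "CASE-0000 (constructed)", "examiner")
    print(json.dumps(rec, indent=2))
    print("clone verifies:", verify(rec, clone))
    print("clone holds deleted data:", DELETED in clone)
    print("copy-paste holds deleted data:", DELETED in logical_copy(SOURCE))
    tampered = bytearray(clone)
    tampered[0] ^= 0xFF                           # a single flipped bit
    print("tampered copy verifies:", verify(rec, bytes(tampered)))
```

The hash recorded at acquisition is what lets a later examiner prove the working copy is still the evidence that was seized; the clone keeps the deleted sector that a logical copy silently drops.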
iii. Explain the term file carving.
File carving is a technique used to recover files from unallocated space on a disk without relying
on file system metadata. It searches for file signatures to reconstruct files.
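A minimal header/footer carver, covering both this definition and the formatted-drive question in the study list (question 10). It is an added example, not code from the notes or from Foremost or PhotoRec; the "disk image" and the file signatures table are constructed inline, and it also shows how a header whose footer is missing is skipped.

```python
SECTOR = 512

# Constructed sample "disk image" (added illustration, not a real dump): files laid
# out among junk bytes with no file-system metadata, as after a quick format.
JPEG = b"\xff\xd8\xff\xe0" + b"J" * 100 + b"\xff\xd9"
PDF = b"%PDF-1.4\n" + b"P" * 300 + b"\n%%EOF"
PNG = b"\x89PNG\r\n\x1a\n" + b"N" * 50 + b"IEND\xae\x42\x60\x82"
ORPHAN = b"\xff\xd8\xff\xe1" + b"X" * 20          # JPEG header whose body was lost

def pad(blob):
    """Pad to a sector boundary; on disk a file always occupies whole sectors."""
    return blob + b"\x00" * (-len(blob) % SECTOR)

IMAGE = (pad(b"\x00" * SECTOR) + pad(JPEG) + pad(b"\x55" * 700)
         + pad(PDF) + pad(ORPHAN) + pad(PNG))

# Header/footer signatures per file type: the carver's only knowledge of the data.
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "pdf": (b"%PDF", b"%%EOF"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xae\x42\x60\x82"),
}

def carve(image, max_size=10 * 1024 * 1024):
    """Return [(type, start_offset, data)] for every header with a matching footer."""
    found = []
    for ftype, (header, footer) in SIGNATURES.items():
        start = 0
        while (hit := image.find(header, start)) != -1:
            end = image.find(footer, hit + len(header), hit + max_size)
            if end == -1:
                # Header with no footer inside the size window: an orphan, skip it.
                start = hit + 1
                continue
            end += len(footer)
            found.append((ftype, hit, image[hit:end]))
            start = end
    return sorted(found, key=lambda f: f[1])

if __name__ == "__main__":
    for ftype, off, data in carve(IMAGE):
        print(f"{ftype} at sector {off // SECTOR}: {len(data)} bytes")
```

Real carvers add per-type size limits and structure checks because a stray header followed much later by an unrelated footer would otherwise produce one oversized false positive.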
iv. Three methods of data creation and storage:
1. File-Based Storage: Storing data in files and folders (e.g., Word documents on a PC).
2. Block-Based Storage: Storing data in fixed-size blocks (e.g., databases).
3. Object-Based Storage: Storing data as objects with metadata (e.g., cloud storage
services like AWS S3).
7.
i. Why is imaging/cloning preferred over physical examination of systems?
· Preserves Original Evidence: Physical examination risks altering data.
· Repeatable Analysis: Clones allow multiple analyses without touching the original.
· Integrity Assurance: Ensures forensic integrity and maintains evidence admissibility.
ii. Is it possible to recover deleted files from a flash drive?
Yes, because deletion only marks the file space as reusable. The actual data remains until
overwritten.
iii. Importance of IP addresses:
· Identifies Devices: Traces devices connected to a network.
· Tracking Activity: Helps in tracking the origin of cyberattacks.
· Legal Evidence: Links online actions to specific devices or locations.
PART C
9.
i. Difference between expert witness and witness:
· Expert Witness: Provides specialized knowledge (e.g., a forensic examiner).
· Witness: Provides factual testimony based on personal knowledge.
ii. Procedures at the crime scene:
1. Document Scene: Photograph and record the environment.
2. Seize Devices: Carefully handle and bag evidence.
3. Chain of Custody: Maintain detailed records of evidence handling.
iii. Advantages of live evidence collection:
1. Captures Volatile Data: RAM contents and network connections.
2. Immediate Evidence: Avoids data loss from shutdown.
3. Identifies Running Processes: Detects active malware.