1.
Which of the below is the name of one of the two logical root keys that reside on the system hard drive of the Windows Registry?
Correct Answer
C. HKEY_LOCAL_MACHINE
Explanation
HKEY_LOCAL_MACHINE and HKEY_USERS are the two logical root keys on the system's hard drive.
2.
Which of the statements below belong to the A.C.P.O Principles?
Correct Answer(s)
B. An audit trail or other record of all processes applied to computer-based electronic evidence should be created and preserved. An independent third party should be able to examine those processes and achieve the same result.
C. No action taken by law enforcement agencies or their agents should change data held on a computer or storage media, which may subsequently be relied upon in court.
Explanation
The given answer is correct because both statements belong to the A.C.P.O Principles. The first statement requires that an audit trail or record of all processes applied to computer-based electronic evidence be created and preserved, so that an independent third party can examine those processes and achieve the same result. This aligns with the A.C.P.O Principle of maintaining a clear and transparent chain of custody for digital evidence. The second statement requires that no action taken by law enforcement agencies or their agents should alter the data held on a computer or storage media, since that data may later be relied upon in court. This reflects the A.C.P.O Principle of ensuring the integrity and preservation of digital evidence.
3.
The Examination & Analysis stage is completed before the Collection & Preservation stage of the Forensic Process.
Correct Answer
B. False
Explanation
The Examination & Analysis stage is not completed before the Collection & Preservation stage in the Forensic Process. The Collection & Preservation stage is typically the first step, in which evidence is collected, documented, and properly preserved to maintain its integrity. Only once this stage is complete is the evidence examined and analyzed in the subsequent stage. Therefore, the correct answer is False.
4.
Which of the following are Registry data types?
Correct Answer(s)
A. REG_DWORD
D. REG_SZ
E. REG_BINARY
F. REG_NONE
Explanation
Registry data types define the type of data stored in a Windows Registry value. REG_DWORD stores a 32-bit integer. REG_SZ stores a string. REG_BINARY stores binary data. REG_NONE stores data with no particular type. Therefore, the correct answers are REG_DWORD, REG_SZ, REG_BINARY, and REG_NONE.
5.
What is the file extension name for the Setup logs in Windows 7 (Windows logs)?
Correct Answer
B. .etl
Explanation
The file extension name for the Setup logs in Windows 7 (Windows logs) is .etl.
6.
What is the name of one of the most forensically significant Internet Explorer artifacts?
Correct Answer
D. Index.dat
Explanation
Index.dat is one of the most forensically significant Internet Explorer artifacts. It is a hidden system file that records the websites visited, cookies, and cached data. It is commonly found in the Temporary Internet Files folder and can provide valuable evidence in forensic investigations of internet browsing activity.
7.
Thumbnails are graphical images that represent a file or directory.
Correct Answer
A. True
Explanation
Thumbnails are indeed graphical images that represent a file or directory. They are usually smaller versions of the original image or icon, providing a visual preview or representation of the content. These thumbnails are commonly used in file browsers, image galleries, and other applications to give users a quick overview of the files or directories without having to open them. Therefore, the given answer "True" is correct.
8.
What is the name of the style given to the Windows 8 GUI (graphical user interface)?
Correct Answer
B. Metro
Explanation
Metro is the correct answer because it is the name of the style given to the Windows 8 GUI. Metro is characterized by its clean, minimalist design, with bold colors, typography, and a focus on content. It was designed to be simple, intuitive, and touch-friendly, allowing users to easily navigate and interact with the operating system.
9.
What are the names of the two paging files used in Windows 8?
Correct Answer(s)
A. Swapfile.sys
D. Pagefile.sys
Explanation
In Windows 8, the two paging files used are swapfile.sys and pagefile.sys. These files are used by the operating system to temporarily store data that cannot fit in the physical memory (RAM). The swapfile.sys file is responsible for managing the system's paging file on the boot drive, while the pagefile.sys file is used to store paging data for each individual user on the system. These paging files play a crucial role in optimizing memory usage and ensuring smooth system performance.
10.
The $Recycle.Bin folder is located within the Windows.old directory, which is accessible once a machine has been Refreshed in Windows 8.
Correct Answer
A. True
Explanation
The $Recycle.Bin folder is indeed located within the Windows.old directory, which is accessible after a machine has been Refreshed in Windows 8. Therefore, the statement "The $Recycle.Bin folder is located within the Windows.old directory, which is accessible once a machine has been Refreshed in Windows 8" is true.