Which OSI layer is most relevant in network forensic investigations involving

packet capture?
A. Application
B. Transport
C. Network
D. Data Link
ANSWER: C

Which protocol is often analyzed in digital forensics to trace email headers?

A. FTP
B. SMTP
C. ICMP
D. ARP
ANSWER: B

What type of forensic evidence can be gathered from the Transport Layer?
A. MAC addresses
B. IP addresses
C. TCP/UDP session details
D. Physical device information
ANSWER: C

Which network device operates at Layer 3 and is crucial for forensic packet
tracing?
A. Switch
B. Router
C. Hub
D. Repeater
ANSWER: B

Which OSI layer is responsible for ensuring reliable data transmission, making it
useful in forensic analysis of dropped packets?
A. Physical
B. Data Link
C. Transport
D. Network
ANSWER: C

Which command is useful in forensic investigations to trace the path packets take
through a network?
A. nslookup
B. traceroute
C. netstat
D. ipconfig
ANSWER: B

What forensic artifact is found at the Data Link Layer?

A. IP address
B. MAC address
C. Domain name
D. HTTP headers
ANSWER: B

Which OSI layer handles encryption and compression, making it significant in

forensic analysis of secure communications?
A. Transport
B. Network
C. Presentation
D. Data Link
ANSWER: C

Which forensic tool is commonly used to analyze network traffic and extract
packets?
A. Wireshark
B. Metasploit
C. Autopsy
D. FTK
ANSWER: A

What digital forensic evidence can be obtained from the Application Layer?
A. Packet fragmentation data
B. TCP sequence numbers
C. HTTP requests and responses
D. Routing tables
ANSWER: C

Which of the following is a primary concern in forensic analysis of wireless

networks?
A. IP packet headers
B. Signal interference
C. MAC address spoofing
D. Bandwidth allocation
ANSWER: C

Which command-line tool helps in forensic analysis by displaying open network

connections?
A. nslookup
B. netstat
C. ping
D. whois
ANSWER: B

Which protocol is most relevant for forensic investigations into real-time

communication applications?
A. FTP
B. SNMP
C. SIP
D. IMAP
ANSWER: C

Which forensic technique is used to analyze network logs for suspicious activities?
A. Memory forensics
B. Log correlation
C. Disk imaging
D. File carving
ANSWER: B

What is the purpose of deep packet inspection in digital forensics?

A. To analyze packet headers only
B. To capture and examine packet contents
C. To encrypt sensitive data
D. To speed up network performance
ANSWER: B

Which forensic challenge arises when analyzing encrypted network traffic?

A. Identifying MAC addresses
B. Deciphering packet payloads
C. Tracing hop counts
D. Detecting IP fragmentation
ANSWER: B

Which OSI layer is responsible for logical addressing, which is critical for
tracking network activity in forensic investigations?
A. Transport
B. Network
C. Data Link
D. Application
ANSWER: B

Which protocol is commonly analyzed in forensic investigations to track domain name

resolution?
A. ICMP
B. DNS
C. SSH
D. Telnet
ANSWER: B

What type of digital forensic evidence can be obtained from packet capture at the
Physical Layer?
A. Signal strength and timing
B. IP routing tables
C. Email headers
D. TCP connection status
ANSWER: A

Which forensic tool is used to extract and analyze email headers in an

investigation?
A. Wireshark
B. ExifTool
C. FTK
D. Xplico
ANSWER: D

Which protocol is used to retrieve emails and is significant in forensic email

investigations?
A. SMTP
B. POP3
C. SNMP
D. ICMP
ANSWER: B

What is the significance of a firewall log in network forensics?

A. It stores encrypted emails
B. It records network traffic passing through a firewall
C. It captures images from network traffic
D. It detects physical device tampering
ANSWER: B

Which attack technique is commonly analyzed in forensic investigations of

unauthorized network access?
A. SQL Injection
B. Man-in-the-middle attack
C. Buffer overflow
D. Social engineering
ANSWER: B

Which OSI layer plays a key role in forensic investigation of intercepted VoIP
communications?
A. Transport
B. Network
C. Data Link
D. Application
ANSWER: D

Which type of log file is most useful in analyzing failed login attempts in a
forensic investigation?
A. HTTP access logs
B. DNS query logs
C. System authentication logs
D. ARP cache logs
ANSWER: C

Which forensic method is used to identify unauthorized devices on a network?

A. Traffic shaping
B. Network scanning
C. Disk imaging
D. Steganography
ANSWER: B

Which of the following is an indicator of potential network-based cyber threats?

A. Frequent ARP requests
B. High CPU temperature
C. Low disk space
D. File permission changes
ANSWER: A

Which forensic tool is used to analyze TCP/IP connections and find malicious
network activity?
A. Nmap
B. FTK Imager
C. Volatility
D. Autopsy
ANSWER: A

What is the primary challenge when performing forensic analysis on cloud-based

network traffic?
A. Lack of physical evidence
B. Low storage capacity
C. Unreliable timestamps
D. Slow data transfer speeds
ANSWER: A

Which OSI layer is crucial when analyzing VPN traffic in a forensic investigation?
A. Data Link
B. Network
C. Transport
D. Application
ANSWER: C
Which protocol is most commonly analyzed in forensic investigations of web traffic?
A. FTP
B. HTTP
C. SMTP
D. SNMP
ANSWER: B

Which forensic tool is used to capture and analyze network traffic?

A. Wireshark
B. Metasploit
C. Autopsy
D. Volatility
ANSWER: A

Which Internet service is commonly investigated in forensic analysis of social

media activity?
A. DNS
B. HTTP
C. VPN
D. FTP
ANSWER: B

What forensic information can be extracted from an email header?

A. IP address of the sender
B. Encrypted attachments
C. Contents of the email body
D. MAC address of the sender
ANSWER: A

Which command is used to determine the IP address of a domain in forensic analysis?

A. ping
B. nslookup
C. netstat
D. traceroute
ANSWER: B

Which log file is useful in tracing web activity in forensic investigations?

A. System log
B. HTTP access log
C. DNS cache log
D. Event viewer log
ANSWER: B

Which forensic technique is used to track an IP address to its approximate

location?
A. Traceroute
B. Whois lookup
C. Geolocation tracking
D. ARP poisoning
ANSWER: C

What digital forensic evidence can be obtained from a DNS query log?
A. Websites visited
B. MAC address of the user
C. Physical location of the device
D. Email sender details
ANSWER: A

Which of the following can be used to trace the ownership of an IP address?

A. Whois lookup
B. Ping
C. Netstat
D. ARP table
ANSWER: A

Which protocol is used to transfer files and is often analyzed in forensic

investigations?
A. FTP
B. SMTP
C. SNMP
D. DHCP
ANSWER: A

Which of the following is a challenge in forensic investigations of VPN traffic?

A. Lack of encryption
B. Obfuscation of real IP addresses
C. Easy decryption of traffic
D. Lack of authentication logs
ANSWER: B

Which forensic artifact is useful in tracing an attacker's identity in an HTTP

request?
A. User-Agent string
B. File size
C. MAC address
D. Packet sequence number
ANSWER: A

Which protocol is commonly used to send emails and is relevant in forensic email
investigations?
A. HTTP
B. FTP
C. SMTP
D. IMAP
ANSWER: C

Which tool can be used to check domain registration details in a forensic

investigation?
A. netstat
B. whois
C. ifconfig
D. ping
ANSWER: B

Which digital forensic evidence is typically extracted from browser history?

A. Visited websites
B. MAC addresses
C. Physical memory dumps
D. BIOS settings
ANSWER: A

What information can be obtained from a forensic analysis of an IP packet header?

A. Source and destination IP addresses
B. Email attachments
C. File metadata
D. Password hashes
ANSWER: A

Which of the following is a common method attackers use to hide their real IP
address?
A. VPN
B. Ping flood
C. ARP spoofing
D. DNS poisoning
ANSWER: A
What forensic challenge is associated with tracing Tor network activity?
A. Lack of encryption
B. Frequent IP address changes
C. Open network traffic
D. Lack of HTTP logs
ANSWER: B

Which log file is critical in forensic investigations of unauthorized remote

access?
A. Firewall logs
B. Printer logs
C. USB access logs
D. Bluetooth logs
ANSWER: A

Which forensic tool is used to map the route that packets take to a destination?
A. nslookup
B. traceroute
C. whois
D. netstat
ANSWER: B

Which type of log can help trace phishing attempts in an email investigation?
A. Web server logs
B. Email server logs
C. Printer logs
D. Bluetooth logs
ANSWER: B

What is the primary forensic concern when investigating cloud-based email services?
A. Local storage limitations
B. Lack of encryption
C. Data stored on third-party servers
D. Absence of browser history
ANSWER: C

Which forensic technique is useful for detecting hidden communications within

normal network traffic?
A. Steganography analysis
B. File carving
C. Hash analysis
D. Disk imaging
ANSWER: A

What can forensic investigators use to determine if a suspect has used an

anonymizing proxy?
A. Checking browser cache
B. Analyzing User-Agent strings
C. Investigating IP address inconsistencies
D. Reviewing printer logs
ANSWER: C

Which of the following is a potential source of forensic evidence for tracing an

email scam?
A. Email headers
B. USB device logs
C. CPU temperature logs
D. RAM dumps
ANSWER: A
Which digital forensic technique is used to reconstruct deleted web browsing
history?
A. Memory forensics
B. Cache analysis
C. Hash comparison
D. Live system analysis
ANSWER: B

Which protocol is typically examined in forensic investigations of instant

messaging applications?
A. FTP
B. SIP
C. XMPP
D. SNMP
ANSWER: C

Which forensic method helps identify the geographic location of an attacker?

A. IP geolocation
B. MAC address lookup
C. Packet fragmentation analysis
D. Hash value comparison
ANSWER: A

Which of the following is a challenge when investigating DNS-based cyber attacks?

A. Lack of DNS records
B. Encrypted DNS queries
C. Slow DNS resolution
D. Lack of WHOIS data
ANSWER: B
Which of the following is the primary goal of the collection phase in digital
forensics?
A. Analyzing digital evidence
B. Identifying and preserving digital evidence
C. Modifying system files
D. Deleting redundant data
ANSWER: B

What is the first step in local acquisition of digital evidence?

A. Creating a forensic image
B. Turning off the device
C. Running an antivirus scan
D. Formatting the storage media
ANSWER: A

Which forensic technique is used to create an exact replica of a storage device

without modifying the original data?
A. File carving
B. Disk imaging
C. Steganography
D. Data wiping
ANSWER: B

Which tool is commonly used for disk imaging in forensic investigations?

A. Wireshark
B. Autopsy
C. FTK Imager
D. Nessus
ANSWER: C
Which of the following best describes volatile data?
A. Data stored in cloud services
B. Data that remains after a system shutdown
C. Data lost when a system is powered off
D. Data saved on external hard drives
ANSWER: C

Which command is used to collect network connection details during network

acquisition?
A. ipconfig
B. netstat
C. whois
D. tracert
ANSWER: B

Which network forensic technique captures real-time network traffic?

A. Packet sniffing
B. Disk imaging
C. Steganography
D. Hashing
ANSWER: A

Which tool is commonly used for network packet capture in forensic analysis?
A. EnCase
B. Wireshark
C. FTK
D. Autopsy
ANSWER: B

What is the primary purpose of hashing in local acquisition?

A. To encrypt evidence
B. To compare data integrity
C. To delete duplicate files
D. To compress forensic images
ANSWER: B

Which of the following is an example of non-volatile data?

A. RAM contents
B. Running processes
C. Open network connections
D. Hard drive contents
ANSWER: D

Which forensic tool is used to collect live memory data?

A. Wireshark
B. Volatility
C. Nmap
D. Nessus
ANSWER: B

Which acquisition method captures all active network connections?

A. Static acquisition
B. Full disk imaging
C. Live network capture
D. Log file analysis
ANSWER: C

Which command is useful for identifying open ports during network acquisition?
A. ping
B. nslookup
C. netstat
D. tracert
ANSWER: C

Which network acquisition technique involves examining router logs for forensic
evidence?
A. Memory forensics
B. Live network capture
C. Log file analysis
D. File carving
ANSWER: C

Which method is used to ensure the integrity of collected forensic data?

A. Modifying file timestamps
B. Using hash values
C. Editing metadata
D. Encrypting data
ANSWER: B

Which type of data collection requires pulling logs from network devices like
firewalls and routers?
A. Local acquisition
B. Network acquisition
C. Memory acquisition
D. Mobile device acquisition
ANSWER: B

Which forensic artifact is commonly collected from volatile memory?

A. Deleted files
B. Running processes
C. System logs
D. Disk partitions
ANSWER: B

Which tool is commonly used to collect logs from remote systems?

A. Netcat
B. Wireshark
C. FTK Imager
D. Volatility
ANSWER: A

Which forensic process involves extracting deleted files from storage media?
A. Network sniffing
B. File carving
C. Packet analysis
D. Log correlation
ANSWER: B

Which command provides details about the current user’s network connections?
A. ifconfig
B. netstat
C. tracert
D. nslookup
ANSWER: B

Which type of evidence is crucial in forensic analysis of a hacking attempt over a

network?
A. Network traffic logs
B. CPU temperature logs
C. Printer logs
D. USB access logs
ANSWER: A

Which acquisition method is preferred when dealing with a powered-on system?

A. Static acquisition
B. Live acquisition
C. Cloud acquisition
D. Hybrid acquisition
ANSWER: B

Which forensic challenge is commonly associated with network acquisition?

A. Lack of log files
B. Data encryption
C. Physical damage to hard drives
D. Lack of disk space
ANSWER: B

Which type of forensic acquisition focuses on collecting data from cloud services?
A. Network acquisition
B. Local acquisition
C. Cloud acquisition
D. Static acquisition
ANSWER: C

Which of the following must be considered when conducting a forensic network

acquisition?
A. Bandwidth usage
B. System boot time
C. File permission changes
D. USB device logs
ANSWER: A

Which digital forensic tool is used to collect logs from a Windows machine?
A. Event Viewer
B. Wireshark
C. Nmap
D. Netcat
ANSWER: A

What is the main challenge when collecting evidence from a live network?
A. Data volatility
B. Hard drive corruption
C. Lack of encryption
D. Printer connectivity
ANSWER: A

Which method is most suitable for forensic acquisition of a router’s configuration?

A. Disk imaging
B. Log file extraction
C. Memory dumping
D. File carving
ANSWER: B

Which type of forensic acquisition is performed when copying an entire hard drive?
A. Live acquisition
B. Static acquisition
C. Cloud acquisition
D. Network acquisition
ANSWER: B
What is the primary objective of the examination phase in network forensics?
A. Identifying and preserving evidence
B. Analyzing collected data for anomalies
C. Destroying unnecessary data
D. Encrypting forensic images
ANSWER: B

Which tool is commonly used for network traffic analysis in forensic

investigations?
A. Wireshark
B. Autopsy
C. FTK Imager
D. Nessus
ANSWER: A

Which log file is most useful for examining unauthorized access attempts in network
forensics?
A. Firewall logs
B. Printer logs
C. USB access logs
D. BIOS logs
ANSWER: A

Which network forensic technique is used to reconstruct web browsing activity?

A. Packet analysis
B. Memory forensics
C. File carving
D. Log correlation
ANSWER: A

Which of the following can indicate a potential network intrusion?

A. Increased CPU temperature
B. Multiple failed login attempts
C. A decrease in available RAM
D. Frequent printer access
ANSWER: B

What type of evidence is most critical when analyzing a Distributed Denial of

Service (DDoS) attack?
A. Network traffic logs
B. USB device logs
C. Email metadata
D. File system timestamps
ANSWER: A

Which forensic tool is used for deep packet inspection in network analysis?
A. Snort
B. Metasploit
C. VeraCrypt
D. Recuva
ANSWER: A

Which network forensic artifact helps in identifying an attacker's geographical

location?
A. DNS cache
B. IP address logs
C. RAM dumps
D. File system metadata
ANSWER: B

Which of the following is an important aspect of log file analysis in network

forensics?
A. Identifying anomalies in event logs
B. Changing timestamps of network events
C. Deleting old log files
D. Encrypting all network packets
ANSWER: A

Which forensic method is used to detect hidden communication channels in a network?

A. Steganography analysis
B. File carving
C. Disk imaging
D. Hash comparison
ANSWER: A

What is the purpose of session reconstruction in network forensics?

A. To analyze user activities
B. To delete log files
C. To encrypt traffic logs
D. To create new network packets
ANSWER: A

Which of the following is an example of non-volatile network evidence?

A. RAM contents
B. Open network connections
C. Log files
D. Running processes
ANSWER: C

Which of the following is a key challenge in network forensic analysis?

A. Log file corruption
B. Lack of encrypted data
C. Easy identification of attackers
D. Limited forensic tools
ANSWER: A

Which network forensic technique helps in detecting unauthorized data transfers?

A. Packet sniffing
B. Hard disk cloning
C. USB forensics
D. File hashing
ANSWER: A

Which protocol is often examined in forensic investigations of email-based

cybercrimes?
A. SMTP
B. FTP
C. SNMP
D. ARP
ANSWER: A

Which tool is commonly used to detect network intrusions?

A. Snort
B. FTK Imager
C. Autopsy
D. Recuva
ANSWER: A

Which forensic artifact can help trace an attacker using a proxy?

A. IP logs
B. Printer queue logs
C. BIOS logs
D. System restore points
ANSWER: A

Which of the following is a key forensic challenge when examining encrypted network
traffic?
A. Lack of encryption keys
B. Unreliable hashing algorithms
C. Incomplete network logs
D. Excessive log storage
ANSWER: A

Which method is used to detect anomalies in network traffic?

A. Intrusion Detection System (IDS)
B. USB forensic analysis
C. Memory carving
D. Password cracking
ANSWER: A

Which type of analysis helps in reconstructing an attack timeline in network

forensics?
A. Event correlation
B. File hashing
C. Physical disk imaging
D. RAM analysis
ANSWER: A

Which tool is commonly used for examining firewall logs in forensic investigations?
A. Splunk
B. VeraCrypt
C. Nmap
D. GIMP
ANSWER: A

Which forensic approach is used to identify compromised devices on a network?

A. Network traffic analysis
B. USB forensics
C. Hard drive imaging
D. File carving
ANSWER: A

Which of the following is a common indicator of malware activity in a network?

A. Unusual outbound traffic
B. Increased system uptime
C. Low CPU usage
D. Frequent user logouts
ANSWER: A

What is the purpose of analyzing DNS logs in network forensics?

A. To identify malicious domain requests
B. To change the MAC address
C. To disable network encryption
D. To remove user credentials
ANSWER: A

Which network forensic technique is used to analyze past network activity?

A. Log file examination
B. Real-time packet capture
C. Network latency testing
D. Disk wiping
ANSWER: A

Which type of attack can be detected through network log correlation?

A. Man-in-the-Middle attack
B. USB injection attack
C. BIOS firmware attack
D. Physical tampering attack
ANSWER: A

Which forensic artifact can indicate an exfiltration attempt?

A. Large outbound data transfers
B. Frequent software updates
C. Decreased network bandwidth usage
D. Increased print queue logs
ANSWER: A

Which forensic method is used to examine a suspect’s browsing history on a network?

A. Proxy log analysis
B. File system examination
C. Physical memory dump
D. Hash verification
ANSWER: A

Which of the following helps in detecting lateral movement in a compromised

network?
A. Network session analysis
B. Disk imaging
C. Steganography detection
D. USB activity monitoring
ANSWER: A