
Eti MCQS

The document outlines key concepts in digital forensics, including the steps in the investigation process such as identification, preservation, and presentation of evidence. It emphasizes ethical norms, the importance of maintaining a chain of custody, and the fragility of digital evidence. Additionally, it discusses the significance of using forensic imaging tools and the implications of altered evidence in legal contexts.

Uploaded by

saeedarwatkar
Copyright
© © All Rights Reserved

1. What is the first step in the Digital Forensics Investigation Process?

a) Analysis
b) Collection
c) Identification
d) Documentation

Answer: c) Identification

2. Which of the following is an ethical norm in digital forensics?

a) Changing evidence
b) Keeping information private
c) Breaking laws
d) Sharing secrets

Answer: b) Keeping information private

3. What is the purpose of the Preservation step in digital forensics?

a) Protecting evidence from tampering or loss
b) Presenting findings in court
c) Analyzing the evidence
d) Destroying unnecessary data

Answer: a) Protecting evidence from tampering or loss

4. What does the "Presentation" step in digital forensics involve?

a) Deleting old evidence
b) Presenting findings in court or law enforcement
c) Hiding confidential data
d) Formatting storage devices

Answer: b) Presenting findings in court or law enforcement


5. In the Integrated Digital Investigation Process (IDIP), which step comes before the Physical Crime Investigation?

a) Review
b) Deployment
c) Readiness
d) Digital Crime Investigation

Answer: b) Deployment

6. What is the purpose of the Reconstruction step in the Abstract Digital Forensic Model (ADFM)?

a) Analyzing logs
b) Identifying missing links and recreating events
c) Deleting unnecessary data
d) Storing evidence securely

Answer: b) Identifying missing links and recreating events

7. Why is "Record Everything" considered an important ethical norm in digital forensics?

a) To keep information private
b) To ensure accountability and transparency
c) To delete irrelevant data quickly
d) To protect hackers

Answer: b) To ensure accountability and transparency

8. In the Extended Model of Cybercrime Investigation (EMCI), why is the "Hypothesis" stage important?

a) It verifies whether the collected evidence supports the investigation theory
b) It helps in erasing unnecessary files
c) It is used for encrypting sensitive data
d) It is only useful for court cases

Answer: a) It verifies whether the collected evidence supports the investigation theory

9. Which of the following is NOT an unethical norm in digital forensics?

a) Changing evidence
b) Not keeping records
c) Using data wrongly
d) Following the law

Answer: d) Following the law

10. A forensic investigator finds a suspicious deleted file on a suspect’s laptop. What should they do next?

a) Modify the file to see its contents
b) Preserve the file without altering metadata
c) Ignore the file and move to other evidence
d) Upload the file to a public forum for discussion

Answer: b) Preserve the file without altering metadata

11. What is digital evidence?

A) Any information stored on paper that can be used in a court case
B) Any information or data that is stored electronically and can prove something in a legal case
C) Only text messages and emails used in legal investigations
D) A type of physical evidence found at crime scenes

Answer: B) Any information or data that is stored electronically and can prove something in a legal case

12. Which of the following is NOT a form of digital evidence?

A) Text messages
B) Emails
C) Fingerprints
D) Internet search history

Answer: C) Fingerprints

13. What does the Best Evidence Rule state?

A) The most complete and original version of evidence must be presented in court whenever possible
B) Copies of evidence are always preferred over original documents
C) Evidence must be written down to be admissible in court
D) Digital evidence is not considered valid unless printed

Answer: A) The most complete and original version of evidence must be presented in court whenever possible

14. What is considered original evidence in digital forensics?

A) A printed screenshot of an email
B) The first or primary source of digital data, such as a hard drive or mobile phone
C) A photocopy of a document stored on a computer
D) A handwritten note about digital activity

Answer: B) The first or primary source of digital data, such as a hard drive or mobile phone

15. Why is digital evidence considered fragile?

A) It is too large to store
B) It can be easily altered, deleted, or overwritten
C) It is difficult to read without a computer
D) It is stored in physical form

Answer: B) It can be easily altered, deleted, or overwritten

16. What does Locard’s Exchange Principle state?

A) The best evidence should always be collected first
B) Every contact leaves a trace, even in digital interactions
C) Only physical evidence can be transferred between individuals
D) Digital evidence cannot be traced back to its source

Answer: B) Every contact leaves a trace, even in digital interactions

17. Which of the following is an example of digital evidence transfer?

A) A suspect leaving fingerprints on a door handle
B) A hacker’s IP address being recorded in system logs
C) A witness giving testimony in court
D) A suspect’s blood sample being collected at a crime scene

Answer: B) A hacker’s IP address being recorded in system logs


18. How do forensic experts ensure digital evidence remains unaltered?

A) By using forensic imaging tools to create exact copies of the data
B) By printing the evidence and storing it physically
C) By allowing unrestricted access to the data
D) By manually rewriting the data on a new hard drive

Answer: A) By using forensic imaging tools to create exact copies of the data

19. What does a "digital stream of bits" refer to?

A) A method of encrypting digital files
B) A continuous flow of binary data (0s and 1s) that forms digital content
C) A type of internet service for forensic investigators
D) A technique used to erase digital evidence

Answer: B) A continuous flow of binary data (0s and 1s) that forms digital content

20. How does digital evidence help in criminal investigations?

A) It replaces the need for physical evidence
B) It allows investigators to track activities, communications, and online behaviours
C) It only helps in financial fraud cases
D) It makes cases more complicated by adding unnecessary information

Answer: B) It allows investigators to track activities, communications, and online behaviours

21. Which of the following is an example of electronic evidence?

A) Printed contract
B) CCTV footage
C) DNA sample
D) Handwritten letter

Answer: B) CCTV footage

22. What is an example of explanatory evidence?

A) A contract signed by both parties
B) A doctor explaining an injury report in court
C) A fingerprint found at a crime scene
D) A CCTV recording of an accident

Answer: B) A doctor explaining an injury report in court


23. What is the primary purpose of maintaining a chain of custody?

A) To ensure evidence is stored securely
B) To prove evidence has not been tampered with
C) To make evidence look more credible in court
D) To allow multiple people access to the evidence

Answer: B) To prove evidence has not been tampered with

24. What happens if the chain of custody is broken?

A) Evidence may be ruled inadmissible in court
B) Evidence becomes more reliable
C) The case gets stronger
D) The evidence is considered more authentic

Answer: A) Evidence may be ruled inadmissible in court

25. What is MD5 commonly used for in digital forensics?

A) Encrypting emails
B) Generating a unique hash to verify data integrity
C) Compressing digital files
D) Changing file formats

Answer: B) Generating a unique hash to verify data integrity

26. Why is it important to work with a copy of digital evidence instead of the original?

A) To allow modification of evidence
B) To protect the original from accidental changes
C) To improve evidence quality
D) To save storage space

Answer: B) To protect the original from accidental changes


27. Preservation of digital evidence can involve which of the following?

A) Collecting computer hardware
B) Making a forensic image of storage media
C) Copying the files that are needed from storage media
D) All of the above

Answer: D) All of the above

28. A suspect's email was recovered from a deleted folder, but the metadata shows an access time after the warrant was issued. What could be a potential issue?

A) The email is not admissible in court due to the chain of custody breach
B) Digital evidence cannot be recovered once deleted
C) The email is fake and cannot be used in an investigation
D) Metadata does not affect the authenticity of digital evidence

Answer: A) The email is not admissible in court due to the chain of custody breach

29. From the two given statements, select the correct option:

1) Original media can be used to carry out digital investigation process.
2) By default, every part of the victim’s computer is considered unreliable.

A) 1) and 2) both are correct
B) 1) is true 2) is false
C) 1) and 2) both are false
D) 1) is false and 2) is true

Answer: D) 1) is false and 2) is true

30. If two copies of the same digital evidence have different hash values, what does this indicate?

A) One of the copies has been altered or corrupted
B) Hash values are unreliable and should not be used
C) The examiner used the wrong forensic tool
D) The evidence is still valid if the content looks the same

Answer: A) One of the copies has been altered or corrupted
