Graded Quiz: Digital Forensics: Incident Response and Digital Forensics (IBM Cybersecurity Analyst Professional Certificate) Answers 2025
1. Question 1 — What data is gathered in cloud forensics?
- ❌ Running processes and encryption keys
- ✅ Access logs, virtual machine snapshots, and storage contents
- ❌ Deleted files from free/slack space
- ❌ GPS locations

Explanation: Cloud forensics relies heavily on provider logs, snapshots, and cloud storage artifacts.
2. Question 2 — Why is memory forensics crucial?
- ✅ It helps detect malware that only runs in RAM.
- ❌ Reveals exact attack origin
- ❌ Recovers deleted files
- ❌ Provides metadata

Explanation: Advanced malware (fileless malware) exists only in volatile memory, making RAM analysis essential.
3. Question 3 — What is recoverable from free space?
- ❌ Corrupted system files
- ✅ Fragments of deleted files not overwritten
- ❌ Entire deleted files
- ❌ Permanently deleted files

Explanation: Deleted files remain recoverable until overwritten; only fragments typically remain in free space.
4. Question 4 — Imaging vs logical backup?
- ❌ Logical backups are bit-for-bit
- ❌ Logical backups are for legal reasons
- ❌ Imaging is faster
- ✅ Imaging captures free + slack space; logical backups do not

Explanation: Disk imaging collects all sectors, including deleted data; logical backups only capture active files.
5. Question 5 — Primary goal of DFIR
- ❌ Delay evidence collection
- ✅ Stop threats while preserving evidence
- ❌ Respond only after evidence collected
- ❌ Prevent incidents before they happen

Explanation: DFIR balances incident containment with evidence integrity.
6. Question 6 — Purpose of chain of custody
- ❌ Ensure only computer data analyzed
- ❌ Avoid physical evidence contamination
- ❌ Speed up investigation
- ✅ Maintain integrity and trustworthiness of digital evidence

Explanation: Chain of custody ensures evidence is verifiable and admissible.
7. Question 7 — Technique using live systems
- ✅ Live analysis
- ❌ Data carving
- ❌ Disk imaging
- ❌ Reverse steganography

Explanation: Live analysis captures volatile data such as RAM, running processes, and active network sessions.
8. Question 8 — MAC Data meaning
- ✅ Modification, Access, Creation times — helps create a timeline
- ❌ Media Access Control
- ❌ Multiple Access Connections
- ❌ Mainframe/Access/Configuration

Explanation: MAC timestamps build chronological evidence of user activity.
9. Question 9 — Why gather cloud data after a breach?
- ❌ Cloud data irrelevant
- ❌ Cloud needs no security
- ❌ Only local devices matter
- ✅ Helps identify unauthorized access and track data movement

Explanation: Cloud logs reveal who accessed what, when, and how.
10. Question 10 — Why communication is crucial during reporting
- ❌ Analysts work alone
- ✅ They must explain technical findings to non-technical stakeholders
- ❌ They write scientific papers
- ❌ They need to sell findings

Explanation: Reports must be clear, actionable, and understandable by leadership, legal teams, etc.
🧾 Summary Table
| Q | Correct Answer | Key Concept |
|---|---|---|
| 1 | Logs, snapshots, storage | Cloud forensics data |
| 2 | Detect RAM-only malware | Memory forensics |
| 3 | Deleted fragments | Free-space recovery |
| 4 | Imaging captures slack/free | Imaging vs logical |
| 5 | Stop threats + preserve evidence | DFIR |
| 6 | Evidence integrity | Chain of custody |
| 7 | Live analysis | Running-system forensics |
| 8 | Modification/Access/Creation | MAC timestamps |
| 9 | Track unauthorized access | Cloud evidence |
| 10 | Explain to non-technical | Reporting clarity |