Evidence Category · 13 Questions

Disk and File System

Measures forensic recovery of deleted and hidden data from a disk image.

Questions in This Category

Q001Flag carved from the deleted CONTRACT.DOC?

Q002Owner of the deleted document?

Q003Hidden flag in the last cluster of INVOICE.TXT?

Q004Which anti forensics technique hid the payload in INVOICE.TXT?

Q005Staging flag carved from unallocated space?

Q006Recoverable content of the SHADOW.DB file?

Q088Workstation name?

Q089Invoice number in INVOICE.TXT?

Q090Invoice amount in INVOICE.TXT?

Q091Surname of the RESUME.DOC owner?

Q092Which technique overwrote the wiped region?

Q160First word of README.TXT?

Q161Job title of the RESUME.DOC owner?