ACFE - Association of Certified Fraud Examiners Digital Forensics and Evidence Questions and Answers

Question 1

A Certified Fraud Examiner arrives to seize a computer that is currently powered on and is suspected of containing evidence of an ongoing data exfiltration scheme. To ensure that crucial, time-sensitive evidence is not lost, which of the following actions should be performed FIRST?

Accepted Answer

Perform a live acquisition to capture the contents of RAM.

Answer

Volatile data, such as the contents of Random Access Memory (RAM), is lost when a computer loses power. [1, 4] A live acquisition captures this data, which can include running processes, active network connections, encryption keys, and passwords—all of which are critical evidence in a data exfiltration case and would be lost if the machine were powered down first. [1, 3]

Question 2

In digital forensics, what is the primary purpose of creating a cryptographic hash (e.g., MD5 or SHA-256) of a digital evidence file immediately after acquisition?

Accepted Answer

To verify the integrity of the evidence and prove it has not been altered. [6, 8]

Answer

A cryptographic hash function generates a unique, fixed-size string of characters, often called a "digital fingerprint," from a digital file. [6] This is used to verify the integrity and authenticity of the evidence. [8, 19] If the original evidence and a forensic copy have the same hash value, it proves that the copy is an exact duplicate and that the original has not been tampered with since collection. [6, 17]

Question 3

Which of the following is the MOST critical component for maintaining the chain of custody for a piece of digital evidence to ensure its admissibility in court?

Accepted Answer

A detailed, chronological log documenting everyone who handled the evidence, when they handled it, and for what purpose. [2, 16]

Answer

The chain of custody is a formal, written record that documents the complete history of the evidence, from seizure to presentation in court. [2, 16] This chronological log, detailing every person who handled the evidence, the dates and times of transfer, and the purpose of the handling, is essential to demonstrate that the evidence has not been tampered with or compromised. [2, 10, 15]

Question 4

A fraud examiner needs to analyze an employee's hard drive for evidence, including files the employee may have recently deleted. Which data acquisition method is MOST appropriate for this task?

Accepted Answer

Creating a bit-stream image of the entire hard drive.

Answer

A bit-stream image (or forensic image) is an exact, bit-for-bit copy of an entire storage device, including deleted files, file fragments in slack space, and unallocated clusters. [5, 13, 23] This is the only method that preserves all potential evidence. A logical copy or standard backup only captures active, non-deleted files and would miss crucial artifacts necessary for the investigation. [5, 18]

Question 5

When examining a suspicious electronic document, a fraud examiner analyzes its metadata. Which of the following pieces of information is an example of what could be found in the file's metadata?

Accepted Answer

The dates the file was created and last modified. [31, 35]

Answer

Metadata is "data about data." For a file, it includes properties such as the file creation date, last modification date, last access date, and the author's name or user account. [31, 32, 35] This information can be critical in a fraud investigation to establish a timeline of events and determine who was responsible for the document's contents. [33, 34]

(ACFE) Association of Certified Fraud Examiners Practice Test

(ACFE) Association of Certified Fraud Examiners Practice Test

ACFE - Association of Certified Fraud Examiners Digital Forensics and Evidence Questions and Answers