Which type of analysis is used to examine deleted files on a hard drive?
Correct!
Wrong!
File carving allows forensic experts to retrieve deleted files by analyzing unallocated space on storage devices.
What does a hash value indicate in forensic analysis?
Correct!
Wrong!
A hash value ensures that the integrity of the digital evidence remains intact by serving as a unique identifier for a file.
Which tool is commonly used to analyze Windows registry artifacts?
Correct!
Wrong!
Registry Viewer is widely used to examine Windows registry files for evidence of user activity and system configuration.
What type of evidence is volatile and must be collected immediately?
Correct!
Wrong!
RAM (volatile memory) contains valuable live data such as running processes and network connections, and must be collected before shutdown.
What does a timeline analysis help investigators determine?
Correct!
Wrong!
Timeline analysis reconstructs the sequence of events during an incident based on file system metadata and logs.
Which artifact is best for identifying external devices connected to a system?
Correct!
Wrong!
The Windows registry contains USBSTOR keys that provide a history of USB devices that have been connected to the system.