CHAPTER 1 11.
These are people who were born before the
1. These are people who grew up into a world that was
already digital and spend a large amount of their lives
in cyberspace.
d. Digital natives
2. The action of modifying technology, like alternation
of computer hardware or software, to allow to be used
in innovative ways whether for legitimate or illegitimate
purposes.
a. Crackers
3. What law enacted the cybercrime prevention act of
2012?
d. RA 10175
4. International cooperation to prevent and suppress
the proliferation of cybercrime needs mutual
assistance. What treaty is entered into by members of
the Budapest Convention against
b. Mutual Legal Assistance Treaty
5. They are considered the lowest life form of
cybercriminals because their
b. Use scripts authored by others to exploit
6. Of the following, which country is NOT a member of
the G8 nations?
a. Australia
7. A government agency designated as the central
authority in all matte that related to MLAT.
b. DOJ
d. Ant-Cybercrime Group
8. These are people who specialized in the
examination of computer datat prove the guilt of
suspected cybercriminals are appropriately called
c. Digital Forensic Analysts
9. An attack attempts to prevent users for particular
service from effectivel using that service is called.
c. Denial of service
10. He is considered the creator of the 1st internet
worm in 1988.
a. Robert Morris Jr.
creation and widespread use of the internet and digital
technologies.
b. Digital immigrants
12. It refers to any criminal activities which has been
committed through the use of internet and/or computer.
a. Digital crime
13. It is the continuous process of searching for
evidence and leads in cyberspace.
c. Cybercrime investigation
14. The interactional environment created by linking
computers together into a communication network.
a. Cyberspace
15. He is considered the creator of the 1st ramson ware
called the "AIDS Trojan in 1989.
c. Joseph Popp
16. Computer data collected and examination by digital
forensic investigators are called
c. Digital evidence
17. It is the science of locating, extracting, and
analyzing different types of data from digital devices.
b. Computer forensics
18. The following are NOT the key elements computer
forensics, EXCEPT:
b. Ephemeral
19. He who discovered that the whistle included in the
box of Cap'n Crunch can be used to hack the telephone
system of AT&T in the 1970s.
c. John Draper
20. It refers to code that causes damage to computer
system.
a. Virus
 CHAPTER 2
1. The correct answer is d. Bit. A bit is the smallest
unit of data in a computer, and it can have only
one of two values: 0 or 1. A bit is also called a
binary digit1.
2. The correct answer is b. File system. A file
system is the way in which data is organized and
retrieved on a computer drive. It defines how files
are named, stored, and accessed, as well as the
structure and hierarchy of directories and
folders2.
3. The correct answer is a. Software blocker. A
software blocker is an application that runs on the
operating system and implements a software
control to turn off the write capability of the
operating system. It is used to prevent any
modification of the data on a storage device
during forensic analysis3.
4. The correct answer is a. Cloud computing. Cloud
computing is an off-site third-party service that
provides hosted applications or data storage for
an organization. It allows users to access
computing resources over the internet, without
having to buy or maintain their own physical
servers or data centers4.
5. The correct answers are a. FAT system and d.
NTFS system. FAT and NTFS are two primary file
systems supported by Windows-based
computers. FAT stands for File Allocation Table,
and it is one of the oldest and simplest file
systems, used by Microsoft operating systems
since MS-DOS2. NTFS stands for New
Technology File System, and it is a newer and
more advanced file system, introduced by
Windows NT and used by all modern versions of
Windows
6. The character encoding standard for electronic
communication is ACSII
7. RAM contains volatile data because: he data are
temporarily kept for faster processing and needs
power to function properly.
8. A part of the computer that acts as the interface
between the device Motherboard
9. The name"Juanito Dela Cruz" is equivalent to how
many bytes and bits 15 bytes or 120 bits
10. The piece of software that runs the specific
applications and provides an interface to the
hardware components. .Operating system
11. It is considered as the basic language of
computers. Binary
12. The part of the computer where all other
computer components are connected.
Motherboard
13. A part of the computer responsible for all the
commands executed by the computer. Processor
14. This is a storage device wherein there no moving
parts and all data is save in computer chips. SSD
15. This type of memory enables the CPU to
communicate with the hard disk and the
input/output devices that are attached to the
computer. BIOS
16. For computers to be able to communication with
one another via the internet using the Network
Interface controller
17. When powering a computer, the OS is loaded into
the_from the devices long-term memory Hard
drive
18. The speed of the processor is determined by rate
of the: Hertz
19. A memory that is an important part of the basic
input/output system. Flash memory
20. This refers to the set of instructions written in a
programming language Source code
 CHAPTER 3
1. The creator of the “I love your virus” was Onel De
Guzman1.
2. For MLAT function in extraditing a fugitive from
justice hiding in a country where the Philippines
have a treaty is declared wanted by the court2.
3. The intentional alteration, or reckless hindering or
interference with the functioning of a computer or
computer network by inputting, transmitting,
damaging, deleting, deteriorating, altering or
suppressing computer data or program is
called system interference.
4. The Budapest convention against cybercrime
proposes that one of the ways to fight
cybercrimes is to develop skilled digital forensic
investigators, harmonized cybercrime laws of
members States, and provide consultancy on
how to investigate cybercrime3.
5. The act of performing technical means without
right of any non-public transmission of computer
data to, from, or within a computer system
including electromagnetic emissions from a
computer system carrying such computer data is
called illegal interception1.
6. A type of cybercrime warrant issued when a
computer device or system is previously seized
by another lawful method, such as a warrantless
arrest is called Warrant for Seizure and
Examination of Computer Data (WSSECD)4.
7. The alteration or deletion of any computer data
without right, resulting in inauthentic data, with
the intent that it be considered or acted upon for
legal purposes as if it were authentic, regardless
whether or not the data is directly readable and
intelligible is called computer related forgery.
8. The cybercrime prevention act of 2012 was
marred with petitions filed with the Supreme court
to declare the said law unconstitutional on the
basis of its 21 questionable provision. However,
the Supreme Court ruled in favor of the law except
for 2 sections1.
9. The number of months the integrity of traffic data assistance in the accomplishment of the CICC’s
and subscriber information shall be kept, retained mandated tasks and functions3.
and preserved by a service provider from the date 20. The following are the powers and duties of law
of the transaction is 6 months2. enforcement authorities where a search and
10. The acquisition of a domain name over the seizure is properly issued by the competent
internet in bad faith to profit, mislead, destroy authority, EXCEPT: Confiscate all the computer
reputation, and deprive others from registering to be examined at the forensic computer
the same is called cybersquatting1. laboratory
11. The Philippines is the 56th member State of the
Budapest Convention against cybercrimes1.
12. Based on the DOJ advisory no.1, complaints
involving violations of RA 10175 may be filed
before the Prosecutor’s office for the conduct of
the requisite preliminary investigation pursuant to
Rule 112 of Revised Rules of Court2.
13. If a crime defined and punished in the RPC was
committed through the use of ICT, the penalty is 1
degree higher than provided in the RPC1.
14. Illegal access is considered the access to do
so. of the computer system without authority1.
15. The intentional acquisition, use, misuse, transfer,
possession, alteration or deletion of identifying
information belonging to another, whether natural
or juridical, without right is called computer
related identity theft
16. If the programmer of an ISP opened the account
of a subscriber to correct its services. While
providing the necessary services discovered sex
scandal and watched it, the programmer is liable
for violation of privacy1.
17. Using packet sniffing software and hardware to
monitor network traffic and intercept those
packets someone is interested in is considered
as illegal interception2.
18. A type of eavesdropping attack that occurs when
a malicious actor inserts himself as a relay/proxy
into a communication session between people or
systems is called man-in-the-middle2.
19. The following are NOT the powers and functions
of law enforcement authorities, EXCEPT: Call
upon any government agency to render
 CHAPTER 4
1. The field that emerged due to the high
prevalence of crimes committed through the
internet and ICT is b. Digital forensics.
2. To protect mobile devices from remote
interference or command, one option is to b.
Use a faraday bag.
3. The best way to put marking like date, initials of
digital forensic analysts on the hard drives is
using a b. Permanent marker.
4. A write-blocker is a device that allows read-only
access to all accessible data on a drive, as well
as preventing anything from being written to the
original drive, which would alter or modify the
original evidence. The correct answer is d.
Write blocker.
5. The process that refers to the interpretation and
reconstruction of the digital crime scene is b.
Analysis.
6. The combination of written statements, reports,
and oral evidence documenting the
identification, lawful seizure, examination, and
movement of evidence from the time of
identification through presentation in court as
evidence is called b. Chain of custody.
7. The sources that are rich in information of
evidentiary value that can assist practitioners in
reconstructing transgressions are d. Computer
and networks.
8. The programs that are also readily available for
private consumption, allowing users to
sabotage their own system upon unauthorized
access are a. Self-destructive programs.
9. The plan that should include the availability of
warrant to search, the depreservation request
to be given to internet service providers, seize
and examine computer data to ensure its
admissibility in court is b. Investigative plan.
10. A forensic model that is composed of three A’s
is d. acquisition, authenticate and analyze.
11. The stage of a computer forensics investigation
in which an investigator explains and
documents the origin of the evidence and its
significance is d. Reporting.
12. The option that is NOT a forensic application
used in imaging and analyzing computer data
is c. Graveyard snipper.
13. The process of making an exact copy (bit-by-
bit) of the original drive onto a new digital
storage device is b. Imaging.
14. The information that is NOT needed in
requesting a cybercrime warrant is b. Names
of the investigator.
15. The term that is simply the location where an
incident took place or evidence is found with
respect to digital evidence is a. Crime scene.
16. When processing a live computer and there are
suspicious activities can be seen on the screen
that somehow files are being deleted, the digital
forensic analysts should c. Disconnect the
computer from the internet and cut the
power or hard shut down.
17. The first “link” in the chain of custody in any
case is the c. Person collecting the digital
evidence.
18. The professionals who not only recover and
analyze evidence, but they also present and
interpret its meaning to investigators, lawyers,
and, ultimately, to the court are c. Forensic
analysts.
19. The term that refers to where elements of the
offense occurred and may include the computer
network, local area network, metropolitan area
network, wide area network, or cloud services
is d. Cyberspace
20. After recording the search scene and force
shutting down the computer, the next procedure
is to c. Bag and tag the digital evidence.
 CHAPTER 5
1. The collection of nearly every incident response
investigation to collect and preserve volatile
evidence on a powered on computer is c. Live
response. This is a type of computer forensics
that involves capturing and analyzing data from a
running system without shutting it down or
altering it1.
2. The option that is NOT one of the steps of incident
response is b. Image the monitor. This is not a
necessary or relevant step in the incident
response process. The steps of incident
response are usually: preparation, identification,
containment, eradication, recovery, and lessons
learned2.
3. Data remains in RAM as long as the computer
is d. Running. This is because RAM is a volatile
memory that requires power to store data. Once
the power is off, the data in RAM is lost3.
4. The term that describes a coordinated and
structured approach to go from incident detection
to resolution is d. Incident response. This is the
process of managing and responding to security
incidents, breaches, and cyber threats in an
effective and timely manner
5. A hashing algorithm is a one-way cryptographic
function that accepts a message of any length as
input and returns as output a fixed- length digest
value to be used for authenticating the original
message. The correct answer is none of the
above. All the options given are examples of
hashing algorithms, but not the definition of a
hashing algorithm. A hashing algorithm is a
generic term that refers to any function that can
produce a fixed-length output from a variable-
length input, such as SHA-2, MD5, SHA-1, or
MD61.
6. When dealing with a powered down computer, the
following are the considerations, EXCEPT
(choose two answers): The correct answers
are c. Interrogate the owner of the computer for
the password and e. Force shutdown the
computer. These are not recommended actions
when dealing with a powered down computer, as
they may compromise the integrity of the
evidence or violate the rights of the owner. The
other options are valid considerations, such as
ensuring the computer device is off, removing
persons from the search scene, and refusing offer
of help from unauthorized persons2.
7. A computer system fundamentally has two
sources of data that are of interest to a forensic
examiner (choose two answers). The correct
answers are b. Volatile data and d. Nonvolatile
data. Volatile data is the data that is stored in the
memory of the computer, such as RAM, cache, or
registers. It is temporary and can be lost when the
power is off. Nonvolatile data is the data that is
stored in the permanent storage of the computer,
such as hard disk, flash drive, or CD-ROM. It is
persistent and can be retained even when the
power is off. Both types of data can contain
valuable evidence for a forensic examiner3.
8. The contents of RAM may include artifacts of
what is or has occurred on the system. This can
include the following, EXCEPT: The correct
answer is c. Serial number of the computer. This
is not an artifact that is typically stored in the
RAM, as it is a fixed identifier of the hardware of
the computer. The other options are possible
artifacts that can be found in the RAM, such as
typed commands, passwords, or encryption
keys. These can reveal information about the
user’s actions, preferences, or credentials3.
9. The process of using a mathematical algorithm
against data to produce a numeric value that is
representative of that data is b. Hashing. This is
the correct definition of hashing, which is a
technique used to verify the integrity and
authenticity of data. Hashing can produce a
unique and fixed-length output, also known as a
hash or a digest, from any input data. Hashing is
commonly used in digital forensics to ensure that
the evidence is not tampered with or altered1.
10. To perform effective digital forensic analysis, the
forensic investigator must be familiar with all of
the above. The forensic investigator must have
knowledge and skills in various aspects of the
digital forensic process, such as the examination
process, the forensic applications, the cybercrime
warrants, and the standard operating procedures
of the office. These are all essential components
of conducting a thorough and reliable digital
forensic analysis4.
11. The step in the forensic examination where the
digital forensic analyst explains and documents
the origin of the evidence and its significance is d.
Presentation step. This is the final step of the
forensic examination, where the analyst prepares
a report and presents the findings and
conclusions to the relevant parties, such as the
investigators, the lawyers, or the court. The
presentation step requires the analyst to
communicate the evidence in a clear and
understandable manner, and to support the
evidence with proper documentation and
references4.
12. The first responders are responsible for the
acquisition step because this explores what
investigators should do when called to a scene to
investigate a cybercrime. The correct answer is b.
First responder. The first responder is the person
who arrives first at the scene of a cybercrime and
is responsible for securing and preserving the
evidence. The acquisition step is the process of
collecting and copying the digital evidence from
the scene, using proper tools and techniques. The
first responder must follow the acquisition step to
ensure that the evidence is not damaged, lost, or
contaminated2.
13. The live response tool you choose should be
capable of collecting the following common live
response data from a system, EXCEPT: The
correct answer is a. The computer serial number.
 This is not a common live response data that is 17. The tool that can make disk-to-image copies of
collected from a system, as it is not relevant to the evidence drives and enables you to acquire an
incident or the investigation. The other options evidence drive from a logical partition level or a
are examples of common live response data that physical drive level is d. FTK. FTK is one of the
can be collected from a system, such as the tools that can perform the task of data
operating system and version, the system time acquisition, which is the process of making an
and date, and the files and other open exact copy of the original evidence drive onto a
handles. These can provide useful information new digital storage device. FTK can acquire an
about the system’s configuration, state, and evidence drive from either a logical partition level,
activity1. which is a subdivision of a physical drive, or a
14. In incident response, after the RAM has been physical drive level, which is the entire drive4.
preserved, the next step is to c. Transport the 18. When a hard drive is hashed for verification
computer to the lab. This is the step where the purposes, the c. Hashing application looks at all
computer is carefully moved from the scene to of the data on the hard drive and creates a “digital
the forensic laboratory, where further analysis thumbprint” for it. A hashing application is a
can be performed. The computer must be software program that can perform the task of
transported in a safe and secure manner, hashing, which is the process of using a
following the chain of custody and the packaging mathematical algorithm against data to produce
guidelines. The other options are not the correct a numeric value that is representative of that
next steps, as they are either done before or after data. A hashing application can look at all of the
the transport step2. data on a hard drive and create a unique and
15. The incident responder can further minimize the fixed-length output, also known as a hash or a
risk to the computer data by using a sanitized d. digest, for it. This can be used to verify the
Storage device to introduce the incident integrity and authenticity of the data
response software. This is the step where the
incident responder uses a clean and trusted
storage device, such as a CD-ROM or a USB drive,
to load the incident response software onto the
system. The storage device must be sanitized,
meaning that it has been wiped and verified to
contain no malicious code or data. This can
prevent any contamination or infection of the
system or the evidence1.
16. FTK was developed by b. AccessData and is
intended to be a complete computer forensics
solution. FTK stands for Forensic Toolkit, and it is
a software application that can perform various
tasks related to digital forensics, such as data
acquisition, data analysis, data recovery, and data
reporting. FTK was developed by AccessData, a
company that specializes in digital forensics and
cybersecurity products and services4.
CHAPTER 6
1. The correct answer is b. FAT system. FAT stands
for File Allocation Table, and it is one of the oldest
and simplest file systems, used by Microsoft
operating systems since MS-DOS12.
2. The correct answer is a. PaaS. PaaS stands for
Platform as a Service, and it is a type of cloud
service that provides a platform in the cloud with
an operating system, development tools, and
middleware34.
3. The correct answer is d. Disks. Hard disks are
also called disks, and they are the most common
type of magnetic storage device for computers56.
4. The correct answers are a. Platter and c. Head. A
hard disk consists of one or more platters, which
are circular disks coated with magnetic material,
and one or more heads, which are devices that
read and write data to the platter surfaces
5. The correct answer is b. Cluster. A cluster is the
smallest unit of disk space allocation for a file
system. It consists of one or more contiguous
sectors. A file system cannot save data in units
smaller than a cluster12.
6. The correct answers are a. 2011 and e. 4096
bytes. Advanced Format is a hard disk sector
format standard that exceeds 512 bytes per
sector, frequently 4096 bytes (4 KB). It was
introduced by the IDEMA Long Data Sector
Committee in 2010, and the first hard drives using
it were shipped in 201134.
7. The correct answer is c. Live forensics. Live
forensics is the examination of a powered on/live
computer’s entire running system, including
memory, disk, network, and processes. It can
capture volatile data that would be lost if the
system was shut down, and is useful for dealing
with active network intrusions or malware56. The
correct answer is d. Bit. A bit is the smallest unit
of data in a computer, and it can have only one of
two values: 0 or 1. A bit is also called a binary
digit1.
8. The correct answer is b. File system. A file stands for SQL Server Analysis Services, a data
system is the way in which data is organized and analysis tool9. CaaS stands for Container as a
retrieved on a computer drive. It defines how files Service, a type of cloud service that provides
are named, stored, and accessed, as well as the container orchestration and management10. IAAC
structure and hierarchy of directories and stands for Infrastructure as Code, a method of
folders2. provisioning and managing IT infrastructure
9. The correct answer is a. Software blocker. A through code11. The three basic cloud computing
software blocker is an application that runs on the services are SaaS (Software as a Service), PaaS
operating system and implements a software (Platform as a Service), and IaaS (Infrastructure
control to turn off the write capability of the as a Service)12.
operating system. It is used to prevent any 14. The correct answer is b. Write-blocker. A write-
modification of the data on a storage device blocker is a tool that permits read-only access to
during forensic analysis3. data storage devices without compromising the
10. The correct answer is a. Cloud computing. Cloud integrity of the data. A write-blocker, when used
computing is an off-site third-party service that properly, can guarantee the protection of the data
provides hosted applications or data storage for chain of custody. It is a necessary component for
an organization. It allows users to access duplicating evidence from a computer hard drive
computing resources over the internet, without or other media storage device
having to buy or maintain their own physical
servers or data centers4.
11. The correct answers are a. FAT system and d.
NTFS system. FAT and NTFS are two primary file
systems supported by Windows-based
computers. FAT stands for File Allocation Table,
and it is one of the oldest and simplest file
systems, used by Microsoft operating systems
since MS-DOS2. NTFS stands for New
Technology File System, and it is a newer and
more advanced file system, introduced by
Windows NT and used by all modern versions of
Windows
12. The correct answer is d. Bridges. Bridges, also
known as hardware write blockers, are devices
that allow read-only access to all accessible data
on a drive, as well as preventing anything from
being written to the original drive, which would
alter or modify the original evidence. They are
used to preserve the integrity and authenticity of
digital evidence78.
13. The correct answers are a. SSAS, e. CaaS, and c.
IAAC. These are not cloud computing services,
but rather acronyms for other concepts. SSAS
 CHAPTER 7
1. This key tracks files that have been opened or saved
within a Windows shell dialog box a. MRU c. RecentDocs
b. OpenSavedPIDIMRU d. NTUSER.DAT
Answer: b. OpenSavedPIDIMRU
This key is also known as Open File Location History and
it stores the paths of files that have been recently opened
or saved by the user1. The other keys are related to
different aspects of the registry.
2. A is typically stored in a single file on disk. a. Cluster
c. Registry b. Hive d. Sub-keys
Answer: c. Registry
A registry hive is a single file that contains one or more
sub-keys and values1. A cluster is a group of sectors on a
disk that can be accessed as a unit1. A hive can be stored
in different locations on the disk depending on its size
and type1. A sub-key is a key within another root key1.
3. Contains user who is currently logged into windows
and their setting. a. HKEY_CLASSES_ROOT (HKCR) b.
HKEY CURRENT_USER (HKCU) c. HKEY
LOCAL_MACHINE (HKLM) d. HKEY
CURRENT_CONFIG (HKCC)
Answer: b. HKEY CURRENT_USER (HKCU)
This key contains information about the currently logged-
in user, such as their profile name, password,
environment variables, startup programs, and
preferences1. The other keys are related to different
aspects of the system.
4. is the process of loading information from the hard
drive into memory, before it is needed. a. Shellbags c.
NTUSER.DAT d. User Assist b. prefetching
Answer: d. User Assist b.prefetching
5. These are recorded in temporal order, an analyst
can frequently see indications of the user’s
thought process as he searched for particular 16. The MRU list the last files opened by the
files. user. Answer: b. 65
o Answer: c. Windows searches 1. The MRU (Most Recently Used) list is a list of the
6. The hive is the Security Accounts Manager and last 65 files that have been opened by the user in
contains login information about the users. Windows1.
o Answer: d. SAM 1.
7. The hive is the go-to hive for information related 17. Contains information about all the users who log
to applications. on to computer, including both generic and user-
o Answer: d. Software 1. specific information. Answer: c. HKEY USERS
8. It is a feature in windows wherein you can specify (HKU)
search terms that start with certain letters, or that This key contains information about all the users who log
are phonetically like words you enter. on to the computer, including both generic and user-
o Answer: b. WordWheelQuery 1. specific information2. The other keys are related to
9. A is a file that is not directly executed by the CPU different aspects of the registry.
and is created for a specific task.
o Answer: d. Non-executable file 1. 18. The are an artifact associated with folders
10. The hive includes information on the hardware accessed by a user through the Windows Explorer
and system configuration. interface Answer: d. Shellbags
o Answer: a. System 1. Shellbags are an artifact associated with folders
11. Describe file type, file extension and OLE accessed by a user through the Windows Explorer
information. interface3. They are used to store information about the
o Answer: a. HKEY CLASSES_ROOT folder’s view settings, such as the size and position of the
(HKCR) 1. window, the sorting order, and the columns displayed3.
12. It is a hierarchical database that stores The other options are not related to Windows Explorer.
information about users, installed application and
the windows system itself. 19. Starting Windows 8, records a maximum of the
o Answer: a. Windows registry 1. last applications. Answer: d. 4096
13. A are a relatively simple but valuable artifact for Starting from Windows 8, the operating system records a
the forensics investigator. They are shortcut files maximum of the last 4096 applications that have been
that link to an application or file commonly found launched by the user4. The other options are not related
on a user’s desktop. to this feature.
o Answer: d. Lnk files 1.
14. The allow a user to quickly “jump” to or access
20. This key tracks the last directory a file is opened
files they recently or frequently used, usually by
or saved in for each application. Therefore, when
right clicking the application in the Windows
you go to open a document, the MS Word dialog
taskbar.
box opens the directory in which you last opened
o Answer: c. Jump list 1.
or saved a word document. Answer: b.
15. The are lists of recently used programs or opened
OpenSavedPIDIMRU
files that the Windows operating system saves in
the Windows Registry.
o Answer: c. RecentDocs 1.