Technician Exam Practice Questions And
Correct Answers (Verified Answers) Plus
Rationale 2026 Q&A| Instant Download
1. A cybercrime investigation technician receives a report of
unauthorized access to a corporate network involving data exfiltration
over several weeks. Which initial action is most critical to preserve the
integrity of digital evidence before analysis begins?
A. Immediately shut down all affected systems
B. Notify all employees about the breach
C. Isolate affected systems and create forensic images using write-
blocking tools
D. Delete suspicious files to prevent further compromise
Rationale: Proper forensic procedure requires isolating systems and
, creating exact forensic images using write-blockers to preserve
original evidence integrity and prevent contamination or alteration.
2. During forensic imaging, which hashing algorithm is commonly used to
verify the integrity of acquired digital evidence?
A. FTP
B. SMTP
C. SHA-256
D. HTTP
Rationale: SHA-256 is a cryptographic hash function widely used in
digital forensics to ensure that evidence remains unchanged by
comparing hash values before and after acquisition.
3. A suspect claims that malware caused unauthorized actions on their
system. Which forensic analysis technique would best help validate
this claim?
A. Network topology mapping
B. Disk defragmentation
C. Malware reverse engineering and behavioral analysis
D. Password cracking
Rationale: Reverse engineering and behavioral analysis of malware
can determine its capabilities and whether it could have performed
the alleged unauthorized actions.
4. What is the primary purpose of maintaining a chain of custody in
cybercrime investigations?
, A. To improve network speed
B. To identify suspects quickly
C. To document evidence handling and ensure admissibility in court
D. To encrypt digital files
Rationale: Chain of custody records every interaction with evidence,
ensuring authenticity and admissibility in legal proceedings.
5. Which type of cyberattack involves intercepting communication
between two parties without their knowledge?
A. Phishing
B. Ransomware
C. Man-in-the-middle attack
D. SQL injection
Rationale: A man-in-the-middle attack involves secretly intercepting
and possibly altering communications between two parties.
6. In digital forensics, what is “volatile data”?
A. Data stored on external drives
B. Data encrypted with strong algorithms
C. Data that is lost when a system is powered off
D. Data stored in backups
Rationale: Volatile data resides in memory (RAM) and is lost when
power is removed, making timely collection critical.
7. Which tool is commonly used for capturing network traffic during an
investigation?
, A. Photoshop
B. Microsoft Word
C. Wireshark
D. Excel
Rationale: Wireshark is a widely used network protocol analyzer that
captures and analyzes network traffic.
8. What is the primary function of a write blocker in digital forensics?
A. Encrypt data
B. Speed up data transfer
C. Prevent modification of original storage media
D. Delete unnecessary files
Rationale: Write blockers ensure that no data is written to the
evidence drive during acquisition, preserving integrity.
9. Which cybercrime involves tricking individuals into revealing
confidential information through deceptive emails?
A. Spoofing
B. DDoS
C. Phishing
D. Rootkit attack
Rationale: Phishing uses fraudulent communications to trick victims
into revealing sensitive information.
10. What is the best method to recover deleted files during forensic
analysis?