2026/2027 – Complete NIST SP 800-86 Aligned Q&A with
Detailed Rationales | 100% Verified | Pass Guaranteed – A+
Graded
Section A: Digital Forensics Fundamentals & Legal Considerations (8
Questions)
Q1: A forensic investigator responds to a suspected insider threat at a corporate office.
The suspect's computer is powered on and running. According to NIST SP 800-86 and
forensic best practices, which evidence should be collected FIRST?
A. Create a forensic image of the hard drive using a write blocker
B. Capture volatile data from RAM, running processes, and network connections
[CORRECT]
C. Power off the computer and transport it to the lab
D. Search the suspect's desk drawers for physical documents
Correct Answer: B
Rationale: NIST SP 800-86 and forensic best practices prioritize volatile data collection
(RAM, running processes, network connections, system time) before any action that
could alter or destroy it. Volatile data is lost when power is removed. Non-volatile
imaging (A) comes after volatile collection. Powering off (C) destroys volatile evidence.
Physical documents (D) are secondary to digital evidence preservation.
,Q2: During a criminal investigation, a forensic examiner discovers evidence of child
exploitation on a suspect's computer while executing a search warrant for financial
fraud. Under which legal doctrine may this evidence be admissible?
A. Fruit of the poisonous tree
B. Plain view doctrine [CORRECT]
C. Exclusionary rule
D. Double jeopardy
Correct Answer: B
Rationale: The plain view doctrine allows evidence to be seized without a warrant if it is
immediately apparent as contraband or evidence of a crime while lawfully present in a
location. Fruit of the poisonous tree (A) excludes illegally obtained evidence. The
exclusionary rule (C) suppresses unlawfully obtained evidence. Double jeopardy (D)
prevents retrial for the same offense.
Q3: A digital forensic examiner is testifying as an expert witness in federal court. Under
which standard will the judge evaluate the admissibility of the forensic methodology
used?
A. Frye standard (general acceptance test)
B. Daubert standard (relevance, reliability, testing, peer review, error rates, standards)
[CORRECT]
C. Miranda standard
D. Brady standard
,Correct Answer: B
Rationale: Federal courts apply the Daubert standard (Daubert v. Merrell Dow
Pharmaceuticals, 1993), which evaluates scientific methodology based on relevance,
reliability, testability, peer review, known error rates, and general acceptance. Frye (A)
applies in some state courts. Miranda (C) addresses custodial interrogation rights.
Brady (D) requires disclosure of exculpatory evidence.
Q4: Which principle states that when two objects come into contact, there is always a
transfer of material between them, and this applies to digital evidence when a user
interacts with a computer system?
A. Kerckhoffs's principle
B. Locard's Exchange Principle [CORRECT]
C. Moore's Law
D. Occam's Razor
Correct Answer: B
Rationale: Locard's Exchange Principle, originally from physical forensics, applies to
digital forensics: every interaction between a user and a digital system leaves traces
(registry entries, log files, file timestamps, network artifacts). Kerckhoffs's principle (A)
concerns cryptosystem design. Moore's Law (C) describes transistor density. Occam's
Razor (D) is a problem-solving heuristic.
Q5: A forensic investigator is preparing evidence for trial. Which requirement of the
Federal Rules of Evidence (FRE) ensures that digital evidence is what it purports to be?
, A. Hearsay rule
B. Authentication (FRE 901) [CORRECT]
C. Best evidence rule
D. Privilege doctrine
Correct Answer: B
Rationale: FRE 901 requires evidence to be authenticated—demonstrated to be what it
purports to be (e.g., hash values proving file integrity, testimony about collection
procedures). Hearsay (A) addresses out-of-court statements. Best evidence rule (C)
requires original documents. Privilege (D) protects confidential communications.
Q6: During an incident response, a forensic examiner must preserve evidence integrity.
Which cryptographic hash algorithm is currently RECOMMENDED for forensic imaging
verification?
A. MD5
B. SHA-1
C. SHA-256 [CORRECT]
D. CRC-32
Correct Answer: C
Rationale: SHA-256 is currently recommended for forensic imaging integrity verification
due to its resistance to collision attacks. MD5 (A) and SHA-1 (B) are cryptographically
broken and susceptible to collisions, though still used in some legacy systems. CRC-32