
Question

1.  You are a member of a digital forensics team. You arrive at a crime scene and collect data from a compromised computer system. Which of the following is the correct order in which you should collect the data?
    A.     RAM, CPU cache, remote logging data, paging/swap files
    B.     CPU cache, paging/swap files, RAM, remote logging data
    C.     RAM, paging/swap files, CPU cache, remote logging data
    D.     CPU cache, RAM, paging/swap files, remote logging data

2.  What is collecting and analyzing information for long-term goals?
    A.     Non-repudiation
    B.     E-discovery
    C.     Strategic intelligence
    D.     Counterintelligence

3.  This is a type of hash function that is typically used in network communications. It is quick to calculate and is often transmitted with the data.
    A.     Artifact
    B.     Checksum
    C.     Snapshot
    D.     Non-repudiation

4.  What is the difference between the time on a device and the actual time?
    A.     Timestamp
    B.     Time offset
    C.     Tag
    D.     Timeline

5.  You are a member of a digital forensics team. You must prove that the contents of the disk drive are exactly the same as the image of the disk drive. How do you go about doing this?
    A.     Reconstruct the disk drive and the image from the captured network traffic
    B.     Take a hash of the disk drive and a hash of the image
    C.     Encrypt the disk drive and encrypt the image
    D.     Take a hash of the CPU cache and a hash of the RAM

6.  What is a court order to maintain different types of data as evidence? It is a legal technique to preserve information relevant to a legal case that is initiated by legal counsel.
    A.     Chain of custody
    B.     Order of volatility
    C.     Legal hold
    D.     Digital forensics

7.  Which of the following must be done for evidence to be admissible in court?
    A.     E-discovery
    B.     Order of volatility
    C.     Legal hold
    D.     Chain of custody

8.  What includes the tactics, techniques, and procedures (TTP) used in the attack? It documents the findings of digital forensic experts about the event. It often includes lists of forensic tools, evidence, analysis, findings, and recommendations.
    A.     Right-to-audit clauses
    B.     Reports
    C.     Provenance
    D.     Witness interviews

9.  What is a list of events in chronological order?
    A.     Tag
    B.     Time offset
    C.     Timeline
    D.     Timestamp

10.  Digital data is subject to the regulations and jurisdiction of the country where the evidence is located. What do we call this?
    A.     Data breach notification laws
    B.     Non-repudiation
    C.     Right-to-audit clauses
    D.     Data sovereignty

Step by Step Solution

There are 3 Steps involved in it

Step: 1

1. Correct Order for Data Collection: The correct order in which you should collect the data is Option A: RAM, CPU cache, remote logging data, paging/swap files. The rationale behind this order is based on th...
