Answer: B. The presence of random wear characteristics

Explanation: Individual identification relies on unique, random wear patterns, cuts, or damage that develop over time – not the manufactured design. While size and depth are important for class characteristics, only random imperfections can potentially link a print to a specific shoe.

Answer: B. Dental stone

Explanation: Dental stone (modified gypsum) has largely replaced traditional plaster because it produces sharper detail, sets faster, and creates stronger casts. Its fine particles capture tread wear indicators and subtle tread block features better than other materials.

Answer: A. The tread pitch sequence

Explanation: Manufacturers use unique tread pitch sequences (the arrangement of different tread block shapes) as identifiers. These patterns are deliberately varied to reduce noise and are documented in tire reference databases, making them more reliable for manufacturer identification than wear features.

Answer: A. Electrostatic lifting

Explanation: Electrostatic lifting is ideal for dry, dusty impressions on non-porous surfaces. It uses an electric charge to transfer the dust pattern to a lifting film without disturbing the delicate particles. Gel lifters would compress the dust, while chemical developers work best on porous surfaces.

Answer: A. The wheelbase of the vehicle

Explanation: Stagger refers to the difference in distances between left and right tire marks in a full rotation. Measuring multiple rotation cycles allows calculation of the wheelbase (distance between front and rear axles), which can help identify vehicle class or eliminate certain models.

Answer: C. Pressure distribution within the print

Explanation: The varying depth and material displacement within a print reveals weight distribution during foot strike. Forensic gait analysis examines these pressure patterns to determine if the person was running, limping, or carrying heavy objects – more indicative than static wear patterns.

Answer: D. All of the above

Explanation: Tire evidence has multiple limitations: tires get replaced (removing unique wear), track dimensions change with passenger/load weight, and unlike footwear, comprehensive tire databases with wear patterns don’t exist. This makes absolute identification extremely difficult.

Answer: D. All of the above

Explanation: Proper footwear documentation requires: 1) oblique lighting to enhance detail, 2) scales placed precisely at the impression’s depth to prevent parallax error, and 3) 90-degree overhead shots to avoid distortion. All three techniques are essential for creating forensically valid photographs.

Answer: D. All of the above

Explanation: Snow impressions require unique handling: 1) wax or sulfur-based chemicals must harden the snow first, 2) casting materials generate heat that can melt/expand the impression, and 3) low-angle lighting is needed for photography due to snow’s reflectivity.

Answer: D. SICAR (Shoeprint Image Capture and Retrieval)

Explanation: SICAR is the most widely used commercial system, containing thousands of sole patterns from manufacturers worldwide. It uses pattern coding algorithms to match crime scene impressions to known designs, helping identify shoe brands and models.

Answer: C. Process Monitor

Explanation: Process Monitor is a Windows-based tool that captures real-time file system, registry, and process/thread activity, making it ideal for observing malware behavior during dynamic analysis.

Answer: C. To isolate and monitor malware behavior safely

Explanation: A sandbox provides a controlled and isolated environment where malware can be executed without risk to the host system, allowing analysts to observe its behavior and impact.

Answer: B. Signature-based detection

Explanation: Signature-based detection identifies malware by matching its code to a database of known malware signatures. It’s fast and efficient but ineffective against zero-day threats or obfuscated code.

Answer: C. To hide the malware’s true functionality

Explanation: Obfuscation is a technique used by attackers to make malware code more difficult to read or analyze, thereby evading detection and delaying reverse engineering efforts.

Answer: B. Trojan horse

Explanation: A Trojan horse appears to be a legitimate application but carries malicious payloads that compromise the system once executed by the user.

Answer: B. Unusual section names in PE header

Explanation: Packed executables often have abnormal or custom section names in the PE (Portable Executable) header, such as .UPX or .packed, which are strong indicators of packing or compression.

Answer: C. Convert binary code into assembly code

Explanation: Disassemblers translate compiled binary code into human-readable assembly instructions, helping analysts understand the underlying logic and behavior of the malware.

Answer: B. Registry key entries in Run or RunOnce paths

Explanation: Malware often modifies registry keys such as Run or RunOnce to automatically execute itself upon system startup, maintaining persistence across reboots.

Answer: B. Cannot analyze the network behavior of malware

Explanation: Static analysis examines malware code without execution, so it cannot reveal runtime behaviors such as communication with command-and-control servers or dynamic file creation.

Answer: B. VirtualAllocEx()

Explanation: VirtualAllocEx() is used to allocate memory in another process’s address space, a critical step in process injection techniques like DLL injection or code injection used by malware.