WGU C840 Digital Forensics in Cybersecurity Exam Review (2023/2024 Update) Guide with Questions and Verified Answers | 100% Correct
Q: Sniffers are used to collect digital evidence. Which software package allows the user to map
out what ports are open on a target system and what services are running?
Answer:
Nmap
Q: In which denial of service (DoS) attack does the attacker send fragments of packets with bad
values in them, causing the target system to crash when it tries to reassemble the fragments?
Answer:
Teardrop Attack
Q: Which denial of service (DoS) attack sends a tremendous number of ICMP packets to the
target, hoping to overwhelm it?
Answer:
Ping Flood
Q: Which port does POP3 Secure use for encrypted POP3?
Answer:
Port 995
Q: Which wireless standard obtains a bandwidth of 100 to 140 Mbps, operates at frequencies of
2.4 or 5.0 GHz, and has an indoor range of up to 230 feet?
Answer:
802.11n
Q: How long can a system or systems be down before it is impossible for the organization to
recover?
Answer:
Maximum tolerable downtime (MTD)
Q: The basis of Moore’s Law found that the number of components in integrated circuits
doubled every __ and each doubling of capacity was done at half the cost.
Answer:
18 to 24 months
Q: __ takes snapshots of websites and saves them for posterity.
Answer:
The Wayback Machine
Q: Which certification is open only to law enforcement personnel and government employees
working as system forensics examiners?
Answer:
Certified Forensic Computer Examiner (CFCE)
Q: The manager clicked on a link in an email message that asked him to verify the logon
credentials for the firm’s online bank account.
Which digital evidence should a forensic investigator collect to investigate this incident?
Answer:
Browser cache
Q: Thomas received an email stating that he needed to follow a link and verify his bank account
information to ensure it was secure. Shortly after following the instructions, Thomas noticed
money was missing from his account.
Which digital evidence should be considered to determine how Thomas’ account information
was compromised?
Answer:
Email Messages
Q: A forensic scientist arrives at a crime scene to begin collecting evidence.
What is the first thing the forensic scientist should do?
Answer:
Photograph all evidence in its original place
Q: What are the three basic tasks that a systems forensic specialist must keep in mind when
handling evidence during a cybercrime investigation?
Answer:
1-Find Evidence
2-Preserve Evidence
3-Prepare Evidence
Q: Which characteristic applies to magnetic drives compared to solid-state drives (SSDs)?
Answer:
Lower Cost
Q: Which characteristic applies to solid-state drives (SSDs) compared to magnetic drives?
Answer:
They are less susceptible to damage
Q: Which type of storage format should be transported in a special bag to reduce electrostatic
interference?
Answer:
Magnetic Media
Q: Which Windows component is responsible for reading the boot.ini file and displaying the
boot loader menu on Windows XP during the boot process?
Answer:
NTLDR
Q: The following line of code is an example of how to make a forensic copy of a suspect drive:
dd if=/dev/mem of=/evidence/image.memory1
Which operating system should be used to run this command?
Answer:
LINUX
WGU C840 Digital Forensics in Cybersecurity Exam (2023/2024 Update) Questions and Verified Answers | 100% Correct
Q: Which log or folder contains information about printed documents on a computer running
Mac OS X?
A. /var/log/lpr.log
B. /var/spool/cups
C. /var/vm
D. /var/log
Answer:
B.
Q: Which Windows event log should be checked for evidence of invalid logon attempts?
A. Application
B. Security
C. ForwardedEvents
D. System
Answer:
B.
Q: A cyber security organization has issued a warning about a cybercriminal who is using a
known vulnerability to attack unpatched corporate Macintosh systems. A network administrator
decides to examine the software updates logs on a Macintosh system to ensure the system has
been patched.
Which folder contains the software updates logs?
A. /var/spool/cups
B. /var/log
C. /proc
D. /Library/Receipts
Answer:
C.
Q: A forensic investigator wants to image an older BlackBerry smartphone running OS 7.0.
Which tool should the investigator use?
A. CopyQM Plus
B. BlackBerry Extractor
C. The Sleuth Kit
D. BlackBerry Desktop Manager
Answer:
C.
Q: An investigator wants to extract information from a mobile device by connecting it to a
computer.
What should the investigator take great care to ensure?
A. That proper step information is written to the mobile device
B. That the mobile device is updated with the latest operating system
C. That current time stamps of forensics activities are written to the device
D. That the mobile device does not synchronize with the computer
Answer:
C.
Q: Which state is a device in if it is powered on, performing tasks, and able to be manipulated
by the user?
A. Guest-mode
B. Nascent
C. Quiescent
D. Active
Answer:
C.
Q: Rules of evidence can be defined as _.
A. term that refers to how long evidence will last
B. formal document prepared by a forensics specialist to document an investigation, including a
list of all tests conducted as well as the specialist’s own curriculum vitae (CV)
C. rules that govern whether, when, how, and why proof of a legal case can be placed before a
judge or jury
D. information that has been processed and assembled so that it is relevant to an investigation
and supports a specific finding or determination
Answer:
C.
Q: The Windows Registry is organized into five sections. The _ section contains
those settings common to the entire machine, regardless of the individual user.
A. HKEY_CURRENT_USER (HKCU)
B. HKEY_CLASSES_ROOT (HKCR)
C. HKEY_LOCAL_MACHINE (HKLM)
D. HKEY_USERS (HKU)
Answer:
C.
Q: There are specific laws in the United States that are applicable to e-mail investigations.
__ is a U.S. law that prescribes procedures for the physical and electronic surveillance
and collection of “foreign intelligence information” between foreign powers and agents of
foreign powers, which may include American citizens and permanent residents suspected of
espionage or terrorism.
A. The Electronic Communications Privacy Act (ECPA)
B. The USA Patriot Act
C. Foreign Intelligence Surveillance Act (FISA)
D. 18 U.S.C. 2252B
Answer:
C.
Q: Identification, preservation, collection, examination, analysis, and presentation are six
classes in the matrix of _.
A. the Rules of Evidence
B. the DFRWS framework
C. the Forensic Toolkit
D. the Certified-Forensic-Analyst
Answer:
B.
Q: One of the first steps in any forensic examination should be to check the logs. If you need to
know what documents have been printed from the Macintosh, the _ folder can give
you that information.
A. /Library/Receipts
B. /Users//.bash_history log
C. var/vm
D. /var/spool/cups
Answer:
C.
Q: What name is given to the result of acquiring a file as it is being updated?
A. slurred image
B. master boot record (MBR)
C. hive
D. dump
Answer:
A.
Q: At which phase of the incident response does computer forensics begin?
A. follow-up
WGU C840 Digital Forensics in Cybersecurity Final Exam (2023/2024 Update) Questions and Verified Answers | 100% Correct
Q: If a camera is available and the computer is on
Answer:
Take pics of the screen; if it's off, take pics of the PC, the location, and any electronic media
attached
Q: The SAM file is found
Answer:
Windows/System32 directory
Q: What contains every conceivable combination of keyboard characters under the rainbow and
their associated hashed versions?
Answer:
Rainbow table
Q: What prohibits the use of telecommunications to annoy, abuse, threaten or harass anyone?
Answer:
Title 47 of U.S. Code 223
Q: The first step in any investigation is to
Answer:
Make a copy of the suspected storage device. (Bit-level copy)
Q: EnCase, Forensic Toolkit, and OSForensics can be used to
Answer:
Make bit-level copies of hard drives (ideally two copies)
Q: What three main technical data collection considerations must be kept in mind?
Answer:
Understanding the life span of information, collecting information quickly, and collecting bit-level information
Q: Life span in forensics refers to
Answer:
How long information is valid
Q: What enables an investigator to reconstruct file fragments if files have been deleted or
overwritten?
Answer:
Bit-level tools
Q: What sets standards for digital evidence processing, analysis, and diagnostics?
Answer:
The DoD Cyber Crime Center (DC3)
Q: The three basic tasks of handling evidence are
Answer:
Find, preserve and prepare evidence
Q: A server used for storage should have a minimum of
Answer:
RAID 1 (Disk mirroring) but RAID 5 is recommended
Q: What customized Linux Live CD is used for computer forensics?
Answer:
Helix
Q: BackTrack is now known as
Answer:
Kali Linux
Q: What is AnaDisk?
Answer:
A tool that turns a PC into a sophisticated disk analysis tool
WGU C840 Pre-Assessment: Digital Forensics in Cybersecurity (2023/2024) Actual Questions and Verified Answers | Grade A
Q: What are the three basic tasks that a systems forensic specialist must keep in mind when
handling evidence during a cybercrime investigation?
Answer:
Find evidence, Preserve evidence, and Prepare evidence
Q: How do forensic specialists show that digital evidence was handled in a protected, secure
manner during the process of collecting and analyzing the evidence?
Answer:
Chain of custody
Q: Which characteristic applies to magnetic drives compared to solid-state drives (SSDs)?
Answer:
Lower cost
Q: Which characteristic applies to solid-state drives (SSDs) compared to magnetic drives?
Answer:
They are less susceptible to damage.
Q: Which type of storage format should be transported in a special bag to reduce electrostatic
interference?
Answer:
Magnetic media
Q: Which Windows component is responsible for reading the boot.ini file and displaying the
boot loader menu on Windows XP during the boot process?
Answer:
NTLDR
Q: The following line of code is an example of how to make a forensic copy of a suspect drive:
dd if=/dev/mem of=/evidence/image.memory1
Which operating system should be used to run this command?
Answer:
Linux
Q: Which file system is supported by Mac?
Answer:
Hierarchical File System Plus (HFS+)
Q: Which law requires both parties to consent to the recording of a conversation?
Answer:
Electronic Communications Privacy Act (ECPA)
WGU C840 Practice Assessment: Digital Forensics in Cybersecurity (2023/2024) Questions and Verified Answers | 100% Correct
Q: Which Windows component is responsible for reading the boot.ini file and displaying the
boot loader menu on Windows XP during the boot process?
Answer:
NTLDR
Q: The following line of code is an example of how to make a forensic copy of a suspect drive:
dd if=/dev/mem of=/evidence/image.memory1
Which operating system should be used to run this command?
Answer:
Linux
Q: Which file system is supported by Mac?
Answer:
Hierarchical File System Plus (HFS+)
Q: Which law requires both parties to consent to the recording of a conversation?
Answer:
Electronic Communications Privacy Act (ECPA)
Q: Which law is related to the disclosure of personally identifiable protected health information
(PHI)?
Answer:
Health Insurance Portability and Accountability Act (HIPAA)
Q: Which U.S. law criminalizes the act of knowingly using a misleading domain name with the
intent to deceive a minor into viewing harmful material?
Answer:
18 U.S.C. 2252B
Q: Which U.S. law protects journalists from turning over their work or sources to law
enforcement before the information is shared with the public?
Answer:
The Privacy Protection Act (PPA)
Q: Which law or guideline lists the four states a mobile device can be in when data is extracted
from it?
Answer:
NIST SP 800-72 Guidelines
Q: Which law includes a provision permitting the wiretapping of VoIP calls?
Answer:
Communications Assistance to Law Enforcement Act (CALEA)
Q: Which policy is included in the CAN-SPAM Act?
Answer:
The email sender must provide some mechanism whereby the receiver can opt out of future
emails and that method cannot require the receiver to pay in order to opt out.
Q: Which United States law requires telecommunications equipment manufacturers to provide
built-in surveillance capabilities for federal agencies?
Answer:
Communication Assistance to Law Enforcement Act (CALEA)
Q: Which law requires a search warrant or one of the recognized exceptions to the search
warrant requirements for searching email messages on a computer?
Answer:
The Fourth Amendment to the U.S. Constitution
Q: What is one purpose of steganography?
Answer:
To deliver information secretly
Q: Which method is used to implement steganography through pictures?
Answer:
LSB