PRACTICE EXAM|QUESTIONS AND ANSWERS WITH
RATIONALE|2026 UPDATE|100% PASS
1. What is the definition of computer forensics?
A) The process of using scientific knowledge for collecting, analyzing, and
presenting evidence to the courts
B) The use of analytical and investigative techniques to identify, collect, examine,
and preserve evidence/information which is magnetically stored or encoded
C) The proliferation of smartphones, smartwatches, and other devices in
computer forensics
D) The process of examining network traffic and transaction logs
Answer: B) The use of analytical and investigative techniques to identify, collect,
examine, and preserve evidence/information which is magnetically stored or
encoded
Rationale: Computer forensics specifically refers to the use of analytical and
investigative techniques to identify, collect, examine, and preserve evidence that is
magnetically stored or encoded. Digital forensics is a broader term that includes
smartphones, smartwatches, and other devices.
2. What are the three objectives of computer forensics?
A) Secure the scene, catalog evidence, and present findings
B) Recover, analyze, and present computer-based material
C) Identify suspects, preserve data, and testify in court
D) Image drives, examine logs, and write reports
Answer: B) Recover, analyze, and present computer-based material
Rationale: The three primary objectives of computer forensics are to recover
computer-based material, analyze it, and present it in such a way that it can be
used as evidence in a court of law.
3. Which type of evidence is a physical object that someone can touch, hold, or
directly observe?
A) Documentary evidence
B) Testimonial evidence
C) Real evidence
D) Demonstrative evidence
Answer: C) Real evidence
Rationale: Real evidence is a physical object that someone can touch, hold, or
directly observe. Examples include a laptop with a suspect's fingerprints on the
keyboard, a hard drive, a USB drive, or a handwritten note.
4. Data stored as written matter, on paper or in electronic files, is called:
A) Real evidence
B) Documentary evidence
C) Testimonial evidence
D) Demonstrative evidence
Answer: B) Documentary evidence
Rationale: Documentary evidence is data stored as written matter, on paper or in
electronic files. It includes memory-resident data and computer files such as email
messages, logs, databases, photographs, and telephone call-detail records.
5. Information that forensic specialists use to support or interpret real or
documentary evidence is called:
A) Testimonial evidence
B) Demonstrative evidence
C) Secondary evidence
D) Corroborating evidence
Answer: B) Demonstrative evidence
Rationale: Demonstrative evidence is information that helps explain other
evidence. An example is a chart that explains a technical concept to the judge and
jury.
6. The continuity of control of evidence that makes it possible to account for all
that has happened to evidence between its original collection and its appearance
in court is called the:
A) Evidence log
B) Chain of custody
C) Evidence tracking form
D) Forensic worksheet
Answer: B) Chain of custody
Rationale: The chain of custody is the continuity of control of evidence that makes
it possible to account for all that has happened to evidence between its original
collection and its appearance in court, preferably unaltered.
7. What is the first thing a forensic scientist should do when arriving at a crime
scene?
A) Turn off the power to the entire area being examined
B) Unplug all network connections so data cannot be deleted remotely
C) Gather up all physical evidence and move it out as quickly as possible
D) Photograph all evidence in its original place
Answer: D) Photograph all evidence in its original place
Rationale: The first step is to photograph all evidence in its original place to
document the scene exactly as it was found. This preserves the context of the
evidence before any collection activities begin.
8. Which method of copying digital evidence ensures proper evidence collection?
A) Make the copy using file transfer
B) Copy files using drag and drop
C) Make the copy at the bit-level
D) Copy the logical partitions
Answer: C) Make the copy at the bit-level