WGU D431 OA Exam with precise detailed solutions

Disk Forensics
The process of acquiring and analyzing information stored on physical storage media, such as computer hard drives, smartphones, GPS systems, and removable media. Includes both the recovery of hidden and deleted information and the process of identifying who created a file or message.

Email Forensics
The study of the source and content of email as evidence, including the identification of the sender, recipient, date, time, and origination location of an email message.

Network Forensics
The process of examining network traffic, including transaction logs and real-time monitoring using sniffers and tracing.

Internet Forensics
The process of piecing together where and when a user has been on the internet. For example, you can use internet forensics to determine whether access to, and downloading of, inappropriate internet content was accidental.

Software Forensics
Also known as malware forensics, the process of examining malicious computer code.

Live system forensics
The process of searching memory in real time, typically when working with compromised hosts or to identify system abuse. Because the contents of memory are lost when the machine is powered off, this is done on the running system, before it is shut down.

Cell-Phone Forensics
The process of searching the contents of cell phones. A few years ago this was not a big issue, but with the ubiquitous nature of cell phones today, cell-phone forensics is a very important topic. A cell phone can be a treasure trove of evidence. Modern cell phones are essentially computers, with processors, memory, persistent storage and operating systems, and they operate on networks. Phone forensics also includes VoIP and traditional phones and may overlap the Foreign Intelligence Surveillance Act of 1978 (FISA), the USA PATRIOT Act, and the Communications Assistance for Law Enforcement Act (CALEA) in the United States.

Chain of Custody
From the time the evidence is first seized by a law enforcement officer or civilian investigator until the moment it is shown in court, the whereabouts and custody of the evidence, and how it was handled and stored and by whom, must be able to be shown at all times. Failure to maintain the proper chain of custody can lead to evidence being excluded from trial.

Don't Touch the Suspect Drive
One very important principle is to touch the system as little as possible. Examining a system can change it, which is very undesirable, yet you obviously have to interact with the system to investigate it. The answer is to make a forensic copy and work with that copy. You can make a forensic copy with most major forensic tools, such as AccessData's Forensic Toolkit, Guidance Software's EnCase, or PassMark's OSForensics, and there are also open source tools that copy the original source media. To be specific: make a copy, and analyze the copy. In practice the original is attached through a write blocker so that nothing can be written to it, and a cryptographic hash of the original is compared with a hash of the copy to show that the copy is bit-for-bit identical.

Document trail
The next issue is documentation. The rule is that you document everything. Who was present when the device was seized? What was connected to the device, or showing on the screen, when you seized it? What specific tools and techniques did you use? Who had access to the evidence from the time of seizure until the time of trial? All of this must be documented, and when in doubt, err on the side of over-documentation. It really is not possible to document too much information about an investigation.

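The two principles above, make a verified copy and work only on it, and document who did what with the evidence, as an added example in Python. This is not code from the study guide, nor from FTK, EnCase or OSForensics. The suspect "drive" is a constructed file, the examiner name and file names are assumed, and in a real acquisition the source would be a block device behind a hardware write blocker and the copy would typically be made with a tool such as dd or dc3dd; the hash-and-compare logic is the same.

```python
"""Forensic imaging with hash verification and a chain-of-custody log entry.

Added example; not from the study guide or any forensic product it names.
The 'device' is a constructed file standing in for a suspect drive.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

BLOCK_SIZE = 512  # sector-sized reads, as dd would do with bs=512


def sha256_of(path):
    """Hash a file in chunks so large images need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1024 * 1024), b""):
            h.update(chunk)
    return h.hexdigest()


def acquire_image(source, image):
    """Copy source to image block by block, hashing the stream as it is read.

    Returns the hash of exactly what was read from the source. The source is
    opened read-only; nothing is ever written back to it.
    """
    h = hashlib.sha256()
    with open(source, "rb") as src, open(image, "wb") as dst:
        for block in iter(lambda: src.read(BLOCK_SIZE), b""):
            h.update(block)
            dst.write(block)
    return h.hexdigest()


def verify_image(source, image, stream_hash):
    """Independently re-hash source and image and compare all three values.

    source == image proves the copy is bit-for-bit identical; both matching
    the acquisition-time stream hash shows the source did not change while
    it was being read. Returns (ok, source_hash, image_hash).
    """
    source_hash = sha256_of(source)
    image_hash = sha256_of(image)
    return source_hash == image_hash == stream_hash, source_hash, image_hash


def custody_record(examiner, source, image, image_hash, log_path):
    """Append one chain-of-custody entry as a JSON line and return it."""
    entry = {
        "timestamp_utc": datetime.now(timezone.utc).isoformat(),
        "examiner": examiner,            # assumed name, for the example
        "action": "acquired forensic image",
        "source": source,
        "image": image,
        "sha256": image_hash,
    }
    with open(log_path, "a") as log:
        log.write(json.dumps(entry) + "\n")
    return entry


def run_demo():
    """Image a constructed 'drive', verify it, log it, then show a tamper being caught."""
    workdir = tempfile.mkdtemp()
    source = os.path.join(workdir, "suspect_drive.bin")
    image = os.path.join(workdir, "suspect_drive.dd")
    log_path = os.path.join(workdir, "custody.jsonl")

    # Constructed evidence: two zero sectors, a short note, then filler.
    with open(source, "wb") as f:
        f.write(b"\x00" * 1024 + b"meeting at the warehouse 03:00" + b"\xff" * 700)

    stream_hash = acquire_image(source, image)
    ok, source_hash, image_hash = verify_image(source, image, stream_hash)
    record = custody_record("J. Doe", source, image, image_hash, log_path)

    # Failure mode: any change to the image (or the source) breaks the match.
    with open(image, "r+b") as f:
        f.seek(1024)
        f.write(b"X")
    tampered_ok, _, _ = verify_image(source, image, stream_hash)

    return {"verified": ok, "source_hash": source_hash, "image_hash": image_hash,
            "record": record, "tamper_detected": not tampered_ok}


if __name__ == "__main__":
    result = run_demo()
    print("image verified:", result["verified"])
    print("sha256:", result["image_hash"])
    print("tamper detected after edit:", result["tamper_detected"])
```

The hash recorded in the custody entry is what ties the image to the original for the rest of the case: every later working copy is checked against it, and a mismatch, as the last step shows, means that copy can no longer be vouched for.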
Secure the Evidence
It is absolutely critical to the integrity of your investigation, as well as to maintaining the chain of custody, that you secure the evidence. It is common to have the forensic lab be a locked room with access given only to those who must enter. Then, evidence is usually secured in a safe, with access given out only on a need-to-know basis. You have to take every reasonable precaution to ensure that no one can tamper with the evidence.

Daubert Standard
Standard used by a trial judge to make a preliminary assessment of whether an expert's scientific testimony is based on reasoning or methodology that is scientifically valid and can