Questions & Correct Answers | Cyberlaw, Regulations, and Compliance | Pass Guaranteed - A+ Graded
Q1: What is the primary purpose of a write-blocker during evidence
acquisition?
A. To prevent data alteration on the suspect drive
B. To encrypt the evidence for secure transport
C. To ensure the original evidence remains unaltered [CORRECT]
D. To speed up the imaging process
Correct Answer: C
Rationale: Correct because a write-blocker's main function is to prevent any
changes to the original evidence during acquisition, maintaining integrity for
legal admissibility.
Q2: Which Windows artifact tracks recently opened documents and is stored in the
user's AppData folder?
A. Prefetch files
B. Event logs
C. Jump Lists [CORRECT]
D. USN Journal
Correct Answer: C
Rationale: Correct because Jump Lists (automatically generated by Windows)
store shortcuts to recently accessed files, critical for timeline analysis.
Q3: In the SANS PICERL incident response model, what is the first phase after
preparation?
A. Eradication
B. Recovery
C. Identification [CORRECT]
D. Containment
Correct Answer: C
Rationale: Correct because the PICERL model prioritizes identifying the
incident's scope and nature before containment or eradication.
Q4: What is the standard hash algorithm used to verify evidence integrity in digital
forensics?
A. MD5
B. AES
C. SHA-256 [CORRECT]
D. RSA
Correct Answer: C
Rationale: Correct because SHA-256 is the current industry standard for
cryptographic hashing, providing stronger collision resistance than MD5.
Q5: A forensic investigator finds a deleted file in the unallocated space of an NTFS
drive. Which tool is best for recovering it?
A. Wireshark
B. Volatility
C. FTK Imager [CORRECT]
D. Nmap
Correct Answer: C
Rationale: Correct because FTK Imager supports recovery of deleted files from
unallocated space and is a widely accepted forensic tool.
Q6: Which Linux log file records user authentication attempts?
A. /var/log/syslog
B. /var/log/kern.log
C. /var/log/auth.log [CORRECT]
D. /var/log/dmesg
Correct Answer: C
Rationale: Correct because /var/log/auth.log specifically tracks
authentication-related events, including sudo and SSH logins.
Q7: What is the legal standard for admitting digital evidence in U.S. courts, requiring
reliability and relevance?
A. Frye Standard
B. Hearsay Rule
C. Daubert Standard [CORRECT]
D. Miranda Rights
Correct Answer: C
Rationale: Correct because the Daubert Standard (from Daubert v. Merrell Dow)
governs expert testimony and scientific evidence admissibility.
Q8: Which mobile device acquisition method requires physical access and bypasses
lock screens?
A. Logical acquisition
B. Cloud backup extraction
C. Chip-off acquisition [CORRECT]
D. Over-the-air update
Correct Answer: C
Rationale: Correct because chip-off involves physically removing the memory
chip, allowing direct access without device authentication.
Q9: In email forensics, which header field indicates the originator's IP address?
A. Subject
B. To
C. Received [CORRECT]
D. Message-ID
Correct Answer: C
Rationale: Correct because the "Received" header tracks the email's path,
including the originating IP address of each server.
Q10: What is the primary challenge in cloud forensics compared to traditional
environments?
A. Lack of encryption
B. Physical access to servers
C. Data jurisdiction and multi-tenancy [CORRECT]
D. Limited log retention
Correct Answer: C
Rationale: Correct because cloud environments often span multiple jurisdictions
and share resources, complicating legal and technical access.
Q11: Which anti-forensics technique involves altering file timestamps to mislead
investigators?
A. Steganography
B. Encryption
C. Timestomping [CORRECT]
D. Wiping
Correct Answer: C
Rationale: Correct because timestomping modifies file metadata (e.g., MAC
times) to obscure the true timeline of events.
Q12: A forensic image is created using the E01 format. What feature does this format
support?
A. Compression only
B. Encryption only
C. Compression and error detection [CORRECT]
D. Password protection only
Correct Answer: C
Rationale: Correct because the E01 format (used by EnCase) supports both
compression and cyclic redundancy checks for data integrity.
Q13: Which Mac OS file system is case-insensitive by default?
A. APFS
B. HFS+
C. HFS+ (Journaled) [CORRECT]
D. exFAT
Correct Answer: C
Rationale: Correct because HFS+ (Journaled) is the default Mac file system,
which is case-insensitive but preserves case.
Q14: What is the purpose of the USN Journal in NTFS?
A. Track user logins
B. Record file deletion events
C. Log changes to files and directories [CORRECT]
D. Store alternate data streams
Correct Answer: C
Rationale: Correct because the USN Journal (Update Sequence Number) logs all
modifications to files and directories, critical for timeline analysis.
Q15: In memory forensics, which Volatility plugin detects hidden processes?
A. pslist
B. netscan
C. psscan [CORRECT]
D. cmdline
Correct Answer: C
Rationale: Correct because the psscan plugin identifies processes not listed in
the active process list, revealing potential malware.
Q16: Which network forensics tool is used to analyze packet captures (PCAP files)?
A. Splunk
B. OSSEC
C. Wireshark [CORRECT]
D. Nessus
Correct Answer: C
Rationale: Correct because Wireshark is the industry-standard tool for
dissecting and analyzing network traffic in PCAP files.
Q17: A company's incident response team isolates a compromised system. Which
phase of PICERL does this represent?
A. Eradication
B. Recovery
C. Containment [CORRECT]
D. Lessons learned
Correct Answer: C
Rationale: Correct because containment involves isolating affected systems to
prevent further damage during an incident.
Q18: What is the correct order of volatility in digital forensics?
A. Disk > RAM > Network
B. RAM > Disk > Network
C. RAM > Network > Disk [CORRECT]
D. Network > RAM > Disk
Correct Answer: C
Rationale: Correct because RAM is most volatile (lost on power-off), followed
by network data (transient), then disk (persistent).
Q19: Which database forensic tool is used to analyze SQLite databases?
A. MySQL Workbench
B. Oracle SQL Developer
C. SQLite Forensic Explorer [CORRECT]
D. pgAdmin
Correct Answer: C
Rationale: Correct because SQLite Forensic Explorer is specifically designed to
recover and analyze data from SQLite databases.