1
WGU C702 FORENSIC SCIENCE & DIGITAL FORENSICS OA
FINAL EXAM 2026/2027 | Latest Version | Complete 200
Questions with Verified Answers | Brand New | Pass
Guaranteed - A+ Graded
[Section 1: Digital Forensics Fundamentals & Legal Compliance (Q1-25)]
Q1. A forensic examiner is tasked with imaging a suspect's 4TB hard drive. Before
creating the forensic image, the examiner connects the drive to a write-blocker and
computes an MD5 hash. Which NIST SP 800-86 guideline principle does this action
primarily satisfy?
A. Evidence preservation through chain of custody documentation
B. Data integrity verification via cryptographic hashing
C. Legal compliance with search warrant execution protocols
D. Expert witness qualification under Daubert standards
B. Data integrity verification via cryptographic hashing [CORRECT]
Rationale: NIST SP 800-86 emphasizes cryptographic hashing (MD5, SHA-1, SHA-
256) before and after imaging to verify that the forensic copy is bit-for-bit identical
to the original evidence. While chain of custody is critical, hashing specifically
addresses data integrity. Search warrant execution and Daubert standards relate to
legal admissibility but not the technical hashing process.
Correct Answer: B
Q2. During a criminal investigation, law enforcement seizes a laptop without a
warrant from a suspect's vehicle parked in a public street. The laptop is in plain view
on the passenger seat. Under which legal doctrine is this seizure most likely lawful?
A. Exigent circumstances doctrine
B. Plain view doctrine
C. Search incident to arrest
D. Consent exception
,2
B. Plain view doctrine [CORRECT]
Rationale: The plain view doctrine allows seizure of evidence without a warrant when
officers are lawfully present in a location, the item's incriminating character is
immediately apparent, and the officer has lawful access to the object. A laptop in
plain view on a public street meets these criteria. Exigent circumstances require
immediate danger or destruction of evidence; search incident to arrest requires a
lawful arrest; consent was not obtained.
Correct Answer: B
Q3. A forensic examiner is testifying as an expert witness in federal court. Under the
Daubert standard, which factor will the judge most likely consider when determining
the admissibility of the examiner's forensic methodology?
A. The examiner's years of law enforcement experience
B. Whether the methodology has been tested, peer-reviewed, and has known error
rates
C. The examiner's personal opinion of the defendant's guilt
D. The number of cases the examiner has previously testified in
B. Whether the methodology has been tested, peer-reviewed, and has known
error rates [CORRECT]
Rationale: Daubert v. Merrell Dow (1993) established that federal judges must
evaluate whether expert testimony is based on scientifically valid reasoning,
including: (1) whether the theory/technique can be tested, (2) peer
review/publication, (3) known error rates, (4) standards, and (5) general acceptance.
Experience volume and personal opinions are not Daubert factors.
Correct Answer: B
,3
Q4. An investigator receives a subpoena duces tecum requiring production of email
server logs. Which statement accurately distinguishes a subpoena from a search
warrant?
A. A subpoena requires probable cause; a search warrant does not
B. A search warrant requires probable cause and is executed by law enforcement; a
subpoena compels testimony/document production without probable cause
C. A subpoena authorizes physical seizure of evidence; a search warrant only permits
observation
D. Both require the same judicial standard of reasonable suspicion
B. A search warrant requires probable cause and is executed by law enforcement;
a subpoena compels testimony/document production without probable cause
[CORRECT]
Rationale: A search warrant requires probable cause under the Fourth Amendment
and authorizes law enforcement to search/seize. A subpoena duces tecum compels a
person to produce documents or testify and does not require probable cause,
though it may be challenged for relevance or burden. Subpoenas do not authorize
physical seizure by investigators.
Correct Answer: B
Q5. A forensic examiner documents the chain of custody for a seized smartphone.
Which element is most critical to maintain for legal admissibility?
A. Detailed notes about the suspect's criminal history
B. Unbroken documentation of who handled the evidence, when, where, and for
what purpose
C. The examiner's personal opinion about the evidence significance
D. Copies of the search warrant served on the suspect
B. Unbroken documentation of who handled the evidence, when, where, and for
what purpose [CORRECT]
Rationale: Chain of custody requires an unbroken documented record of evidence
collection, transfer, analysis, and storage, including date/time, individuals involved,
, 4
locations, and purpose. This ensures evidence integrity and admissibility. Criminal
history, personal opinions, and warrant copies are not chain of custody elements.
Correct Answer: B
Q6. Under the ACPO (Association of Chief Police Officers) Good Practice Guide for
Digital Evidence, which principle states that an individual is responsible for ensuring
digital evidence is preserved and its integrity maintained?
A. Principle 1: No action taken should change data held on a digital device
B. Principle 2: In exceptional circumstances, a person may access original data if they
are competent
C. Principle 3: An audit trail or record of all processes applied to digital evidence
must be created and preserved
D. Principle 4: The person in charge of the investigation has overall responsibility for
ensuring these principles are followed
D. Principle 4: The person in charge of the investigation has overall responsibility
for ensuring these principles are followed [CORRECT]
Rationale: ACPO Principle 4 assigns ultimate responsibility to the senior
investigating officer for ensuring all digital evidence principles are adhered to.
Principle 1 addresses data preservation; Principle 2 addresses exceptional access;
Principle 3 requires audit trails. Only Principle 4 establishes accountability hierarchy.
Correct Answer: D
Q7. A forensic examiner is analyzing evidence in a civil litigation case involving trade
secret theft. Which standard of proof applies to the admissibility of digital evidence
in this civil context?
A. Beyond a reasonable doubt
B. Preponderance of the evidence
WGU C702 FORENSIC SCIENCE & DIGITAL FORENSICS OA
FINAL EXAM 2026/2027 | Latest Version | Complete 200
Questions with Verified Answers | Brand New | Pass
Guaranteed - A+ Graded
[Section 1: Digital Forensics Fundamentals & Legal Compliance (Q1-25)]
Q1. A forensic examiner is tasked with imaging a suspect's 4TB hard drive. Before
creating the forensic image, the examiner connects the drive to a write-blocker and
computes an MD5 hash. Which NIST SP 800-86 guideline principle does this action
primarily satisfy?
A. Evidence preservation through chain of custody documentation
B. Data integrity verification via cryptographic hashing
C. Legal compliance with search warrant execution protocols
D. Expert witness qualification under Daubert standards
B. Data integrity verification via cryptographic hashing [CORRECT]
Rationale: NIST SP 800-86 emphasizes cryptographic hashing (MD5, SHA-1, SHA-
256) before and after imaging to verify that the forensic copy is bit-for-bit identical
to the original evidence. While chain of custody is critical, hashing specifically
addresses data integrity. Search warrant execution and Daubert standards relate to
legal admissibility but not the technical hashing process.
Correct Answer: B
Q2. During a criminal investigation, law enforcement seizes a laptop without a
warrant from a suspect's vehicle parked in a public street. The laptop is in plain view
on the passenger seat. Under which legal doctrine is this seizure most likely lawful?
A. Exigent circumstances doctrine
B. Plain view doctrine
C. Search incident to arrest
D. Consent exception
,2
B. Plain view doctrine [CORRECT]
Rationale: The plain view doctrine allows seizure of evidence without a warrant when
officers are lawfully present in a location, the item's incriminating character is
immediately apparent, and the officer has lawful access to the object. A laptop in
plain view on a public street meets these criteria. Exigent circumstances require
immediate danger or destruction of evidence; search incident to arrest requires a
lawful arrest; consent was not obtained.
Correct Answer: B
Q3. A forensic examiner is testifying as an expert witness in federal court. Under the
Daubert standard, which factor will the judge most likely consider when determining
the admissibility of the examiner's forensic methodology?
A. The examiner's years of law enforcement experience
B. Whether the methodology has been tested, peer-reviewed, and has known error
rates
C. The examiner's personal opinion of the defendant's guilt
D. The number of cases the examiner has previously testified in
B. Whether the methodology has been tested, peer-reviewed, and has known
error rates [CORRECT]
Rationale: Daubert v. Merrell Dow (1993) established that federal judges must
evaluate whether expert testimony is based on scientifically valid reasoning,
including: (1) whether the theory/technique can be tested, (2) peer
review/publication, (3) known error rates, (4) standards, and (5) general acceptance.
Experience volume and personal opinions are not Daubert factors.
Correct Answer: B
,3
Q4. An investigator receives a subpoena duces tecum requiring production of email
server logs. Which statement accurately distinguishes a subpoena from a search
warrant?
A. A subpoena requires probable cause; a search warrant does not
B. A search warrant requires probable cause and is executed by law enforcement; a
subpoena compels testimony/document production without probable cause
C. A subpoena authorizes physical seizure of evidence; a search warrant only permits
observation
D. Both require the same judicial standard of reasonable suspicion
B. A search warrant requires probable cause and is executed by law enforcement;
a subpoena compels testimony/document production without probable cause
[CORRECT]
Rationale: A search warrant requires probable cause under the Fourth Amendment
and authorizes law enforcement to search/seize. A subpoena duces tecum compels a
person to produce documents or testify and does not require probable cause,
though it may be challenged for relevance or burden. Subpoenas do not authorize
physical seizure by investigators.
Correct Answer: B
Q5. A forensic examiner documents the chain of custody for a seized smartphone.
Which element is most critical to maintain for legal admissibility?
A. Detailed notes about the suspect's criminal history
B. Unbroken documentation of who handled the evidence, when, where, and for
what purpose
C. The examiner's personal opinion about the evidence significance
D. Copies of the search warrant served on the suspect
B. Unbroken documentation of who handled the evidence, when, where, and for
what purpose [CORRECT]
Rationale: Chain of custody requires an unbroken documented record of evidence
collection, transfer, analysis, and storage, including date/time, individuals involved,
, 4
locations, and purpose. This ensures evidence integrity and admissibility. Criminal
history, personal opinions, and warrant copies are not chain of custody elements.
Correct Answer: B
Q6. Under the ACPO (Association of Chief Police Officers) Good Practice Guide for
Digital Evidence, which principle states that an individual is responsible for ensuring
digital evidence is preserved and its integrity maintained?
A. Principle 1: No action taken should change data held on a digital device
B. Principle 2: In exceptional circumstances, a person may access original data if they
are competent
C. Principle 3: An audit trail or record of all processes applied to digital evidence
must be created and preserved
D. Principle 4: The person in charge of the investigation has overall responsibility for
ensuring these principles are followed
D. Principle 4: The person in charge of the investigation has overall responsibility
for ensuring these principles are followed [CORRECT]
Rationale: ACPO Principle 4 assigns ultimate responsibility to the senior
investigating officer for ensuring all digital evidence principles are adhered to.
Principle 1 addresses data preservation; Principle 2 addresses exceptional access;
Principle 3 requires audit trails. Only Principle 4 establishes accountability hierarchy.
Correct Answer: D
Q7. A forensic examiner is analyzing evidence in a civil litigation case involving trade
secret theft. Which standard of proof applies to the admissibility of digital evidence
in this civil context?
A. Beyond a reasonable doubt
B. Preponderance of the evidence
