WGU C840 Digital Forensics QUESTIONS WITH COMPLETE SOLUTIONS
expert report Correct Answer: A formal document prepared by a forensics specialist to document an
investigation, including a list of all tests conducted as well as the specialist's own curriculum vitae (CV).
Anything the specialist plans to testify about at a trial must be included in the expert report.
Testimonial evidence Correct Answer: Information that forensic specialists use to support or interpret
real or documentary evidence; for example, to demonstrate that the fingerprints found on a keyboard
are those of a specific individual.
Daubert standard Correct Answer: The standard holding that only methods and tools widely accepted in
the scientific community can be used in court.
If the computer is turned on when you arrive, what does the Secret Service recommend you do? Correct
Answer: Shut down according to the recommended Secret Service procedure.
Communications Assistance to Law Enforcement Act of 1994 Correct Answer: The Communications
Assistance to Law Enforcement Act of 1994 is a federal wiretap law for traditional wired telephony. It
was expanded to include wireless, voice over packet, and other forms of electronic communications,
including signaling traffic and metadata.
Digital evidence Correct Answer: Digital evidence is information processed and assembled so that it is
relevant to an investigation and supports a specific finding or determination.
Federal Privacy Act of 1974 Correct Answer: The Federal Privacy Act of 1974 is a United States federal law
that establishes a code of Fair Information Practice that governs the collection, maintenance, use, and
dissemination of information about individuals that is maintained in systems of records by U.S. federal
agencies.
Power Spy, Verity, ICU, and WorkTime Correct Answer: Spyware
good fictitious e-mail response rate Correct Answer: 1-3%
Which crime is most likely to leave e-mail evidence? Correct Answer: Cyberstalking
Where would you seek evidence that ophcrack had been used on a Windows Server 2008 machine?
Correct Answer: In the logs of the server; look for the reboot of the system
A SYN flood is an example of what? Correct Answer: DoS attack
What is the definition of a virus, in relation to a computer? Correct Answer: a type of malware that requires a host
program or human help to propagate
What is the starting point for investigating the denial of service attacks? Correct Answer: Tracing the
packets
China Eagle Union Correct Answer: The cyberterrorism group, the China Eagle Union, consists of several
thousand Chinese hackers whose stated goal is to infiltrate Western computer systems. Members and
leaders of the group insist that not only does the Chinese government have no involvement in their
activities, but that they are breaking Chinese law and are in constant danger of arrest and imprisonment.
However, most analysts believe this group is working with the full knowledge and support of the
Chinese government.
Rules of evidence Correct Answer: Rules that govern whether, when, how, and why proof of a legal case
can be placed before a judge or jury.
file slack Correct Answer: The unused space between the logical end of the file and the physical end of
the file. It is also called slack space.
The Analysis Plan Correct Answer: Before forensic examination can begin, an analysis plan should be
created. This plan guides work in the analysis process. How will you gather evidence? Are there concerns
about evidence being changed or destroyed? What tools are most appropriate for this specific
investigation? A standard data analysis plan should be created and customized for specific situations and
circumstances.
What is the most important reason that you not touch the actual original evidence any more than you
have to? Correct Answer: Each time you touch digital data, there is some chance of altering it.
You should make at least two bitstream copies of a suspect drive. Correct Answer: TRUE
To preserve digital evidence, an investigator should Correct Answer: make two copies of each evidence
item using different imaging tools
What would be the primary reason for you to recommend for or against making a DOS copy? Correct
Answer: A simple DOS copy will not include deleted files, file slack, and other information.
Which starting-point forensic certification covers the general principles and techniques of forensics, but
not specific tools such as EnCase or FTK? Correct Answer: (CHFI) EC Council Certified Hacking Forensic
Investigator
This forensic certification is open to both the public and private sectors and is specific to the use and
mastery of FTK. Requirements for taking the exam include completing the boot camp and Windows
forensic courses. Correct Answer: AccessData Certified Examiner. AccessData is the creator of Forensic
Toolkit (FTK) software.
Federal Rules of Evidence (FRE) Correct Answer: The Federal Rules of Evidence (FRE) is a code of
evidence law. The FRE governs the admission of facts by which parties in the U.S. federal court system
may prove their cases. The rules of evidence encompass the rules and legal principles that govern the
proof of facts in a legal proceeding. These rules determine what evidence must or must not be
considered by the trier of fact in reaching its decision.
The DoD Cyber Crime Center (DC3) Correct Answer: DC3 is involved with DoD investigations that require
computer forensics support to detect, enhance, or recover digital media. DC3 provides computer
investigation training. It trains forensic examiners, investigators, system administrators, and others. It