and Network Intrusion
Which computer crime forensics step requires an investigator to duplicate and image
the collected digital information?
A Securing evidence
B Acquiring data
C Analyzing data
D Assessing evidence - CORRECT ANSWERS B
What is the last step of a criminal investigation that requires the involvement of a
computer forensic investigator?
A Analyzing the data collected
B Testifying in court
C Assessing the evidence
D Performing search and seizure - CORRECT ANSWERS B
How can a forensic investigator verify an Android mobile device is on, without potentially
changing the original evidence or interacting with the operating system?
A Check to see if it is plugged into a computer
B Tap the screen multiple times
C Look for flashing lights
D Hold down the power button - CORRECT ANSWERS C
What should a forensic investigator use to protect a mobile device if a Faraday bag is
not available?
A Aluminum foil
B Sturdy container
C Cardboard box
D Bubble wrap - CORRECT ANSWERS A
Which criterion determines whether a technology used by government to obtain
information in a computer search is considered innovative and requires a search
warrant?
A Availability to the general public
B Dependency on third-party software
C Implementation based on open source software
D Use of cloud-based machine learning - CORRECT ANSWERS A
Which situation allows a law enforcement officer to seize a hard drive from a residence
without obtaining a search warrant?
A The computer is left unattended.
B The front door is wide open.
C The occupant is acting suspicious.
D The evidence is in imminent danger. - CORRECT ANSWERS D
Which legal document contains a summary of findings and is used to prosecute?
A Investigation report
B Search warrant
C Search and seizure
D Chain of custody - CORRECT ANSWERS A
What should an investigator use to prevent any signals from reaching a mobile phone?
A Faraday bag
B Dry bag
C Anti-static container
D Lock box - CORRECT ANSWERS A
A forensic investigator is called to the stand as a technical witness in an internet
payment fraud case.
Which behavior is considered ethical by this investigator while testifying?
A Providing and explaining facts found during the investigation
B Interpreting the findings and offering a clear opinion to the jury
C Helping the jury arrive at a conclusion based on the facts
D Assisting the attorney in compiling a list of essential questions - CORRECT ANSWERS A
A government agent is testifying in a case involving malware on a system.
What should this agent have complied with during search and seizure?
A Fourth Amendment
B Stored Communications Act
C Net Neutrality Bill
D Federal Rules of Evidence - CORRECT ANSWERS A
Which path should a forensic investigator use to look for system logs on a Mac?
A /var/log/cups/access_log
B /var/log/
C /var/audit/
D /var/log/install.log - CORRECT ANSWERS B
Which tool should a forensic investigator use to view information from Linux kernel ring
buffers?
A arp
B dmesg
C fsck
D grep - CORRECT ANSWERS B
A forensic investigator makes a bit-stream copy of a Windows hard drive that has been
reformatted. The investigator needs to locate only the Adobe PDF files on the hard
drive.
Which tool should this investigator use?
A Quick Recovery
B Handy Recovery
C EaseUS Data Recovery
D Stellar Data Recovery - CORRECT ANSWERS C
Which hexadecimal value should an investigator search for to find JPEG images on a
device?
A 0x424D
B 0xD0CF11E0A1B11AE1
C 0x504B030414000600
D 0xFFD8 - CORRECT ANSWERS D
Which type of steganography allows the user to physically move a file but keep the
associated files in their original location for recovery?
A Whitespace
B Folder
C Image
D Web - CORRECT ANSWERS B
An employee steals a sensitive text file by embedding it into a PNG file. The employee
then sends this file via an instant chat message to an accomplice.
Which type of steganography did this employee use?
A Document
B Image
C Text
D Web - CORRECT ANSWERS B
Which method is used when an investigator has access to the plaintext and an image
file with the hidden information?
A Stego-only
B Known-stego
C Known-message
D Chosen-message - CORRECT ANSWERS C
Which method is used when an investigator takes a plaintext message, uses various
tools against it, and finds the algorithm used to hide information?
A Stego-only
B Known-stego
C Known-message
D Chosen-message - CORRECT ANSWERS D
Which operating system is targeted by the DaveGrohl password cracker?
A Linux
B OS X
C UNIX
D Windows - CORRECT ANSWERS B
Which password cracker is used to recover passwords on an OS X operating system?
A Cain and Abel
B DaveGrohl
C L0phtCrack
D Ophcrack - CORRECT ANSWERS B
Which tool allows a forensic investigator to process Transmission Control Protocol
(TCP) streams for analysis of malicious traffic?
A Kibana
B OSSEC
C Syslog-ng
D Wireshark - CORRECT ANSWERS D
Which tool allows an investigator to review or process information in a Windows
environment but does not rely on the Windows API?