WGU C840 Digital Forensics questions and correct answers at hand
expert report - correct answer-A formal document prepared by a forensics specialist to
document an investigation, including a list of all tests conducted as well as the specialist's
own curriculum vitae (CV). Anything the specialist plans to testify about at a trial must be
included in the expert report.
Testimonial evidence - correct answer-Information that forensic specialists use to support
or interpret real or documentary evidence; for example, to demonstrate that the
fingerprints found on a keyboard are those of a specific individual.
Daubert standard - correct answer-The standard holding that only methods and tools
widely accepted in the scientific community can be used in court.
If the computer is turned on when you arrive, what does the Secret Service recommend
you do? - correct answer-Shut down according to the recommended Secret Service
procedure.
Communications Assistance to Law Enforcement Act of 1994 - correct answer-The
Communications Assistance to Law Enforcement Act of 1994 is a federal wiretap law for
traditional wired telephony. It was expanded to include wireless, voice over packet, and
other forms of electronic communications, including signaling traffic and metadata.
Digital evidence - correct answer-Digital evidence is information processed and
assembled so that it is relevant to an investigation and supports a specific finding or
determination.
Federal Privacy Act of 1974 - correct answer-The Federal Privacy Act of 1974, a United
States federal law that establishes a code of Fair Information Practice that governs the
collection, maintenance, use, and dissemination of information about individuals that is
maintained in systems of records by U.S. federal agencies.
Power Spy, Verity, ICU, and WorkTime - correct answer-Spyware
good fictitious e-mail response rate - correct answer-1-3%
Which crime is most likely to leave e-mail evidence? - correct answer-Cyberstalking
Where would you seek evidence that ophcrack had been used on a Windows Server 2008
machine? - correct answer-In the logs of the server; look for the reboot of the system
A SYN flood is an example of what? - correct answer-DoS attack
definition of a virus, in relation to a computer? - correct answer-a type of malware that
requires a host program or human help to propagate
,What is the starting point for investigating the denial of service attacks? - correct answer-
Tracing the packets
China Eagle Union - correct answer-The cyberterrorism group, the China Eagle Union,
consists of several thousand Chinese hackers whose stated goal is to infiltrate Western
computer systems. Members and leaders of the group insist that not only does the
Chinese government have no involvement in their activities, but that they are breaking
Chinese law and are in constant danger of arrest and imprisonment. However, most
analysts believe this group is working with the full knowledge and support of the Chinese
government.
Rules of evidence - correct answer-Rules that govern whether, when, how, and why proof
of a legal case can be placed before a judge or jury.
file slack - correct answer-The unused space between the logical end of the file and the
physical end of the file. It is also called slack space.
The Analysis Plan - correct answer-Before forensic examination can begin, an analysis plan
should be created. This plan guides work in the analysis process. How will you gather
evidence? Are there concerns about evidence being changed or destroyed? What tools are
most appropriate for this specific investigation? A standard data analysis plan should be
created and customized for specific situations and circumstances.
What is the most important reason that you not touch the actual original evidence any
more than you have to? - correct answer-Each time you touch digital data, there is some
chance of altering it.
You should make at least two bitstream copies of a suspect drive. - correct answer-TRUE
To preserve digital evidence, an investigator should - correct answer-make two copies of
each evidence item using different imaging tools
What would be the primary reason for you to recommend for or against making a DOS
Copy - correct answer-A simple DOS copy will not include deleted files, file slack, and
other information.
Which starting-point forensic certification covers the general principles and techniques of
forensics, but not specific tools such as EnCase or FTK? - correct answer-(CHFI) EC
Council Certified Hacking Forensic Investigator
This forensic certification is open to both the public and private sectors and is specific to
the use and mastery of FTK. Requirements for taking the exam include completing the boot
, camp and Windows forensic courses. - correct answer-AccessData Certified Examiner.
AccessData is the creator of Forensic Toolkit (FTK) software.
Federal Rules of Evidence (FRE) - correct answer-The Federal Rules of Evidence (FRE) is a
code of evidence law. The FRE governs the admission of facts by which parties in the U.S.
federal court system may prove their cases. The rules of evidence, encompasses the rules
and legal principles that govern the proof of facts in a legal proceeding. These rules
determine what evidence must or must not be considered by the trier of fact in reaching its
decision
The DoD Cyber Crime Center (DC3) - correct answer-DC3 is involved with DoD
investigations that require computer forensics support to detect, enhance, or recover
digital media. DC3 provides computer investigation training. It trains forensic examiners,
investigators, system administrators, and others. It also ensures that defense information
systems are secure from unauthorized use, criminal and fraudulent activities, and foreign
intelligence service exploitation. DC3 ets standards for digital evidence processing,
analysis, and diagnostics.
Expert testimony - correct answer-Expert testimony involves the authentication of
evidence-based upon scientific or technical knowledge relevant to cases. Forensic
examiners are often called upon to authenticate evidence between given specimens and
other items. Forensic specialists should not undertake an examination that is beyond their
knowledge and skill.
temporary data - correct answer-Data that an operating system creates and overwrites
without the computer user taking direct action to save this data.
Physical analysis - correct answer-Offline analysis conducted on an evidence disk or
forensic duplicate after booting from a CD or another system.
Logical analysis - correct answer-Analysis involving using the native operating system, on
the evidence disk or a forensic duplicate, to peruse the data.
sweepers - correct answer-A kind of software that cleans unallocated space. Also called a
scrubber.
It is acceptable, when you have evidence in a vehicle, to stop for a meal, if the vehicle is
locked. - correct answer-FALSE
What Linux command can be used to create a hash? - correct answer-MD5sum
EnCase Format - correct answer-The EnCase format is a proprietary format that is defined
by Guidance Software for use in its forensic tool to store hard drive images and individual
expert report - correct answer-A formal document prepared by a forensics specialist to
document an investigation, including a list of all tests conducted as well as the specialist's
own curriculum vitae (CV). Anything the specialist plans to testify about at a trial must be
included in the expert report.
Testimonial evidence - correct answer-Information that forensic specialists use to support
or interpret real or documentary evidence; for example, to demonstrate that the
fingerprints found on a keyboard are those of a specific individual.
Daubert standard - correct answer-The standard holding that only methods and tools
widely accepted in the scientific community can be used in court.
If the computer is turned on when you arrive, what does the Secret Service recommend
you do? - correct answer-Shut down according to the recommended Secret Service
procedure.
Communications Assistance to Law Enforcement Act of 1994 - correct answer-The
Communications Assistance to Law Enforcement Act of 1994 is a federal wiretap law for
traditional wired telephony. It was expanded to include wireless, voice over packet, and
other forms of electronic communications, including signaling traffic and metadata.
Digital evidence - correct answer-Digital evidence is information processed and
assembled so that it is relevant to an investigation and supports a specific finding or
determination.
Federal Privacy Act of 1974 - correct answer-The Federal Privacy Act of 1974, a United
States federal law that establishes a code of Fair Information Practice that governs the
collection, maintenance, use, and dissemination of information about individuals that is
maintained in systems of records by U.S. federal agencies.
Power Spy, Verity, ICU, and WorkTime - correct answer-Spyware
good fictitious e-mail response rate - correct answer-1-3%
Which crime is most likely to leave e-mail evidence? - correct answer-Cyberstalking
Where would you seek evidence that ophcrack had been used on a Windows Server 2008
machine? - correct answer-In the logs of the server; look for the reboot of the system
A SYN flood is an example of what? - correct answer-DoS attack
definition of a virus, in relation to a computer? - correct answer-a type of malware that
requires a host program or human help to propagate
,What is the starting point for investigating the denial of service attacks? - correct answer-
Tracing the packets
China Eagle Union - correct answer-The cyberterrorism group, the China Eagle Union,
consists of several thousand Chinese hackers whose stated goal is to infiltrate Western
computer systems. Members and leaders of the group insist that not only does the
Chinese government have no involvement in their activities, but that they are breaking
Chinese law and are in constant danger of arrest and imprisonment. However, most
analysts believe this group is working with the full knowledge and support of the Chinese
government.
Rules of evidence - correct answer-Rules that govern whether, when, how, and why proof
of a legal case can be placed before a judge or jury.
file slack - correct answer-The unused space between the logical end of the file and the
physical end of the file. It is also called slack space.
The Analysis Plan - correct answer-Before forensic examination can begin, an analysis plan
should be created. This plan guides work in the analysis process. How will you gather
evidence? Are there concerns about evidence being changed or destroyed? What tools are
most appropriate for this specific investigation? A standard data analysis plan should be
created and customized for specific situations and circumstances.
What is the most important reason that you not touch the actual original evidence any
more than you have to? - correct answer-Each time you touch digital data, there is some
chance of altering it.
You should make at least two bitstream copies of a suspect drive. - correct answer-TRUE
To preserve digital evidence, an investigator should - correct answer-make two copies of
each evidence item using different imaging tools
What would be the primary reason for you to recommend for or against making a DOS
Copy - correct answer-A simple DOS copy will not include deleted files, file slack, and
other information.
Which starting-point forensic certification covers the general principles and techniques of
forensics, but not specific tools such as EnCase or FTK? - correct answer-(CHFI) EC
Council Certified Hacking Forensic Investigator
This forensic certification is open to both the public and private sectors and is specific to
the use and mastery of FTK. Requirements for taking the exam include completing the boot
, camp and Windows forensic courses. - correct answer-AccessData Certified Examiner.
AccessData is the creator of Forensic Toolkit (FTK) software.
Federal Rules of Evidence (FRE) - correct answer-The Federal Rules of Evidence (FRE) is a
code of evidence law. The FRE governs the admission of facts by which parties in the U.S.
federal court system may prove their cases. The rules of evidence, encompasses the rules
and legal principles that govern the proof of facts in a legal proceeding. These rules
determine what evidence must or must not be considered by the trier of fact in reaching its
decision
The DoD Cyber Crime Center (DC3) - correct answer-DC3 is involved with DoD
investigations that require computer forensics support to detect, enhance, or recover
digital media. DC3 provides computer investigation training. It trains forensic examiners,
investigators, system administrators, and others. It also ensures that defense information
systems are secure from unauthorized use, criminal and fraudulent activities, and foreign
intelligence service exploitation. DC3 ets standards for digital evidence processing,
analysis, and diagnostics.
Expert testimony - correct answer-Expert testimony involves the authentication of
evidence-based upon scientific or technical knowledge relevant to cases. Forensic
examiners are often called upon to authenticate evidence between given specimens and
other items. Forensic specialists should not undertake an examination that is beyond their
knowledge and skill.
temporary data - correct answer-Data that an operating system creates and overwrites
without the computer user taking direct action to save this data.
Physical analysis - correct answer-Offline analysis conducted on an evidence disk or
forensic duplicate after booting from a CD or another system.
Logical analysis - correct answer-Analysis involving using the native operating system, on
the evidence disk or a forensic duplicate, to peruse the data.
sweepers - correct answer-A kind of software that cleans unallocated space. Also called a
scrubber.
It is acceptable, when you have evidence in a vehicle, to stop for a meal, if the vehicle is
locked. - correct answer-FALSE
What Linux command can be used to create a hash? - correct answer-MD5sum
EnCase Format - correct answer-The EnCase format is a proprietary format that is defined
by Guidance Software for use in its forensic tool to store hard drive images and individual
