WGU C840 Digital Forensics: Final Exam Questions and Answers Updated 2024/2025 (Graded A+)
Computer Forensics - Answer The process of using scientific knowledge for collecting, analyzing, and presenting evidence to the courts. Deals primarily with the recovery and analysis of latent evidence.
Expert Report - Answer A formal document that lists the tests you conducted, what you found, and your conclusions. It also includes your curriculum vitae (CV), is very thorough, and tends to be very long. In most cases an expert cannot testify about anything not in his or her expert report.
Curriculum Vitae (CV) - Answer Like a resume, only much more thorough and specific to your work experience as a forensic investigator.
Deposition - Answer Testimony taken from a witness or party to a case before a trial; less formal than trial testimony and typically held in an attorney's office.
Digital Evidence - Answer Information that has been processed and assembled so that it is relevant to an investigation and supports a specific finding or determination.
Chain of Custody - Answer The continuity of control of evidence that makes it possible to account for everything that has happened to the evidence between its original collection and its appearance in court, preferably unaltered. Each hand-off is documented (who, when, why), and the item's cryptographic hash is recorded at acquisition and re-verified at each step to show that it was not modified.
Objectives of Computer Forensics - Answer Recover computer-based material; analyze computer-based material; present computer-based material.
Goals of Opposing Counsel in a Deposition - Answer To find out as much as possible about your position, methods, conclusions, and even your side's legal strategy; to get you to commit to a position you may not be able to defend later.
Real Evidence - Answer A physical object that someone can touch, hold, or directly observe. Examples include a laptop with a suspect's fingerprints on the keyboard, a hard drive, a universal serial bus (USB) drive, or a handwritten note.
Documentary Evidence - Answer Data stored as written matter, on paper or in electronic files; includes memory-resident data and computer files. Examples: e-mail messages, logs, databases, photographs, and telephone call-detail records.
Testimonial Evidence - Answer Information that forensic specialists use to support or interpret real or documentary evidence.
Demonstrative Evidence - Answer Information that helps explain other evidence. An example is a chart that explains a technical concept to the judge and jury.
Disk Forensics - Answer The process of acquiring and analyzing information stored on physical storage media, such as computer hard drives, smartphones, GPS systems, and removable media. Includes both the recovery of hidden and deleted information and the process of identifying who created a file or message.
E-mail Forensics - Answer The study of the source and content of e-mail as evidence. Includes the process of identifying the sender, recipient, date, time, and origination location of an e-mail message. Used to investigate harassment, discrimination, or unauthorized activities.
Network Forensics - Answer The process of examining network traffic, including transaction logs and real-time monitoring using sniffers and tracing.
Internet Forensics - Answer The process of piecing together where and when a user has been on the Internet.
Software Forensics - Answer The process of examining malicious computer code; also called malware forensics.
Live System Forensics - Answer The process of searching memory in real time, typically for working with compromised hosts or to identify system abuse.
Extended data out dynamic random access memory (EDO DRAM) - Answer Single-cycle EDO can carry out a complete memory transaction in one clock cycle. Otherwise, each sequential RAM access within the same page takes two clock cycles instead of three, once the page has been selected.
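The e-mail forensics item above says the examiner identifies the sender, date, time, and origination point of a message. In practice that comes from walking the Received headers, which each relay prepends, so the bottom-most one is closest to the origin. The following is an added example written for this page, not course material; the message, host names, and addresses are constructed, and the consistency checks (Reply-To versus From, origin identifying itself only by an IP literal) are the author's choice of common red flags.

```python
import email
import re
from email.utils import parseaddr, parsedate_to_datetime

# Constructed sample message (not from the course material). The topmost
# Received header was added by the final mail server; the bottom-most by the
# first relay the message passed through, so it is closest to the origin.
RAW_MESSAGE = b"""Received: from mx2.example.net (mx2.example.net [198.51.100.7])
\tby inbox.example.org with ESMTP id 7Ab; Tue, 5 Mar 2024 14:02:11 +0000
Received: from relay.example.com (relay.example.com [203.0.113.25])
\tby mx2.example.net with ESMTP id 3Cd; Tue, 5 Mar 2024 14:02:09 +0000
Received: from [192.0.2.44] (unknown [192.0.2.44])
\tby relay.example.com with ESMTPA id 9Ef; Tue, 5 Mar 2024 14:02:05 +0000
From: "Accounts Payable" <accounts@example.com>
Reply-To: collector@attacker.invalid
To: victim@example.org
Date: Tue, 5 Mar 2024 14:02:04 +0000
Message-ID: <abc123@example.com>
Subject: Invoice overdue

Please pay the attached invoice today.
"""

IPV4 = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def trace_path(raw):
    """Relay hops in delivery order (origin first).

    Each hop records the host that handed the message over ("from"), the IP
    the receiving server actually saw, the receiving server ("by") and the
    time that server stamped."""
    msg = email.message_from_bytes(raw)
    hops = []
    for value in msg.get_all("Received", []):
        m_ip = IPV4.search(value)
        m_by = re.search(r"\bby\s+(\S+)", value)
        stamp = value.rsplit(";", 1)[1].strip() if ";" in value else None
        hops.append({
            "from": re.search(r"from\s+(\S+)", value).group(1),
            "ip": m_ip.group(1) if m_ip else None,
            "by": m_by.group(1) if m_by else None,
            "time": parsedate_to_datetime(stamp) if stamp else None,
        })
    hops.reverse()  # headers are stacked newest-first; flip to origin-first
    return hops


def origin_ip(raw):
    """IP recorded in the earliest Received header: the best available clue
    to where the message entered the mail system."""
    hops = trace_path(raw)
    return hops[0]["ip"] if hops else None


def transit_seconds(raw):
    """Seconds between the first relay's stamp and the final server's stamp."""
    hops = trace_path(raw)
    return int((hops[-1]["time"] - hops[0]["time"]).total_seconds())


def header_mismatches(raw):
    """Inconsistencies that often indicate a forged or redirected message."""
    msg = email.message_from_bytes(raw)
    findings = []
    from_addr = parseaddr(msg.get("From", ""))[1]
    reply_addr = parseaddr(msg.get("Reply-To", ""))[1]
    from_dom = from_addr.rpartition("@")[2].lower()
    if reply_addr:
        reply_dom = reply_addr.rpartition("@")[2].lower()
        if reply_dom != from_dom:
            findings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
    hops = trace_path(raw)
    if hops and hops[0]["from"].startswith("["):   # no host name, only an address
        findings.append(f"Origin host identified itself only by IP literal {hops[0]['from']}")
    return findings


if __name__ == "__main__":
    for hop in trace_path(RAW_MESSAGE):
        print(f"{hop['from']:<22} ({hop['ip']}) -> {hop['by']} at {hop['time']}")
    print("origin:", origin_ip(RAW_MESSAGE), "transit:", transit_seconds(RAW_MESSAGE), "s")
    print(*header_mismatches(RAW_MESSAGE), sep="\n")
```

Only the Received headers added by servers you control (or can obtain logs from) are trustworthy; everything below the first trusted hop was supplied by the sender's side and can be forged, so the origin IP is a lead to corroborate against the relay's logs, not proof on its own.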
Asynchronous dynamic random access memory (ADRAM) - Answer Not synchronized to the CPU clock.
Synchronous dynamic random access memory (SDRAM) - Answer A replacement for EDO; synchronized to the CPU clock.
Double data rate (DDR) SDRAM - Answer A later development of SDRAM that transfers data on both the rising and the falling edge of the clock.
Read-only memory (ROM) - Answer Usually used for instructions embedded in chips; controls how the computer, option cards, peripherals, and other devices operate. Cannot be changed.
Programmable read-only memory (PROM) - Answer Can be programmed only once; data is not lost when power is removed.
Erasable programmable read-only memory (EPROM) - Answer Can be erased (with ultraviolet light) and reprogrammed; data is not lost when power is removed. Again, this is a technique for storing instructions on chips.
Electrically erasable programmable read-only memory (EEPROM) - Answer Erased and rewritten electrically, in place. This is how the instructions in your computer's BIOS are stored.
Small Computer System Interface (SCSI) - Answer Has been around for many years and is particularly popular in high-end servers. A SCSI chain must have a terminator at the end to work and is limited to 16 device IDs (one of which is the controller).
Integrated Drive Electronics (IDE) - Answer An older standard, but one that was commonly used on PCs for many years. A 40-pin connector on the drive tells you that you are dealing with this type of drive.
Parallel Advanced Technology Attachment (PATA) - Answer An enhancement of IDE. It uses the same 40-pin connector with either a 40-conductor (like IDE) or an 80-conductor ribbon cable.
Serial Advanced Technology Attachment (SATA) - Answer What you are most likely to find today; common in workstations and many servers. Does not have master/slave jumpers like IDE and EIDE.
Serial SCSI (SAS) - Answer An enhancement of SCSI that supports up to 65,535 devices (through expanders) and does not require termination.
Solid-state drives (SSD) - Answer Use microchips that retain data in non-volatile memory chips and contain no moving parts. Use NAND-based flash memory, which retains data even without power. Generally require one-half to one-third the power of hard disk drives. Forensic caveat: wear leveling and TRIM/garbage collection inside the drive controller can erase deleted data on their own, so recovery of deleted files is far less reliable than on magnetic disks.
Sector - Answer The basic unit of data storage on a hard disk, usually 512 bytes (4,096 bytes on Advanced Format drives).
Cluster - Answer A logical grouping of sectors, and the smallest unit the file system allocates to a file; can be 1 to 128 sectors in size.
Drive Geometry - Answer The functional dimensions of a drive in terms of the number of heads, cylinders, and sectors per track.
Slack Space - Answer The space between the end of a file and the end of the cluster, assuming the file does not occupy the entire cluster. This space can be used to hide data, and it can also retain fragments of whatever file previously occupied the cluster.
Low-level format - Answer Creates the structure of tracks and sectors on the platters (done at the factory on modern drives).
High-level format - Answer The process of setting up an empty file system on the disk (which defines the cluster size) and installing a boot sector. Sometimes referred to as a quick format. It does not erase the old file contents from the sectors, which is why data is often recoverable from a reformatted disk.
File Header - Answer The first bytes of a file (its signature or "magic number"), which identify the file type regardless of whether the extension has been changed.
Journaling - Answer The process whereby the file system keeps a record of what file transactions take place, so that after a crash or power loss the file system can be brought back to a consistent state.
Physical Journaling - Answer The system logs a copy of every block that is about to be written to the storage device, before it is written. The log also includes a checksum of those blocks, to make sure there is no error in writing the block.
Logical Journaling - Answer Only changes to file metadata are stored in the journal.
File Allocation Table (FAT) - Answer An older file system that was popular with Microsoft operating systems for many years. Stores file locations by cluster in a table called the file allocation table, which records which clusters are used by which files and which clusters are free.
Extended file system (EXT) - Answer The first file system created specifically for Linux. Its current descendant, ext4, supports volume sizes up to 1 exabyte and files up to 16 terabytes.
ReiserFS - Answer A journaling file system used primarily with Linux; open source and supported journaling from its inception.
The Berkeley Fast File System - Answer Also known as the UNIX file system (UFS); uses a bitmap to track free blocks, indicating which are available and which are not.
Anti-forensics - Answer The actions that perpetrators take to conceal their locations, activities, or identities.
Anti-Forensics Techniques - Answer Data destruction; data hiding; data transformation; data contraception; data fabrication; file system alteration.
Data Contraception - Answer Keeping data where a forensic specialist cannot analyze it, for example by operating only in memory so that nothing is written to disk.
Data Fabrication - Answer Planting false positives and false leads to send the investigation in the wrong direction.
File System Alteration - Answer Corruption of the data structures and files that organize data.
Fraud - Answer A broad category of crime that can encompass many different activities. Essentially, any attempt to gain financial reward through deception.
Data Piracy - Answer Distribution of illegally copied materials; frequently addressed through civil rather than criminal court.
Telephony Denial of Service (TDoS) - Answer Occurs when a call center or business receives so many inbound calls that the equipment and staff are overwhelmed and unable to do business.
Virus - Answer Any software that self-replicates; easy to locate, but hard to trace back to its author.
FakeAV86 - Answer Purports to be a free antivirus scanner but is really itself malware.
Flame - Answer Spyware specifically designed for espionage that can monitor network traffic and take screenshots of the infected system. Stores collected data in a local database that is heavily encrypted. Used a fraudulent Microsoft certificate to pass itself off as legitimately signed code.
The first step in investigating a virus - Answer Document the virus.
Rules of Evidence - Answer Govern whether, when, how, and why proof of a legal case can be placed before a judge or jury.
Federal Rules of Evidence (FRE) - Answer A code of evidence law governing the admission of facts by which parties in the U.S. federal court system may prove their cases. Rules 901 and 902 provide the guidelines for the authentication and identification of evidence for admissibility.
Life Span - Answer How long information is valid.
Bit-Level Information - Answer Information at the level of the actual 1s and 0s stored in memory or on the storage device, as opposed to going through the file system's interpretation.
File Slack Space - Answer Unused space between the logical end of file and the physical end of file (the end of the last allocated cluster).
Subclasses of Fraud - Answer Investment offers; data piracy.
Daubert standard - Answer The standard a trial judge uses to make a preliminary assessment of whether an expert's scientific testimony is based on reasoning or methodology that is scientifically valid and can properly be applied to the facts at issue.
The Federal Privacy Act of 1974 - Answer Establishes a code of information-handling practices that governs the collection, maintenance, use, and dissemination of information about individuals that is maintained in systems of records by U.S. federal agencies.
The Privacy Protection Act of 1980 - Answer Protects journalists from being required to turn over to law enforcement any work product and documentary materials, including sources, before it is disseminated to the public.
The Communications Assistance for Law Enforcement Act (CALEA) of 1994 - Answer A federal wiretap law originally for traditional wired telephony. It was expanded to include wireless, voice over packet, and other forms of electronic communications, including signaling traffic and metadata.
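Two of the items above describe where hidden data lives and how it is found: slack space (the unused tail of a file's last cluster) and the file header, which exposes a file whose extension was changed to disguise it, one of the data-hiding techniques listed under anti-forensics. The following is an added example written for this page, not course material. It assumes 512-byte sectors and 8-sector (4 KiB) clusters, a small signature table chosen by the author, and a constructed cluster and file set; a real examination would run the same logic over a forensic image with a much larger signature database.

```python
import os

SECTOR = 512                # bytes per sector on a legacy-format disk
SECTORS_PER_CLUSTER = 8     # 4 KiB clusters, the common NTFS default (assumed)
CLUSTER = SECTOR * SECTORS_PER_CLUSTER


def allocation(file_size, cluster=CLUSTER, sector=SECTOR):
    """Clusters allocated to a file and how its unused tail splits into RAM
    slack (rest of the last sector) and drive slack (remaining whole sectors)."""
    clusters = -(-file_size // cluster)         # ceiling division
    allocated = clusters * cluster
    slack = allocated - file_size
    ram_slack = (-file_size) % sector           # 0 when the file ends on a sector boundary
    return {"clusters": clusters, "allocated": allocated, "slack": slack,
            "ram_slack": ram_slack, "drive_slack": slack - ram_slack}


def carve_slack(last_cluster, file_size, cluster=CLUSTER):
    """Bytes after the logical end of file in the file's last cluster."""
    used = file_size % cluster
    if used == 0:                               # file fills the cluster exactly (or is empty)
        return b""
    return last_cluster[used:]


SIGNATURES = {                                  # file type -> magic bytes at offset 0
    "pdf": (b"%PDF-",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
    "zip": (b"PK\x03\x04",),                    # also docx/xlsx/pptx/jar/apk containers
    "exe": (b"MZ",),                            # Windows PE; also dll/sys (short magic, expect false hits)
    "elf": (b"\x7fELF",),
}
EXT_ALIASES = {"jpeg": "jpg", "docx": "zip", "xlsx": "zip", "pptx": "zip",
               "jar": "zip", "apk": "zip", "dll": "exe", "sys": "exe"}


def identify(data):
    """File type implied by the header bytes, or None if no known signature."""
    for ftype, magics in SIGNATURES.items():
        if any(data.startswith(m) for m in magics):
            return ftype
    return None


def check_extension(filename, data):
    """Compare the claimed extension with the type the header actually shows."""
    ext = os.path.splitext(filename)[1].lstrip(".").lower()
    detected = identify(data)
    expected = EXT_ALIASES.get(ext, ext)
    if detected is None:
        verdict = "unknown"
    elif detected == expected:
        verdict = "match"
    else:
        verdict = "mismatch"
    return ext, detected, verdict


def suspicious_files(files):
    """Names whose header contradicts the extension (a classic data-hiding move)."""
    return [name for name, data in files.items()
            if check_extension(name, data)[2] == "mismatch"]


# Constructed evidence: one 4 KiB cluster holding a 1000-byte text file with a
# string planted in its slack, plus a "photo" that is really an executable.
LAST_CLUSTER = b"A" * 1000 + b"\x00" * 24 + b"hidden: wallet seed 7x9q" + b"\x00" * (CLUSTER - 1048)
SAMPLE_FILES = {
    "vacation.jpg": b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 56,
    "report.pdf": b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n",
    "budget.docx": b"PK\x03\x04\x14\x00\x06\x00",
    "notes.txt": b"meeting moved to thursday\n",
}

if __name__ == "__main__":
    print(allocation(1000))
    print(carve_slack(LAST_CLUSTER, 1000).strip(b"\x00"))
    for name, data in SAMPLE_FILES.items():
        print(name, check_extension(name, data))
    print("suspicious:", suspicious_files(SAMPLE_FILES))
```

Slack carving reads the raw cluster bytes, which is why it has to be done on a bit-level image rather than through the file system; a copy made with normal file tools carries only the logical file and drops the slack entirely.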
The Electronic Communications Privacy Act of 1986 - Answer Governs the privacy and disclosure, access, and interception of content and traffic data related to electronic communications.
The Computer Security Act of 1987 - Answer Passed to improve the security and privacy of sensitive information in federal computer systems. Requires the establishment of minimum acceptable security practices, creation of computer security plans, and training of system users or owners of facilities that house sensitive information.
The Foreign Intelligence Surveillance Act of 1978 (FISA) - Answer Allows for collection of "foreign intelligence information" between foreign powers and agents of foreign powers using physical and electronic surveillance.
The Child Protection and Sexual Predator Punishment Act of 1998 - Answer Requires service providers that become aware of the storage or transmission of child pornography to report it to law enforcement.
The Children's Online Privacy Protection Act of 1998 (COPPA) - Answer Protects children under 13 years of age from the collection and use of their personal information by Web sites. Not to be confused with the Child Online Protection Act of 1998 (COPA), a separate law that was struck down as unconstitutional.
The Communications Decency Act of 1996 - Answer Designed to protect persons under 18 years of age from downloading or viewing material considered indecent. Subsequent court cases changed some of its definitions and penalties.
The Wireless Communications and Public Safety Act of 1999 - Answer Allows for collection and use of "empty" communications, meaning non-verbal and non-text communications such as GPS location information.
The Sarbanes-Oxley Act of 2002 - Answer Contains many provisions about record keeping and the destruction of electronic records relating to the management and operation of publicly held companies.
Denial of Service (DoS) Software - Answer Low Orbit Ion Cannon (LOIC, DoS); Trin00 and Tribal Flood Network (DDoS).
Identity Theft - Answer Any unauthorized use of another person's identity.
Ophcrack - Answer A tool that cracks local Windows passwords by attacking their hashes with rainbow tables. Its use may be indicated by a logout followed immediately by an administrator login.
Cyberstalking - Answer Using electronic communications to harass or threaten another person.
Swap File - Answer Might contain data that was live in memory and never written to the hard drive as a file. The swap file is used to extend random access memory (RAM) onto disk.
DoD Cyber Crime Center (DC3) - Answer Sets standards for digital evidence processing, analysis, and diagnostics; provides computer investigation training to forensic examiners, investigators, system administrators, and others.
The Digital Forensic Research Workshop (DFRWS) - Answer A nonprofit volunteer organization whose goal is to enhance the sharing of knowledge and ideas about digital forensics research.
DFRWS Framework Classes - Answer Identification; preservation; collection; examination; analysis; presentation.
Event-Based Digital Forensics Investigation Framework - Answer Readiness phase; deployment phase; physical crime scene investigation phase; digital crime scene investigation phase.
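The chain of custody item near the top of this list and the DFRWS "preservation" class above both come down to the same mechanical check: hash the evidence at acquisition, record the hash with every hand-off, and re-verify before presenting it. The following is an added example written for this page, not course material; the evidence bytes, item ID, names, and timestamps are constructed, and the log format is the author's own rather than any agency's standard form.

```python
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed sample evidence (not from the course material): stands in for the
# raw bytes of an acquired disk image such as evidence.dd.
SAMPLE_IMAGE = b"\x00" * 512 + b"Quarterly report - CONFIDENTIAL\n" + b"\xff" * 512


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


@dataclass
class CustodyEntry:
    when: str        # UTC timestamp of the event
    who: str         # examiner or custodian performing it
    action: str      # acquired / transferred / examined / returned
    sha256: str      # hash of the evidence as verified at that moment


@dataclass
class ChainOfCustody:
    item_id: str
    entries: list = field(default_factory=list)

    def record(self, who, action, evidence, when=None):
        """Log a hand-off. The hash is recomputed from the bytes actually
        received, never copied forward from the previous entry."""
        stamp = when or datetime.now(timezone.utc).isoformat(timespec="seconds")
        digest = sha256_hex(evidence)
        self.entries.append(CustodyEntry(stamp, who, action, digest))
        return digest

    def verify(self, evidence):
        """(True, None) if every entry carries the acquisition hash and the
        evidence still hashes to it; otherwise (False, index) of the first
        entry that breaks the chain, or len(entries) if the evidence itself
        no longer matches."""
        if not self.entries:
            return False, None
        baseline = self.entries[0].sha256
        for i, entry in enumerate(self.entries):
            if entry.sha256 != baseline:
                return False, i
        if sha256_hex(evidence) != baseline:
            return False, len(self.entries)
        return True, None

    def report(self):
        """Plain-text custody log for inclusion in an expert report."""
        lines = [f"Item {self.item_id}"]
        for e in self.entries:
            lines.append(f"{e.when}  {e.action:<12} {e.who:<20} sha256={e.sha256}")
        return "\n".join(lines)


def demo():
    """Intact chain, then the same chain checked against a bit-flipped copy."""
    chain = ChainOfCustody("HDD-0042")
    chain.record("J. Doe (examiner)", "acquired", SAMPLE_IMAGE, "2024-03-05T09:00:00+00:00")
    chain.record("Evidence clerk", "transferred", SAMPLE_IMAGE, "2024-03-05T11:30:00+00:00")
    intact = chain.verify(SAMPLE_IMAGE)
    tampered = bytearray(SAMPLE_IMAGE)
    tampered[600] ^= 0x01                       # one flipped bit in the working copy
    altered = chain.verify(bytes(tampered))
    return intact, altered


if __name__ == "__main__":
    print(demo())
```

Because every entry re-hashes the bytes it actually received, a custodian who logs a modified copy produces a mismatched entry, and `verify` points at that entry rather than merely reporting that the image is bad; that is the "account for everything that happened to it" property the definition asks for. Work on a verified copy and keep the original write-blocked, so a failed check at examination time implicates the copy, not the evidence.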
Written for
- Institution: Western Governors University
- Course: WGU C840 - Digital Forensics (WGUC840)
Document information
- Uploaded on: 15 April 2024
- Number of pages: 25
- Written in: 2023/2024
- Type: Exam (worked answers)
- Contains: Questions and answers
Topics: wgu c840; digital forensics; wgu c840 final exam questions and answers