WGU C702 FORENSICS AND NETWORK INTRUSION
FINAL EXAM COMPLETE ACTUAL EXAM REAL
QUESTIONS AND CORRECT DETAILED ANSWERS
(CORRECT VERIFIED ANSWERS) LATEST UPDATED
VERSION |ALREADY GRADED A+ (REVISED EXAM)
Stego-only - ANSWER: Only the stego-object is available for analysis.
Known cover attack - ANSWER: The stego-object as well as the original medium is
available. The stego-object is compared with the original cover object to detect any
hidden information.
Known message attack - ANSWER: The hidden message and the corresponding
stego-image are known. The analysis of patterns that correspond to the hidden
information could help decipher such messages in the future.
Chosen stego attack - ANSWER: The steganography algorithm and stego-object are
known.
Chosen message attack - ANSWER: The steganalyst generates a stego-object from
some steganography tool or algorithm of a chosen message. The goal in this attack is
to determine patterns in the stego-object that may point to the use of specific
steganography tools or algorithms.
Which hexadecimal value should an investigator search for to find JPEG? - ANSWER: 0xFFD8 -
Joint Photographic Experts Group
Which computer crime forensics step requires an investigator to duplicate and image
the collected digital information? - ANSWER: Acquiring data
A computer forensic investigator finds an unauthorized wireless access point
connected to an organization's network switch. This access point's wireless network
has a random name with a hidden service set identifier (SSID). - ANSWER: Create a
backdoor that a perpetrator can use by connecting wirelessly to the network
Which web-based application attack corrupts the execution stack of a web
application? - ANSWER: Buffer overflow
Known-stego - ANSWER: The hidden message and the corresponding stego-image
are known
During the communication process, active attackers can change cover
Original and stego-object are available and the steganography algorithm is known
Only the steganography medium is available for analysis
Which path should a forensic investigator use to look for system logs in a Mac? -
ANSWER: /var/log/
Which tool should a forensic investigator use on a Windows computer to locate all
the data on a computer disk, protect evidence, and create evidentiary reports for
use in legal proceedings? - ANSWER: ProDiscover
Which tool should a forensic team use to research unauthorized changes in a
database? - ANSWER: ApexSQL DBA
Which graphical tool should investigators use to identify publicly available
information about a public IP address? - ANSWER: SmartWhois
A first responder arrives at an active crime scene that has several mobile devices.
What should this first responder do while securing the crime scene? - ANSWER:
Leave the devices as found and fill out chain of custody paperwork
A network log from a remote system is entered into evidence, and the proper steps
are taken to protect the integrity of the data. The log contains network intrusion
data but does not contain any information about the log. - ANSWER: Name of the
server
A Mac computer that does not have removable batteries is powered on. Which
action must a first responder take to preserve digital evidence from the computer
once volatile information is collected? - ANSWER: Press the power switch for 30
seconds
First responders arrive at a company and determine that a non-company Windows 7
computer was used to breach information systems. The computer is still powered
on. What is the correct procedure for powering off this computer once the volatile
information has been collected? - ANSWER: Unplug the electrical cord from the wall
socket
RAID 0 - ANSWER: (also known as a stripe set or striped volume) splits ("stripes") data
evenly across two or more disks, without parity information, redundancy, or fault
tolerance.
RAID 1 - ANSWER: consists of an exact copy (or mirror) of a set of data on two or
more disks; a classic RAID 1 mirrored pair contains two disks. This configuration
offers no parity, striping, or spanning of disk space across multiple disks.
RAID 2 - ANSWER: Stripes data at the bit (rather than block) level, and uses
dedicated Hamming-code parity. OBSOLETE.
RAID 3 - ANSWER: Information is written at byte level across multiple drives, but only
one is dedicated for parity. Rarely used in practice, consists of byte-level striping
with a dedicated parity disk.