WGU C702 Forensics and Network Intrusion — Practice Questions (OA + PA 2024)
1. During a forensic investigation, you find that a suspect’s workstation was used to transfer files
to an external USB device. Which Windows artifact is most reliable for determining the exact
USB serial number and first connection date?
A. SetupAPI.dev.log file ✓
B. Windows Event Viewer System logs
C. Prefetch files
D. Master File Table (MFT)
2. While analyzing network intrusion logs, you identify multiple SYN packets sent to different
ports on the same host without completing the TCP handshake. Which type of scan is most likely
taking place?
A. Xmas tree scan
B. TCP connect scan
C. SYN stealth scan ✓
D. FIN scan
3. A company’s IDS detects repeated SQL injection attempts on a public web application. Which
of the following would be the most appropriate immediate step for the incident responder?
A. Reboot the database server
B. Block the attacker’s IP address at the firewall ✓
C. Delete the web application logs
D. Notify all end-users immediately
4. You are reviewing a disk image and notice that unallocated space contains fragments of
deleted documents. Which forensic technique should you use to recover these files?
A. Data carving ✓
B. Live response analysis
C. File hashing
D. Reverse engineering
5. An attacker exploits a buffer overflow in a network service, gaining remote shell access. In
terms of the Cyber Kill Chain, which stage does this event most closely represent?
A. Reconnaissance
B. Weaponization
C. Exploitation ✓
D. Actions on objectives
6. In volatile memory analysis, which evidence is most critical for identifying active TCP
network connections at the time of acquisition?
A. Windows Registry hives
B. ARP cache
C. netstat output or memory dump of TCP table ✓
D. Prefetch data
7. An investigator uses hashdeep to compare file hashes from an acquired image to a database of
known malicious hashes. What forensic principle does this action support?
A. Chain of custody
B. Hash verification for integrity
C. Hash matching for identification ✓
D. Hash salting
8. During incident handling, the SOC team isolates an infected workstation from the corporate
network. Which NIST incident response phase does this action fall under?
A. Containment ✓
B. Eradication
C. Recovery
D. Identification
9. In email forensics, you are tasked with confirming whether an email claiming to be from the
CEO originated from the corporate mail server. Which header field is most relevant?
A. Subject
B. Received ✓
C. Message-ID
D. X-Mailer
10. A suspect claims that incriminating files found on their hard drive were “planted” through
malware. Which artifact would most likely disprove this claim?
A. Prefetch files indicating the suspect opened the files ✓
B. Windows Event Log