TEST BANK
1. In digital forensics, the primary purpose of hashing a forensic image is to:
A. Compress the data for storage efficiency
B. Verify the integrity of the data ✔
C. Encrypt the data for confidentiality
D. Increase processing speed
2. Which of these hashing algorithms was the first to be deprecated for evidence verification because practical collisions were demonstrated?
A. SHA-256
B. SHA-1
C. MD5 ✔
D. SHA-512
3. The term chain of custody refers to:
A. A set of security controls for a network
B. Documented history of evidence handling ✔
C. A tool for hashing and imaging data
D. A physical lock used in data centers
4. Which tool is most commonly used for network packet capture and analysis?
A. FTK Imager
B. Volatility
C. Wireshark ✔
D. Autopsy
5. Which of the following is a volatile source of evidence?
A. External hard drive
B. System RAM ✔
C. Network cable
D. DVD-ROM
6. The process of acquiring digital evidence without altering the original data is called:
A. Data sanitization
B. Forensic imaging ✔
C. Encryption
D. Disk wiping
7. Which Linux command is commonly used to compute an MD5 hash?
A. hashgen
B. md5sum ✔
C. hashcalc
D. chksum
8. What is the first step in the digital forensic process according to standard models?
A. Analysis
B. Identification ✔
C. Documentation
D. Preservation
9. The write blocker in forensics is used to:
A. Prevent malware from executing
B. Prevent modification of the original evidence ✔
C. Encrypt forensic images
D. Speed up imaging process
10. In Windows, the NTUSER.DAT file primarily stores:
A. Boot configuration
B. User-specific registry settings ✔
C. Network logs
D. Pagefile data
11. Which file system is used by most modern Windows systems?
A. FAT32
B. NTFS ✔
C. EXT4
D. HFS+
12. The order of volatility suggests you should collect which data type first?
A. Removable drives
B. Cache and RAM ✔
C. Email archives
D. Server backups
13. A forensic image is:
A. A compressed copy of only active files
B. A sector-by-sector copy of a storage medium ✔
C. An index of file locations
D. An encrypted version of evidence
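Worked example for items 1, 2, 7 and 13 above (integrity hashing, deprecated algorithms, md5sum and sector-by-sector imaging). This is an added illustration, not code from the test bank or from any forensic tool. It builds a constructed "device" as a temporary file, copies it sector by sector into an image, hashes both with MD5 and SHA-256, and shows that flipping one byte of the image makes verification fail. SECTOR_SIZE, the 4 MiB device size and the tamper offset are assumptions chosen for the demonstration.

```python
"""Added example (not part of the original test bank): sector-by-sector imaging
of a constructed 'device' file plus hash verification of the resulting image.
No real disk is read or written; everything lives in a temporary directory."""
import hashlib
import os
import tempfile

SECTOR_SIZE = 512  # classic sector size; an assumption for this example


def hash_file(path, algorithms=("md5", "sha256")):
    """Hash a file in 1 MiB reads so it works for images far larger than RAM.
    MD5 is kept only for compatibility with older tool output; SHA-256 is the
    value to rely on, since MD5 (and SHA-1) collisions are practical today."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(SECTOR_SIZE * 2048), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def image_device(device_path, image_path):
    """Copy every sector, allocated or not, from device to image.
    The source is opened strictly read-only (the software-side analogue of a
    hardware write blocker). Returns the number of sectors copied."""
    sectors = 0
    with open(device_path, "rb") as src, open(image_path, "wb") as dst:
        while True:
            sector = src.read(SECTOR_SIZE)
            if not sector:
                break
            dst.write(sector)
            sectors += 1
    return sectors


def verify_image(device_path, image_path):
    """True only if every recorded digest of the image matches the source."""
    return hash_file(device_path) == hash_file(image_path)


def demo(tamper=False):
    """Build a constructed 4 MiB device (8192 sectors), image it and verify it.
    With tamper=True one byte of the image is altered afterwards, which must
    make verification fail. Returns (sectors_copied, verified)."""
    with tempfile.TemporaryDirectory() as tmp:
        device = os.path.join(tmp, "device.bin")
        image = os.path.join(tmp, "device.dd")
        with open(device, "wb") as f:
            # deterministic constructed content: a label per sector, zero padded
            for i in range(8192):
                f.write((b"sector%08d" % i).ljust(SECTOR_SIZE, b"\x00"))
        sectors = image_device(device, image)
        if tamper:
            with open(image, "r+b") as f:
                f.seek(1000)          # inside sector 1, in its zero padding
                f.write(b"\x01")
        return sectors, verify_image(device, image)


if __name__ == "__main__":
    print("clean image:   ", demo())             # (8192, True)
    print("tampered image:", demo(tamper=True))  # (8192, False)
```

On a real Linux host the same check is `md5sum`/`sha256sum` run over the device and the image produced by `dd` or a forensic imager; the point the exercise makes is that a single changed byte anywhere in the image changes the digest, which is why the hash is recorded in the chain-of-custody documentation at acquisition time.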
14. Which tool specializes in memory analysis?
A. Volatility ✔
B. Autopsy
C. EnCase
D. FTK Imager
15. When analyzing packet captures, which protocol is typically used for secure web traffic?
A. HTTP
B. HTTPS ✔
C. FTP
D. Telnet
16. Which network attack involves sending falsified ARP messages?
A. DDoS
B. ARP spoofing ✔
C. SQL Injection
D. Port scanning
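Worked example for item 16 (ARP spoofing). This is an added illustration, not part of the test bank or any capture tool: it runs two simple detections over a constructed list of ARP replies that stands in for the time, sender-IP and sender-MAC columns one would export from a packet capture. The addresses and timestamps are invented for the example.

```python
"""Added example (not from the original test bank): flagging ARP spoofing in a
sequence of ARP replies. The records below are constructed, not captured."""
from collections import defaultdict

# (timestamp in seconds, sender IP, sender MAC) for each ARP reply seen.
ARP_REPLIES = [
    (0.0, "192.168.1.1", "aa:bb:cc:00:00:01"),   # legitimate gateway
    (1.2, "192.168.1.20", "aa:bb:cc:00:00:20"),  # legitimate workstation
    (2.5, "192.168.1.1", "aa:bb:cc:00:00:01"),
    (3.1, "192.168.1.1", "de:ad:be:ef:00:99"),   # attacker claims gateway IP
    (3.2, "192.168.1.20", "de:ad:be:ef:00:99"),  # and the victim's IP (MITM)
    (4.0, "192.168.1.1", "de:ad:be:ef:00:99"),
]


def detect_arp_spoofing(replies, static_table=None):
    """Alert whenever an IP is claimed by a MAC different from the one already
    recorded for it. The first sighting is trusted unless a static IP-to-MAC
    table is supplied; in practice the gateway's MAC should always be pinned."""
    table = dict(static_table or {})
    alerts = []
    for ts, ip, mac in replies:
        expected = table.setdefault(ip, mac)
        if expected != mac:
            alerts.append({"time": ts, "ip": ip,
                           "expected": expected, "observed": mac})
    return alerts


def macs_claiming_multiple_ips(replies):
    """Map each MAC to the set of IPs it answered for and keep only MACs with
    more than one; answering for both ends is typical of a man-in-the-middle."""
    claims = defaultdict(set)
    for _, ip, mac in replies:
        claims[mac].add(ip)
    return {mac: ips for mac, ips in claims.items() if len(ips) > 1}


if __name__ == "__main__":
    for alert in detect_arp_spoofing(ARP_REPLIES):
        print("IP/MAC conflict:", alert)
    print("MACs claiming several IPs:", macs_claiming_multiple_ips(ARP_REPLIES))
```

The conflict check is what tools such as Wireshark's "duplicate use of IP detected" warning and arpwatch do; the second check catches the attacker even when the first reply the sensor saw was already the spoofed one.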
17. In forensics, slack space refers to:
A. Empty space at the end of a storage device
B. Unused space in a cluster after a file is saved ✔
C. Space occupied by hidden partitions
D. Memory space reserved for swap files
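Worked example for item 17 (slack space). This is an added illustration, not code from the test bank or from any file system: a toy cluster-addressed volume that, like FAT and NTFS, writes only a file's own bytes and never scrubs the rest of the final cluster. It computes the slack size for a given file size and then shows that a small file written over a "deleted" larger one leaves readable remnants of the old content in its slack. The 4096-byte cluster size and the sample contents are assumptions.

```python
"""Added example (not part of the original test bank): computing file slack
and recovering leftover data from it on a simulated cluster-based volume."""

CLUSTER_SIZE = 4096  # assumed cluster size for this example


def slack_bytes(file_size, cluster_size=CLUSTER_SIZE):
    """Bytes left unused in the last cluster after the file's data.
    A zero-length file owns no cluster, so it has no slack."""
    if file_size == 0:
        return 0
    return (-file_size) % cluster_size


class ToyVolume:
    """Minimal volume addressed by cluster number. Writes touch only the
    bytes of the file being stored, exactly as a real file system does."""

    def __init__(self, clusters, cluster_size=CLUSTER_SIZE):
        self.cluster_size = cluster_size
        self.disk = bytearray(clusters * cluster_size)

    def write_file(self, start_cluster, data):
        """Store data starting at a cluster; return clusters allocated."""
        start = start_cluster * self.cluster_size
        self.disk[start:start + len(data)] = data
        return -(-len(data) // self.cluster_size)

    def read_slack(self, start_cluster, file_size):
        """Return the bytes between the end of the file and the end of its
        last cluster, which is what a forensic tool carves as file slack."""
        start = start_cluster * self.cluster_size
        end = start + file_size
        return bytes(self.disk[end:end + slack_bytes(file_size, self.cluster_size)])


def demo():
    """Write a 4800-byte 'report' (2 clusters), 'delete' it by simply reusing
    the space, then store a 13-byte note there and inspect the note's slack.
    Returns (slack size of the note, whether old report text is in it)."""
    vol = ToyVolume(4)
    report = b"OLD CONFIDENTIAL REPORT " * 200   # constructed content
    vol.write_file(0, report)
    note = b"shopping list"                       # constructed content
    vol.write_file(0, note)
    slack = vol.read_slack(0, len(note))
    return slack_bytes(len(note)), b"CONFIDENTIAL" in slack


if __name__ == "__main__":
    print("slack size, old data present:", demo())  # (4083, True)
```

The same reasoning applies to real volumes: a 13-byte file on a 4 KiB-cluster NTFS volume carries 4083 bytes of slack, and whatever previously occupied that cluster stays there until the bytes are overwritten, which is why examiners carve slack and why secure deletion must wipe whole clusters rather than just file contents.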
18. A live acquisition of a system:
A. Can be done without powering on the system
B. Captures volatile data from a running system ✔
C. Is always more accurate than dead acquisition
D. Does not require chain of custody
19. Which log file in Windows often contains login attempts?
A. AppEvent.log
B. Security.evtx ✔
C. Netlogon.log
D. Bootlog.txt
20. A honeypot is used in network security to:
A. Store backup data securely
B. Lure and analyze attackers ✔
C. Encrypt sensitive data
D. Block network ports
21. Which of the following is NOT a standard forensic file format?
A. E01
B. RAW
C. ZIP ✔
D. AFF
22. A MAC address is primarily used to identify:
A. A network's location on the internet
B. A device's physical network interface ✔