WGU - D431 DIGITAL FORENSICS IN CYBERSECURITY EXAM (TERMS)2024 WITH 100% CORRECT ANSWERS

1 | P a g e WGU - D431 DIGITAL FORENSICS IN CYBERSECURITY EXAM (TERMS)2024 WITH 100% CORRECT ANSWERS Hosted Protected Area (HPA) - Answer: Designed as an area where computer vendors could store data that is protected from user activities and operating system utilities, such as delete and format. To hide data in the HPA, a person would need to write a program to access the HPA and write the da ta. Master Boot Record (MBR) - Answer: Requires only a single sector, leaving 62 empty sectors of MBR space for hiding data. V olume Slack - Answer: This is the space that remains on the hard drive if the partitions do not use all the available space. For example, suppose that two partitions are filled with data. When you delete one of them, its data is not actually deleted but hidden. Unallocated Space - Answer: An operating system can't access any unallocated space in a partition. That space may contain hidden data. Good blocks marked as bad - Answer: Unused blocks can be manipulated by marking as bad in the metadata. OS would not be able to access these blocks and can be used to hide data. File Slack - Answer: Unused space that is created between the end of the file and the end of the last data cluster assigned to the file. Advanced Forensic Format (AFF) - Answer: Stores all data and metadata in a single file. AFM: Stores data and the metadata in separate files and AFD stores data and metadata in multiple small files. Part of the AFF library and toolkit which is a set of open -source computer forensic programs. Sleuth Kit and Autopsy both support this file format . EnCase - Answer: a proprietary format that is defined by Guidance Software for use in its Encase tool to store hard drive images and individual files. Allows an ethernet cable or null modem cable to be connected to a suspect machine to view the data within machine. 2 | P a g e Evidence File - Answer: An exact copy of the hard drive, Encase calculates an MD5 hash when the drive is acquired. This hash is used to check for changes, alternations or errors. Forensic Toolkit - Answer: - from Access Data. Another widely used forensic analysis tool, popular with law enforcement. Useful for password cracking such as password protected PDF files. Also provides tools to search and analyze the Windows Registry. Disk Forensics - Answer: The process of acquiring and analyzing information stored on physical storage media, such as computer hard drives or smartphones. Includes the recovery of hidden and deleted information and the process of identifying who created the file/message. Email forensics - Answer: The study of source and content of email as evidence. Includes the process of identifying the sender, recipient, date, time and origination location of an email message. Can be used to identify harassment, discrimination or unauthorized activities. Network Forensics - Answer: The process of examining network traffic, including transaction logs and real -time monitoring using sniffers and tracing. Internet Forensics - Answer: The process of piecing together where and when a user has been on the Internet Software Forensics - Answer: Also known as malware forensics, the process of examining malicious computer code. Live System Forensics - Answer: The process of searching memory in real time, typically for working with compromised hosts or to identify system abuse. 3 | P a g e Cellphone Forensics - Answer: The process of searching the contents of a cell phone. Phone forensics include V oIP, traditional phones and may overlap the Foreign Intelligence Surveillance Act of 1978 (FISA), the USA Patriot Act and Communications Assistance for Law Enforcement Act (CAL EA) in the United States. Chain of Custody - Answer: The most important principle in any forensic effort. The chain of physical custody must be maintained. From the time evidence is seized by a law enforcement office or civilian investigator until the moment it is shown in court, the whereabouts and custody of evidence and how it was handled and stored and by whom, must be shown at all times. Can make evidence inadmissable at court if fail to follow Chain of Command. Don't Touch the Suspect Drive - Answer: It's very important to the touch the system as little as possible due to the chance of making changes to the system in the process of examining it. Must make a forensic copy and work with copy using major forensic tools such as AccessData's Forensic Toolki t, Encase or OSForensics Document Trail - Answer: Documenting all aspects of the investigation, who was present when device was seized? Connected peripherals and what was displayed on screen while seized. Who had access to evidence during time of seizure until the time of trial. Secure the Evidence - Answer: It is critical to keep the integrity of investigation as well to maintain the chain of custody that you secure the evidence. Forensic lab must be in a locked room to access only to those who need to enter and secured in a safe. This is prevent evidence tampering. Daubert Standard - Answer: Standard used by a trial judge to make a preliminary assessment of whether an expert's scientific testimony is based on reasoning or methodology that is scientifically valid and can properly be applied to the facts at issue. Any scientific evidence present ed in a trial has to have been reviewed and tested by the relevant scientific community. For a computer forensics investigator, that means any tools, techniques or processes you utilize in your investigation should be ones that are widely accepted in compu ter forensics community. The Federal Privacy Act of 1974 - Answer: establishes a code of information -handling practices that governs the collection, maintenance, use and dissemination of information about individuals that is maintained in the systems of records by US federal agencies.