Cybersecurity | Exam Questions & Verified Practice Answers (Latest Update)
Description: This document contains comprehensive study and exam preparation
materials for WGU Course C840: Digital Forensics in Cybersecurity. It includes
practice questions with verified correct answers covering core digital forensics
concepts such as evidence acquisition, chain of custody, forensic imaging, data
recovery, file system analysis, network forensics, and investigative procedures. The
material is designed to support exam readiness, course review, and mastery of
foundational cybersecurity forensic principles.
WGU C840 – Digital Forensics in Cybersecurity: Complete C840 Study Guide
This guide covers the core competencies most commonly assessed in the Objective
Assessment (OA) for WGU C840.
Scenario-Based Review
1. Order of Volatility
Scenario: You arrive at a scene where a computer is powered on and connected to
the network. Sensitive information may be stored in memory.
Question: What should be collected first?
Correct Answer: Volatile evidence (RAM).
Why: RAM contents disappear when power is lost. Hard drive data can be collected
later.
Remember:
1. CPU cache/registers
2. RAM
3. Network connections
4. Running processes
5. Temporary files
6. Hard drives
7. Remote logs
8. Backups
2. Chain of Custody
Scenario: An investigator collects a laptop but forgets to document when it changed
hands between analysts.
Question: What is the concern?
Correct Answer: The chain of custody has been compromised.
Why: The defense could argue that evidence was altered or mishandled.
Chain of custody records should include:
● Who collected it
● When it was collected
● Description of evidence
● Every transfer
● Reason for transfer
3. Hashing
Scenario: An examiner creates a forensic image of a hard drive.
Question: How can they prove the image is identical to the original?
Correct Answer: Compare hash values.
Example:
● Original SHA-256 hash: ABC123
● Image SHA-256 hash: ABC123
Matching hashes indicate integrity.
Exam Tip:
Hashing detects changes but does not encrypt data.
4. Physical vs. Logical Acquisition
Scenario: Investigators need access to deleted files and unallocated space.
Question: Which acquisition method should be used?
Correct Answer: Physical acquisition.
Physical Acquisition:
● Entire disk
● Deleted files
● Slack space
● Unallocated space
Logical Acquisition:
● Active files only
● Faster
● Less comprehensive
5. Write Blockers
Scenario: You need to examine a suspect's hard drive without modifying it.
Question: What device should be used?
Correct Answer: A write blocker.
Purpose:
Prevents accidental writes to evidence.
6. Windows Artifacts
Scenario: Investigators want to know whether a program was executed recently.
Question: Which artifact would be most useful?
Correct Answer: Prefetch files.
Other Important Artifacts:
Artifact      Purpose
Event Logs    System/security activity