WGU C702 – FORENSICS AND NETWORK INTRUSION
EXAM COMPLETE QUESTIONS AND 100% VERIFIED
ANSWERS (LATEST VERSION)
1. What is digital forensics?
o The scientific process of identifying, preserving, analyzing, and
presenting digital evidence in a legally acceptable manner.
2. What are the four main phases of digital forensics?
o Collection, Examination, Analysis, and Reporting.
3. What is Locard's Exchange Principle in digital forensics?
o Every contact leaves a trace; when a crime is committed, there is
always a transfer of evidence between the perpetrator and the crime
scene.
4. What is a chain of custody?
o A documented chronological record that tracks the seizure,
custody, control, transfer, analysis, and disposition of evidence.
5. Why is chain of custody important?
o It ensures evidence integrity and admissibility in court by proving
the evidence hasn't been tampered with or altered.
6. What is write blocking in forensics?
o A technique that prevents any data from being written to a storage
device during forensic acquisition, ensuring the original evidence
remains unchanged.
7. What is a forensic image?
o A bit-by-bit copy of a storage device that captures all data, including deleted files and unallocated space.
8. What is the difference between physical and logical acquisition?
o Physical acquisition copies all data bit-by-bit including deleted
files; logical acquisition copies only active, accessible files.
9. What is hashing in digital forensics?
o Creating a unique digital fingerprint of data using algorithms like
MD5 or SHA to verify data integrity.
10. Why are hash values important in forensics?
o They prove that evidence hasn't been altered from the time it was collected to when it's presented in court.
11. What is volatile data?
o Data that is lost when power is removed, such as RAM contents, running processes, and network connections.
12. What is non-volatile data?
o Data that persists after power is removed, such as hard drive contents, USB drives, and solid-state storage.
13. What is the order of volatility?
o A guideline for collecting evidence from most volatile to least: registers/cache, RAM, network connections, running processes, disk storage, remote logs, physical configuration.
14. What is live forensics?
o The analysis of a system while it is still running to capture volatile data before shutdown.
15. What is dead forensics?
o Analysis performed on powered-off systems or forensic images.
16. What is slack space?
o Unused space in a disk cluster between the end of a file and the end of the cluster that may contain remnants of previous data.
17. What is unallocated space?
o Space on a storage device that is not currently allocated to any file and may contain deleted data.
18. What is file carving?
o The process of recovering files without using file system metadata by searching for file signatures and headers.
19. What is steganography?
o The practice of hiding data within other files, such as embedding a message in an image.
20. What is metadata?
o Data about data, including file creation dates, modification dates, author information, and file properties.
21. What is the difference between acquisition and analysis?
o Acquisition is the collection and preservation of evidence; analysis is the examination and interpretation of that evidence.
22. What is a forensic workstation?
o A specially configured computer used for examining digital evidence with write blockers and forensic software.
23. What is EnCase?
o A popular commercial digital forensics software suite used for acquiring and analyzing digital evidence.
24. What is FTK (Forensic Toolkit)?
o Another commercial forensics platform that provides comprehensive analysis capabilities.
25. What is Autopsy?
o An open-source digital forensics platform that provides a graphical interface to The Sleuth Kit.
26. What are file signatures?
o Unique byte patterns at the beginning of files (magic numbers) that identify file types regardless of extension.
27. What is timeline analysis?