EXAM OBJECTIVE ASSESSMENT AND PRE-ASSESSMENT
2025/2026
Rule under which 'authenticating or identifying evidence' comes. - answer- : Rule 901
Knowledgeable persons called to testify to the accuracy of the investigative process. - answer- : Expert
witnesses
A critical document in the computer forensics investigation process providing legal validation of
appropriate evidence handling. - answer- : Chain of custody
Launched by NIST to establish a methodology for testing computer forensics software tools. - answer- :
Computer Forensic Tool Testing Project (CFTTP)
NOT a digital data storage type. - answer- : Quantum storage devices
NOT a common computer file system. - answer- : EFX3
Refers to field type as primary Number 1. - answer- : Volume descriptor
Logical drive that holds the information regarding the data and files stored in the disk. - answer- :
Extended partition
Stores information about the partitions present on the hard disk and is 64-byte. - answer- : Partition
table structure size
Uses 32 bits for storing LBAs (Logical Block Addresses) and size information on a 512-byte sector. -
answer- : MBR partition scheme
Contains the Partition Entry Array in the GUID Partition Table. - answer- : LBA 2
Describes when the user restarts the system via the operating system. - answer- : Warm booting
Starts up using either the traditional BIOS-MBR method or the newer UEFI-GPT method. - answer- :
Windows 8 boot method
Phase of EFI consisting of initializing the CPU, temporary memory, and boot firmware volume. - answer-
: PEI (Pre-EFI Initialization) Phase
Basic partitioning tool that displays details about the GPT partition tables in Windows OS. - answer- :
DiskPart
Stage that includes the task of loading the Linux kernel and optional initial RAM disk. - answer- : Linux
boot process
The initial stage in the boot process of a computer. - answer- : Bootloader Stage
A component of a typical FAT32 file system that the document framework uses to get to the volume and
utilizes the framework parcel to load the working portion documents. - answer- : Boot Sector
The computer system file driver for NTFS architecture. - answer- : Ntfs.sys
An abstract layer that resides on top of a complete file system, allowing client applications to access
various file systems, consisting of a dispatching layer and numerous caches. - answer- : Virtual File
System (VFS)
Information held by the superblock that contains major and minor items allowing the mounting code to
determine whether supported features are available to the file system. - answer- : Revision Level
A file system used in Linux developed by Stephen Tweedie in 2001 as a journaling file system that
improves reliability. - answer- : Ext3
A file system that uses 16 bit values to address allocation blocks. - answer- : HFS
A part of the UFS file system composed of a few blocks in the partition reserved at the beginning. -
answer- : Boot blocks
A method of addressing that determines the address of the individual sector on the disk. - answer- :
Cylinders, Heads, and Sectors (CHS)
Mac OS uses a hierarchical file system. - answer- : True (Mac OS Hierarchical File System)
The main advantage is that if a single physical disk fails, the system will continue to function without loss
of data. - answer- : RAID
The command 'fsstat' does not display the details associated with an image file. - answer- : False (fsstat
command)
The simplest RAID level that does not involve redundancy and fragments the file into the user-defined
stripe size of the array. - answer- : RAID 0
NOT a mistake that investigators commonly make while collecting data from the system. - answer- : Use
of correct cables and cabling techniques
Built-in Linux commands used by forensic investigators to copy data from a disk drive. - answer- : dd and
dcfldd
Information in the registers or the processor cache is the most volatile data because it is always
changing. - answer- : True (volatile data)
Involves creating a file that has every bit of information from the source in a raw bit-stream format. -
answer- : True (forensic data duplication)
The process of acquiring volatile data from working computers that are already powered on, whether
locked or in sleep condition. - answer- : Live data acquisition
Location where deleted items are stored on Windows Vista and later versions. - answer- : Drive;\
Location where deleted items are stored on Windows 98 and earlier versions. - answer- :
Drive:\RECYCLED
Location where deleted items are stored on Windows 2000, XP, and NT versions. - answer- :
Drive:\RECYCLER
Maximum size limit for the Recycle Bin in Windows prior to Windows Vista. - answer- : 3.99GB
Tool that does NOT support recovering files from a network drive. - answer- : Recover My Files tool
Tool used for format recovery, unformatting, and recovering deleted files emptied from the Recycle Bin.
- answer- : EaseUS
Tool that undeletes and recovers lost files from hard drives, memory cards, and USB flash drives. -
answer- : Disk Digger
Tool that recovers files that have been lost, deleted, corrupted, and even deteriorated. - answer- : Quick
Recovery
Tool that recovers lost data from hard drives, RAID, photographs, deleted files, iPods, and removable
disks. - answer- : Total Recall
Tool that scans the entire system for deleted files and folders and recovers them. - answer- : Advanced
Disk Recovery