(LATEST UPDATE 2026/2027)
CYBERSECURITY ARCHITECTURE AND ENGINEERING | QUESTIONS AND ANSWERS | GRADE A | 100% CORRECT (VERIFIED SOLUTIONS)
Questions 1–100
1. A security team notices traffic coming from a country
where the organization does not have any business
operations. Which of the following could this be an indicator
of?
A. High call volume
B. Odd network traffic
C. Geographic anomalies
D. Unauthorized changes
Correct Answer: C. Geographic anomalies
Rationale: Geographic anomalies occur when network traffic originates from
unexpected or unauthorized geographic regions. This can indicate malicious activity
such as botnets, compromised systems, or attackers attempting to evade detection.
Organizations often restrict or monitor traffic based on geographic location. Identifying
anomalies early helps reduce exposure to external threats.
2. A forensic analyst is creating a copy of evidence. Which
stage of the forensics process is this a part of?
A. Identification
B. Analysis
C. Collection
D. Presentation
Correct Answer: C. Collection
Rationale: The collection stage focuses on acquiring and preserving digital evidence
in a forensically sound manner. Creating copies ensures the original evidence remains
unchanged for legal and investigative purposes. Proper collection maintains chain of
custody and evidence integrity. Any alteration at this stage can compromise
admissibility in court.
3. A forensic analyst is creating a copy of a hard drive to
preserve evidence and uses hashing to ensure integrity.
Which stage of the forensics process does this belong to?
A. Identification
B. Analysis
C. Collection
D. Presentation
Correct Answer: C. Collection
Rationale: Hashing during evidence duplication confirms that the copied data is
identical to the original. This process is part of evidence collection because it ensures
integrity before analysis begins. Hash values are later rechecked to prove no
tampering occurred. This is a foundational principle of digital forensics.
4. A first responder secures a crime scene where digital
evidence may be present. Their first priority is ensuring
personnel safety. Which stage is this?
A. Identification
B. Analysis
C. Collection
D. Presentation
Correct Answer: A. Identification
Rationale: The identification stage involves recognizing potential sources of digital
evidence while ensuring safety and preventing contamination. Securing the scene and
protecting people come before collecting devices or data. Failure to properly identify
evidence sources can lead to loss or corruption. This stage sets the foundation for the
entire investigation.
5. A forensic expert interprets data from a suspect’s device,
examining file structures and signs of tampering. Which
stage is this?
A. Identification
B. Analysis
C. Collection
D. Presentation
Correct Answer: B. Analysis
Rationale: The analysis stage involves examining collected evidence to uncover facts
and patterns related to an incident. Activities include file system review, timeline
analysis, and detection of unauthorized changes. This stage transforms raw data into
meaningful findings. Accuracy here directly impacts investigative conclusions.
6. A forensic investigator prepares a report detailing tools,
methods, and findings for court. Which stage is this?
A. Identification
B. Analysis
C. Collection
D. Presentation
Correct Answer: D. Presentation
Rationale: The presentation stage focuses on communicating findings clearly to
stakeholders such as management or courts. Reports must be accurate, repeatable,
and defensible. Documentation ensures transparency and credibility. Poor
presentation can invalidate strong technical findings.
7. A web administrator observes malicious scripts being
permanently inserted into a vulnerable web application.
What type of attack is this?
A. Reflected XSS
B. Stored XSS
C. CSRF
D. Directory traversal
Correct Answer: B. Stored XSS
Rationale: Stored XSS occurs when malicious scripts are saved on a server and
executed whenever users access affected content. This makes it more dangerous than
reflected XSS because it impacts multiple users. Attackers often use stored XSS to
steal credentials or hijack sessions. Secure input validation is a primary mitigation.