Exam (elaborations)

WGU Master's Course C702 - Forensics and Network Intrusion

Pages: 84
Grade: A+
Uploaded on: 01-04-2022
Written in: 2021/2022

A software company suspects that employees have set up automatic corporate email forwarding to their personal inboxes against company policy. The company hires forensic investigators to identify the employees violating policy, with the intention of issuing warnings to them.

Which type of cybercrime investigation approach is this company taking?

A Civil
B Criminal
C Administrative
D Punitive
Correct answer- C

Which model or legislation applies a holistic approach toward any criminal activity as a criminal operation?

A Enterprise Theory of Investigation
B Racketeer Influenced and Corrupt Organizations Act
C Evidence Examination
D Law Enforcement Cyber Incident Reporting
Correct answer- A

What does a forensic investigator need to obtain before seizing a computing device in a criminal case?

A Court warrant
B Completed crime report
C Chain of custody document
D Plaintiff's permission
Correct answer- A

Which activity should be used to check whether an application has ever been installed on a computer?

A Penetration test
B Risk analysis
C Log review
D Security review
Correct answer- C

Which characteristic describes an organization's forensic readiness in the context of cybercrimes?

A It includes moral considerations.
B It includes cost considerations.
C It excludes nontechnical actions.
D It excludes technical actions.
Correct answer- B

A cybercrime investigator identifies a Universal Serial Bus (USB) memory stick containing emails as a primary piece of evidence.

Who must sign the chain of custody document once the USB stick is in evidence?

A Those who obtain access to the device
B Anyone who has ever used the device
C Recipients of emails on the device
D Authors of emails on the device
Correct answer- A

Which type of attack is a denial-of-service technique that sends a large amount of data to overwhelm system resources?

A Phishing
B Spamming
C Mail bombing
D Bluejacking
Correct answer- C

Which computer crime forensics step requires an investigator to duplicate and image the collected digital information?

A Securing evidence
B Acquiring data
C Analyzing data
D Assessing evidence
Correct answer- B

What is the last step of a criminal investigation that requires the involvement of a computer forensic investigator?

A Analyzing the data collected
B Testifying in court
C Assessing the evidence
D Performing search and seizure
Correct answer- B

How can a forensic investigator verify an Android mobile device is on, without potentially changing the original evidence or interacting with the operating system?

A Check to see if it is plugged into a computer
B Tap the screen multiple times
C Look for flashing lights
D Hold down the power button
Correct answer- C

What should a forensic investigator use to protect a mobile device if a Faraday bag is not available?

A Aluminum foil
B Sturdy container
C Cardboard box
D Bubble wrap
Correct answer- A

Which criterion determines whether a technology used by government to obtain information in a computer search is considered innovative and requires a search warrant?

A Availability to the general public
B Dependency on third-party software
C Implementation based on open source software
D Use of cloud-based machine learning
Correct answer- A

Which situation allows a law enforcement officer to seize a hard drive from a residence without obtaining a search warrant?

A The computer is left unattended.
B The front door is wide open.
C The occupant is acting suspicious.
D The evidence is in imminent danger.
Correct answer- D

Which legal document contains a summary of findings and is used to prosecute?

A Investigation report
B Search warrant
C Search and seizure
D Chain of custody
Correct answer- A

What should an investigator use to prevent any signals from reaching a mobile phone?

A Faraday bag
B Dry bag
C Anti-static container
D Lock box
Correct answer- A

A forensic investigator is called to the stand as a technical witness in an internet payment fraud case.

Which behavior is considered ethical by this investigator while testifying?

A Providing and explaining facts found during the investigation
B Interpreting the findings and offering a clear opinion to the jury
C Helping the jury arrive at a conclusion based on the facts
D Assisting the attorney in compiling a list of essential questions
Correct answer- A

A government agent is testifying in a case involving malware on a system.

What should this agent have complied with during search and seizure?

A Fourth Amendment
B Stored Communications Act
C Net Neutrality Bill
D Federal Rules of Evidence
Correct answer- A

Which path should a forensic investigator use to look for system logs in a Mac?

A /var/log/cups/access_log
B /var/log/
C /var/audit/
D /var/log/install.log
Correct answer- B

Which tool should a forensic investigator use to view information from Linux kernel ring buffers?

A arp
B dmesg
C fsck
D grep
Correct answer- B

A forensic investigator makes a bit-stream copy of a Windows hard drive that has been reformatted. The investigator needs to locate only the Adobe PDF files on the hard drive.

Which tool should this investigator use?

A Quick Recovery
B Handy Recovery
C EaseUS Data Recovery
D Stellar Data Recovery
Correct answer- C

Which hexadecimal value should an investigator search for to find JPEG images on a device?

A 0x424D
B 0xD0CF11E0A1B11AE1
C 0x504B030414000600
D 0xFFD8
Correct answer- D

Which type of steganography allows the user to physically move a file but keep the associated files in their original location for recovery?

A Whitespace
B Folder
C Image
D Web
Correct answer- B

An employee steals a sensitive text file by embedding it into a PNG file. The employee then sends this file via an instant chat message to an accomplice.

Which type of steganography did this employee use?

A Document
B Image
C Text
D Web
Correct answer- B

Which method is used when an investigator has access to the plaintext and an image file with the hidden information?

A Stego-only
B Known-stego
C Known-message
D Chosen-message
Correct answer- C

Which method is used when an investigator takes a plaintext message, uses various tools against it, and finds the algorithm used to hide information?

A Stego-only
B Known-stego
C Known-message
D Chosen-message
Correct answer- D

Which operating system is targeted by the DaveGrohl password cracker?

A Linux
B OS X
C UNIX
D Windows
Correct answer- B

Which password cracker is used to recover passwords on an OS X operating system?

A Cain and Abel
B DaveGrohl
C L0phtCrack
D Ophcrack
Correct answer- B

Which tool allows a forensic investigator to process Transmission Control Protocol (TCP) streams for analysis of malicious traffic?

A Kibana
B OSSEC
C Syslog-ng
D Wireshark
Correct answer- D

Which tool allows an investigator to review or process information in a Windows environment but does not rely on the Windows API?

A EnCase
B netstat
C dd
D LogMeister
Correct answer- A

A computer forensic investigator finds an unauthorized wireless access point connected to an organization's network switch. This access point's wireless network has a random name with a hidden service set identifier (SSID).

What is this set-up designed to do?

A Create a backdoor that a perpetrator can use by connecting wirelessly to the network
B Jam the wireless signals to stop all legitimate traffic from using the wireless network
C Activate the wireless cards in the laptops of victims to gain access to their data and network
D Transmit high-power signals that force users to connect to the rogue wireless network
Correct answer- A

Which web-based application attack corrupts the execution stack of a web application?

A Buffer overflow
B Cookie poisoning
C SQL injection
D Denial-of-service
Correct answer- A

An employee is accused of sending a threatening email through Microsoft Exchange.

Which file extension should the investigator search for to find the archived message on the server?

A .DB
B .NSF
C .PST
D .EDB
Correct answer- D

Investigators do not have physical access to the computer of the victim of an email crime.

Which task should these investigators instruct the victim to perform in order to identify the sending email server?

A Provide the email body
B Provide the email header
C Run Aid4Mail Email Forensics
D Run Email Address Verifier
Correct answer- B

Which tool should a forensic investigator use on a Windows computer to locate all the data on a computer disk, protect evidence, and create evidentiary reports for use in legal proceedings?

A Wireshark
B OmniPeek
C ProDiscover
D Capsa
Correct answer- C

What is the purpose of hashing tools during data acquisition?

A Dumping the original RAM contents to a forensically sterile removable device
B Enabling write protection on the original media to preserve the original evidence
C Validating the collected digital evidence by comparing the original and copied file message digests
D Creating a replica of the original source to prevent the inadvertent alteration of the original
Correct answer- C

Which software-based tool is used to prevent writes to storage devices on a computer?

A CRU WiebeTech
B ILook Investigator
C SAFE Block
D USB WriteBlocker
Correct answer- C

Which tool should a forensic team use to research unauthorized changes in a database?

A ApexSQL DBA
B Gargoyle Investigator Forensic Pro
C LSASecretsView
D RSA NetWitness Investigator
Correct answer- A

Which graphical tool should investigators use to identify publicly available information about a public IP address?

A AWStats
B GoAccess
C SmartWhois
D NsLookup
Correct answer- C

Which tool is used to search and analyze PC messaging logs?

A Chat Stick
B File Viewer
C SnowBatch
D Zamzar
Correct answer- A

Which forensic tool allows an investigator to acquire database files for analysis from a mobile device?

A Andriller
B Volatility
C WinDump
D Tripwire
Correct answer- A

A first responder arrives at an active crime scene that has several mobile devices.

What should this first responder do while securing the crime scene?

A Leave the devices in the state they are in and put them in anti-static bags
B Turn on the devices and review recently accessed data
C Turn off the devices to preserve the volatile memory
D Leave the devices as found and fill out chain of custody paperwork
Correct answer- D

What is a responsibility of the first responder at a crime scene?

A Package and transport the evidence
B Identify the presence of rootkits on the evidence
C Decrypt the evidence by cracking passwords
D Detect malware present on the evidence
Correct answer- A

Which step preserves the forensic integrity of volatile evidence when a device is discovered in the powered-on state?

A Documenting the procedures for shutting down the system
B Collecting information with a secure command shell
C Using the built-in backup utility to gather information
D Copying the file with the keyboard shortcut Ctrl+C
Correct answer- B

Which action maintains the integrity of evidence when a forensic laptop is used to acquire data from a compromised computer?

A Connecting the machines with a straight through cable
B Connecting the machines with a crossover cable
C Enabling a hardware write blocker
D Enabling administrative control
Correct answer- C

What should an investigator do while collecting evidence from a device?

A Turn off the computer to protect the data
B Install antivirus software to protect information
C Begin documenting the chain of custody
D Close any open documents and applications
Correct answer- C

Why should investigators use the bit-stream disk-to-disk data acquisition method rather than the disk-to-image method?

A Ensures that integrity is not compromised
B Preserves the required chain of custody
C Addresses potential errors and incompatibilities
D Avoids the possibility of running out of space
Correct answer- C

Which anti-forensic defense technique allows a forensic investigator to determine if the system's kernel is compromised?

A Performing a brute-force attack
B Conducting steganalysis
C Performing BIOS bypass
D Conducting rootkit detection
Correct answer- D

Which anti-forensic defense technique allows a forensic investigator to gain access to files protected with Encrypting File System (EFS)?

A Installing a recovery certificate
B Detecting hosts in promiscuous mode
C Performing BIOS bypass
D Conducting rootkit detection
Correct answer- A

Which anti-forensic defense technique allows a forensic investigator to reset the firmware in order to access the operating system?

A Install a recovery certificate
B Detect hosts in promiscuous mode
C Perform BIOS password bypass
D Conduct rootkit detection
Correct answer- C

A software company has a data breach and hires a forensic expert to examine event and intrusion detection logs on its Linux servers. The investigator finds a suspicious user ID and wants to track all events of that user.

Which command should this forensic expert use?

A ausearch
B dd
C readelf
D cron
Correct answer- A

A forensic investigator receives dozens of log-in failure events within a few minutes. A security attack event is generated.

What is the goal when performing event correlation?

A Data aggregation
B Content reduction
C Explorative data analysis
D Root cause identification
Correct answer- D

A computer forensic investigator is preparing an affidavit statement.

Which type of report should this investigator prepare?

A Formal verbal
B Informal verbal
C Formal written
D Informal written
Correct answer- C

A forensic investigator is preparing a report in response to a security breach. The report is augmented by documentation provided by a third party.

Which optional section in the report serves as a gesture of thanks for the third-party support?

A Acknowledgments
B References
C Conclusions
D Appendices
Correct answer- A

A network log from a remote system is entered into evidence, and the proper steps are taken to protect the integrity of the data. The log contains network intrusion data but does not contain any information about the log.

What must an investigator document about this log in the forensic report?

A Name of the server
B Number of records in the file
C Name of the server administrator
D Number of bytes in the file
Correct answer- A

What should an investigator do to ensure that creating a forensic hard drive image does not alter the drive?

A Make a duplicate using the dd command
B Make a duplicate using the cp command
C Copy each file to a new disk using copy and paste
D Copy each file to a new disk using File Explorer
Correct answer- A

A Mac computer that does not have removable batteries is powered on.

Which action must a first responder take to preserve digital evidence from the computer once volatile information is collected?

A Place the computer in an anti-static bag
B Obtain the IP address of the computer
C Maintain the power with a portable charger
D Press the power switch for 30 seconds
Correct answer- D

What should an investigator do to ensure that a phone serving as evidence at a crime scene is properly isolated?

A Contact the service provider
B Turn the device off
C Remove the battery
D Use a Faraday bag
Correct answer- D

First responders arrive at a company and determine that a non-company Windows 7 computer was used to breach information systems. The computer is still powered on.

What is the correct procedure for powering off this computer once the volatile information has been collected?

A Shut down the device by clicking Special Shutdown
B Unplug the electrical cord from the wall socket
C Type Get-Service | Where {$_.status -eq 'running'}
D Press down the Ctrl and L keys simultaneously
Correct answer- B

What is the minimum number of workstations a forensics lab needs?

A One
B Two
C Three
D Four
Correct answer- B

Which function does the BIOS parameter block (BPB) handle for the hard disk?

A Describes the physical layout and volume partitions
B Specifies the location of the operating system
C Initializes code that executes after powering the firmware interface
D Interprets the boot configuration data and selects boot policy
Correct answer- A

How does RAID 3 store information?

A Information is written on a minimum of two drives for quick reading and writing of data.
B Data is mirrored on two drives to improve the speed of retrieving information and resilience.
C Information is written at byte level across multiple drives, but only one is dedicated for parity.
D Information is stored on multiple drives, with floating parity for improved performance and resilience.
Correct answer- C

Which file system is on a system with MacOS installed?

A New Technology File System (NTFS)
B Hierarchical File System Plus (HFS+)
C Extended file system (EXT)
D Z File System (ZFS)
Correct answer- B

Where should an investigator search for details of activities that have taken place in an SQL database?

A Primary data files (MDF)
B Secondary data files (NDF)
C Data definition language (DDL) files
D Transaction log data files (LDF)
Correct answer- D

Which command line utility enables an investigator to analyze privileges assigned to database files?

A DBINFO
B SHOWFILESTATS
C mysqldump
D mysqlaccess
Correct answer- D

The following is the header from a threatening email:

Received: from M( [124.53.112.16]) by M (8.8.5/8.7.2)
Received: from ( [124.211.3.88]) by M (10.5.2/10.4.1) With ESMTP id LAA20869 for ; Tue, Jan 26 2016 14:39:24 -0800 (PST)

What is the name of the server that sent the message?

A M
B M
C M
D
Correct answer- A

Which header allows an investigator to determine if a message was sent to many recipients?

A In-Reply-To
B Content-Type
C X-Distribution
D X-Mailer
Correct answer- C

Which operating system contains PLIST files for forensic analysis?

A Android
B Windows
C Linux
D MacOS
Correct answer- D

Which operating system contains the authentication log at /var/log/?

A Android
B Linux
C iOS
D MacOS
Correct answer- B

Which of the following is true regarding computer forensics?

A deals with the process of finding evidence related to a digital crime to find the culprits and initiate legal action against them.
B deals with the process of finding evidence related to a digital crime to find the culprits and avoid legal action against them.
C deals with the process of finding evidence related to a digital crime to find the victims and prevent legal action against them.
D deals with the process of finding evidence related to a crime to find the culprits and initiate legal action against them.
Correct answer- A

Which of the following is NOT an objective of computer forensics?

A Identify, gather, and preserve the evidence of a cybercrime.
B Track and prosecute the perpetrators in a court of law.
C Interpret, document, and present the evidence to be admissible during prosecution.
D Mitigate vulnerabilities allowing further loss of intellectual property, finances, and reputation during an attack.
Correct answer- D

Which of the following is true regarding Enterprise Theory of Investigation (ETI)?

A It encourages reactive action on the structure of the criminal enterprise.
B It adopts an approach toward criminal activity as a criminal act.
C It adopts a holistic approach toward any criminal activity as a criminal operation rather than as a single criminal act.
D It differs from traditional investigative methods, and it is less complex and less time-consuming.
Correct answer- C

Forensic readiness refers to:

A an organization's ability to make optimal use of digital evidence in a limited time period and with minimal investigation costs
B replacing the need to meet all regulatory requirements
C having no impact on prospects of successful legal action
D the establishment of specific incident response procedures and designated trained personnel to prevent a breach
Correct answer- A

Which of the following is NOT an element of cybercrime?

A anonymity through masquerading
B volatile evidence
C fast-paced speed

Get to know the seller

EvaTee Phoenix University