WGU C840 Digital Forensics 2022 Study Guide/181 Questions and answers/ With complete solution.

WGU C840 Digital Forensics 2022 Study Guide/181 Questions and answers/ With complete solution. expert report Correct ans - A formal document prepared by a forensics specialist to document an investigation, including a list of all tests conducted as well as the specialist's own curriculum vitae (CV). Anything the specialist plans to testify about at a trial must be included in the expert report. Testimonial evidence Correct ans - Information that forensic specialists use to support or interpret real or documentary evidence; for example, to demonstrate that the fingerprints found on a keyboard are those of a specific individual. Daubert standard Correct ans - The standard holding that only methods and tools widely accepted in the scientific community can be used in court. If the computer is turned on when you arrive, what does the Secret Service recommend you do? Correct ans - Shut down according to the recommended Secret Service procedure. Communications Assistance to Law Enforcement Act of 1994 Correct ans - The Communications Assistance to Law Enforcement Act of 1994 is a federal wiretap law for traditional wired telephony. It was expanded to include wireless, voice over packet, and other forms of electronic communications, including signaling traffic and metadata. Digital evidence Correct ans - Digital evidence is information processed and assembled so that it is relevant to an investigation and supports a specific finding or determination. Federal Privacy Act of 1974 Correct ans - The Federal Privacy Act of 1974, a United States federal law that establishes a code of Fair Information Practice that governs the collection, maintenance, use, and dissemination of information about individuals that is maintained in systems of records by U.S. federal agencies. Power Spy, Verity, ICU, and WorkTime Correct ans - Spyware good fictitious e-mail response rate Correct ans - 1-3% Which crime is most likely to leave e-mail evidence? Correct ans - Cyberstalking Where would you seek evidence that ophcrack had been used on a Windows Server 2008 machine? Correct ans - In the logs of the server; look for the reboot of the system A SYN flood is an example of what? Correct ans - DoS attack definition of a virus, in relation to a computer? Correct ans - a type of malware that requires a host program or human help to propagate What is the starting point for investigating the denial of service attacks? Correct ans - Tracing the packets China Eagle Union Correct ans - The cyberterrorism group, the China Eagle Union, consists of several thousand Chinese hackers whose stated goal is to infiltrate Western computer systems. Members and leaders of the group insist that not only does the Chinese government have no involvement in their activities, but that they are breaking Chinese law and are in constant danger of arrest and imprisonment. However, most analysts believe this group is working with the full knowledge and support of the Chinese government. Rules of evidence Correct ans - Rules that govern whether, when, how, and why proof of a legal case can be placed before a judge or jury. file slack Correct ans - The unused space between the logical end of the file and the physical end of the file. It is also called slack space. The Analysis Plan Correct ans - Before forensic examination can begin, an analysis plan should be created. This plan guides work in the analysis process. How will you gather evidence? Are there concerns about evidence being changed or destroyed? What tools are most appropriate for this specific investigation? A standard data analysis plan should be created and customized for specific situations and circumstances. What is the most important reason that you not touch the actual original evidence any more than you have to? Correct ans - Each time you touch digital data, there is some chance of altering it. You should make at least two bitstream copies of a suspect drive. Correct ans - TRUE To preserve digital evidence, an investigator should Correct ans - make two copies of each evidence item using different imaging tools What would be the primary reason for you to recommend for or against making a DOS Copy Correct ans - A simple DOS copy will not include deleted files, file slack, and other information. Which starting-point forensic certification covers the general principles and techniques of forensics, but not specific tools such as EnCase or FTK? Correct ans - (CHFI) EC Council Certified Hacking Forensic Investigator This forensic certification is open to both the public and private sectors and is specific to the use and mastery of FTK. Requirements for taking the exam include completing the boot camp and Windows forensic courses. Correct ans - AccessData Certified Examiner. AccessData is the creator of Forensic Toolkit (FTK) software. Federal Rules of Evidence (FRE) Correct ans - The Federal Rules of Evidence (FRE) is a code of evidence law. The FRE governs the admission of facts by which parties in the U.S. federal court system may prove their cases. The rules of evidence, encompasses the rules and legal principles that govern the proof of facts in a legal proceeding. These rules determine what evidence must or must not be considered by the trier of fact in reaching its decision The DoD Cyber Crime Center (DC3) Correct ans - DC3 is involved with DoD investigations that require computer forensics support to detect, enhance, or recover digital media. DC3 provides computer investigation training. It trains forensic examiners, investigators, system administrators, and others. It also ensures that defense information systems are secure from unauthorized use, criminal and fraudulent activities, and foreign intelligence service exploitation. DC3 ets standards for digital evidence processing, analysis, and diagnostics. Expert testimony Correct ans - Expert testimony involves the authentication of evidence-based upon scientific or technical knowledge relevant to cases. Forensic examiners are often called upon to authenticate evidence between given specimens and other items. Forensic specialists should not undertake an examination that is beyond their knowledge and skill. temporary data Correct ans - Data that an operating system creates and overwrites without the computer user taking direct action to save this data. Physical analysis Correct ans - Offline analysis conducted on an evidence disk or forensic duplicate after booting from a CD or another system. Logical analysis Correct ans - Analysis involving using the native operating system, on the evidence disk or a forensic duplicate, to peruse the data. sweepers Correct ans - A kind of software that cleans unallocated space. Also called a scrubber. It is acceptable, when you have evidence in a vehicle, to stop for a meal, if the vehicle is locked. Correct ans - FALSE What Linux command can be used to create a hash? Correct ans - MD5sum EnCase Format Correct ans - The EnCase format is a proprietary format that is defined by Guidance Software for use in its forensic tool to store hard drive images and individual files. It includes a hash of the file to ensure nothing was changed when it was copied from the source. advanced Forensic Format (AFF) Correct ans - This file format, abbreviated AFF, has three variations: AFF, AFM, and AFD. The AFF variation stores all data and metadata in a single file. The AFM variation stores the data and the metadata in separate files. The AFD variation stores the data and metadata in multiple small files. The AFF file format is part of the AFF Library and Toolkit, which is a set of open-source computer forensics programs. Sleuth Kit and Autopsy both support this file format. The Generic Forensic Zip Correct ans - an open source file format used to store evidence from forensic examinations IXimager Correct ans - developed by the IRS and restricted to law enforcement and government use What Linux command can be used to wipe a target drive? Correct ans - dd RAID 0 Correct ans - disk striping RAID 1 Correct ans - completely mirrors the contents of disks so there is an identical copy of the drive running on the machine RAID 3 or 4 Correct ans - combines three or more disks in a way that protects data against loss of any one disk.