Page 1 of 32
WGU D431 OA & PRE-ASSESSMENT EXAM ACTUAL EXAM COMPLETE
200 QUESTIONS AND CORRECT DETAILED SOLUTIONS
WGU D431 OA EXAM
Disk Forensics
The process of acquiring and analyzing information stored on physical storage media, such as
computer hard drives, smartphones, GPS systems, and removable media. Includes both the
recovery of hidden and deleted information and the process of identifying who created a file or
message.
Email Forensics
The study of the source and content of email as evidence, including the identification of the
sender, recipient, date, time, and origination location of an email message.
Network Forensics
The process of examining network traffic, including transaction logs and real-time monitoring
using sniffers and tracing.
Internet Forensics
The process of piecing together where and when a user has been on the internet. For
example, internet forensics can be used to determine whether access to and downloading of
inappropriate internet content was accidental.
Software Forensics
Also known as malware forensics, the process of examining malicious computer code.
Live system forensics
The process of searching memory in real time, typically for working with compromised hosts or
to identify system abuse.
Cell-Phone Forensics
The process of searching the contents of cell phones. A few years ago, this was just not a big
issue, but with the ubiquitous nature of cell phones today, cell-phone forensics is a very
important topic. A cell phone can be a treasure trove of evidence. Modern cell phones are
essentially computers with processors, memory, even hard drives and operating systems, and
they operate on networks. Phone forensics also includes VoIP and traditional phones and may
overlap the Foreign Intelligence Surveillance Act of 1978 (FISA), the USA PATRIOT Act, and the
Communications Assistance for Law Enforcement Act (CALEA) in the United States.
Chain of Custody
From the time the evidence is first seized by a law
enforcement officer or civilian investigator until the moment it is shown in court, the
whereabouts and custody of the evidence, and how it was handled and stored and by whom,
must be able to be shown at all times. Failure to maintain the proper chain of custody can lead
to evidence being excluded from trial.
Don't Touch the Suspect Drive
One very important principle is to touch the system as little as possible. It is possible to make
changes to the system in the process of examining it, which is very undesirable. Obviously, you
have to interact with the system to investigate it. The answer is to make a forensic copy and
work with that copy. You can make a forensic copy with most major forensic tools such as
AccessData's Forensic Toolkit, Guidance Software's EnCase, or PassMark's OSForensics. There
are also open source software products that allow copying of original source information. To be
specific, make a copy and analyze the copy.
Document Trail
The next issue is documentation. The rule is that you document everything. Who was present
when the device was seized? What was connected to the device or showing on the screen
when you seized it? What specific tools and techniques did you use? Who had access to the
evidence from the time of seizure until the time of trial? All of this must be documented. And
when in doubt, err on the side of over-documentation. It really is not possible to document too
much information about an investigation.
Secure the Evidence
It is absolutely critical to the integrity of your investigation as well as to maintaining the chain of
custody that you secure the evidence. It is common to have the forensic lab be a locked room
with access given only to those who must enter. Then, evidence is usually secured in a safe,
with access given out only on a need-to-know basis. You have to take every reasonable
precaution to ensure that no one can tamper with the evidence.
Daubert Standard
Standard used by a trial judge to make a preliminary assessment of whether an expert's
scientific testimony is based on reasoning or methodology that is scientifically valid and can
properly be applied to the facts at issue. Under this standard, the factors that may be
considered in determining whether the methodology is valid are: (1) whether the theory or
technique in question can be and has been tested; (2) whether it has been subjected to peer
review and publication; (3) its known or potential error rate; (4) the existence and maintenance
of standards controlling its operation; and (5) whether it has attracted widespread acceptance
within a relevant scientific community.
The Federal Privacy Act of 1974
Establishes a code of information-handling practices that governs the collection, maintenance,
use, and dissemination of information about individuals that is maintained in systems of
records by U.S. federal agencies. A system of records is a group of records under the control of
an agency from which information is retrieved by the name of the individual or by some
identifier assigned to the individual.
The Privacy Protection Act of 1980
Protects journalists from being required to turn over to law enforcement any work product and
documentary materials, including sources, before it is disseminated to the public. Journalists
who most need the protection of the PPA are those who are working on stories that are highly
controversial or that describe criminal acts, because the information gathered may also be
useful to law enforcement.
The Communications Assistance for Law Enforcement Act of 1994 (CALEA)
Federal wiretap law for traditional wired telephony. It was expanded in 2004 to include
wireless, voice over packets, and other forms of electronic communications, including signaling
traffic and metadata.
18 U.S.C. § 2701
This act covers accessing a facility through which electronic communication is provided without
authorization, or exceeding the access that was authorized. It is broadly written to apply to a
range of offenses. Punishment can be up to 5 years in prison and fines for the first offense.
The Electronic Communications Privacy Act of 1986
Governs the privacy and disclosure, access, and interception of content and traffic data related
to electronic communications.
The Computer Security Act of 1987
The law requires the establishment of minimum acceptable security practices, creation of
computer security plans, and training of system users or owners of facilities that house
sensitive information.
The Foreign Intelligence Surveillance Act of 1978
A law that allows for the collection of "foreign intelligence information" between foreign
powers and agents of foreign powers using physical and electronic surveillance. A warrant is
issued by the FISA court for actions under FISA.
The Child Protection and Sexual Predator Punishment Act of 1998