Which information is included in an email header?
Answer : C
Comprehensive and Detailed Explanation From Exact Extract:
An email header contains metadata about the email including sender, receiver, routing information, and content details. The Content-Type header specifies the media type of the email body (e.g., text/plain, text/html, multipart/mixed), indicating how the email content should be interpreted.
Sender's MAC address is not typically included in email headers.
Number of pages is not relevant to email metadata.
Message-Digest is a term related to cryptographic hashes but is not a standard email header field.
RFC 5322 and forensic email analysis references outline that email headers contain fields like Content-Type describing the format of the message content, essential for proper parsing and forensic examination.
Tom saved a message using the least significant bit (LSB) method in a sound file and uploaded this sound to his own website.
What is the carrier in this example?
Answer : C
Comprehensive and Detailed Explanation From Exact Extract:
In steganography, the carrier is the file or medium used to hide the secret message. In this example, the sound file is the carrier because it contains the hidden message embedded using the least significant bit method. The message is the payload, and the website is merely the distribution platform.
LSB is the embedding technique, not the carrier.
The message is the payload, not the carrier.
The website is not involved in data hiding.
NIST and steganography references clearly define the carrier as the container holding the hidden data.
While collecting digital evidence from a running computer involved in a cybercrime, the forensic investigator makes a list of items that need to be collected.
Which piece of digital evidence should be collected first?
Answer : A
Comprehensive and Detailed Explanation From Exact Extract:
When collecting evidence from a running system, volatile and critical evidence such as security logs should be collected first as they are most susceptible to being overwritten or lost. Security logs may contain valuable information on unauthorized access or malicious activity.
Chat room logs, recently accessed files, and temporary internet files are important but often less volatile or can be recovered from disk later.
NIST SP 800-86 and SANS Incident Response Guidelines prioritize the collection of volatile logs and memory contents first.
This approach helps ensure preservation of time-sensitive data critical for forensic analysis.
Which type of information does a Windows SAM file contain?
Answer : C
Comprehensive and Detailed Explanation From Exact Extract:
The Windows Security Account Manager (SAM) file stores hashed passwords for local Windows user accounts. These hashes are used to authenticate users without storing plaintext passwords.
The SAM file stores local account password hashes, not network passwords.
Passwords are stored as hashes (LM or NTLM), not encrypted.
Network password management occurs elsewhere (e.g., Active Directory).
NIST SP 800-86 and standard Windows forensics texts explain that the SAM file contains hashed local account credentials critical for forensic investigations involving Windows systems.
What is one purpose of steganography?
Answer : B
Comprehensive and Detailed Explanation From Exact Extract:
Steganography is used to conceal information within other seemingly innocuous data, such as embedding messages inside image files, allowing secret delivery of information without detection.
Unlike encryption, steganography hides the existence of the message itself.
It is an anti-forensic technique used to evade detection.
NIST and digital forensics literature describe steganography as a covert communication methodology.
How is the Windows swap file, also known as page file, used?
Answer : C
Comprehensive and Detailed Explanation From Exact Extract:
The Windows swap file, or page file, is a system file used to extend physical memory by storing data that cannot fit into RAM. When RAM is full, the OS swaps inactive data pages to this file, thus augmenting RAM capacity.
It does not replace bad sectors; that function is for disk management utilities.
It is not primarily for security but for memory management.
It is not reserved exclusively for system files but is used dynamically for memory paging.
Microsoft's official documentation and forensic guides like NIST SP 800-86 describe the page file's role in virtual memory management and its importance in forensic analysis because it may contain fragments of memory and sensitive information.
Susan was looking at her credit report and noticed that several new credit cards had been opened lately in her name. Susan has not opened any of the credit card accounts herself.
Which type of cybercrime has been perpetrated against Susan?
Answer : A
Comprehensive and Detailed Explanation From Exact Extract:
Identity theft occurs when an attacker unlawfully obtains and uses another person's personal information to open accounts, access credit, or commit fraud. The opening of credit cards without the victim's consent is a classic example.
SQL injection is a web application attack method that does not directly relate to this case.
Cyberstalking involves harassment via digital means and is unrelated.
Malware is malicious software and may be used to facilitate identity theft but is not the crime itself.
According to the U.S. Federal Trade Commission (FTC) definitions and NIST Cybersecurity Framework, identity theft is defined as the unauthorized use of someone's personal information for fraudulent purposes, perfectly matching Susan's situation.