WGU Digital Forensics in Cybersecurity (D431/C840) Course Exam WGU (D431/C840) Digital Forensics in Cybersecurity Course Exam Practice Test

Answer : A

Comprehensive and Detailed Explanation From Exact Extract:

Disk Investigator is a forensic tool that can analyze disk images and file systems to identify hidden data, including the presence of steganography by examining slack space, hidden files, and embedded data.

DiskDigger is mainly a data recovery tool.

FTK is a comprehensive forensic suite but does not specialize in steganography detection.

ComputerCOP is a parental control software, not a forensic tool.

Digital forensic best practices recognize Disk Investigator as useful for detecting steganographic content in files and disk areas.

Answer : D

Comprehensive and Detailed Explanation From Exact Extract:

Netstat is a standard Windows command line utility that displays active network connections, routing tables, and network interface statistics. It is widely used in forensic investigations to identify current and past TCP/IP connections, including IP addresses and port numbers associated with remote hosts. This information helps investigators identify if the suspect computer has active connections to other machines potentially used for data collection or command and control.

Telnet is a protocol used to connect to remote machines but does not display current network connections.

Openfiles shows files opened remotely but not network connection details.

Xdetect is not a standard Windows tool and not recognized in forensic investigations.

According to NIST SP 800-86 and SANS Digital Forensics guidelines, netstat is an essential tool for gathering network-related evidence during system investigations.

Answer : C

Comprehensive and Detailed Explanation From Exact Extract:

The Windows swap file, or page file, is a system file used to extend physical memory by storing data that cannot fit into the RAM. When RAM is full, the OS swaps inactive data pages to this file, thus augmenting RAM capacity.

It does not replace bad sectors; that function is for disk management utilities.

It is not primarily for security but for memory management.

It is not reserved exclusively for system files but is used dynamically for memory paging.

Microsoft's official documentation and forensic guides like NIST SP 800-86 describe the page file's role in virtual memory management and its importance in forensic analysis because it may contain fragments of memory and sensitive information.

Answer : A

Comprehensive and Detailed Explanation From Exact Extract:

The Communications Assistance to Law Enforcement Act (CALEA) mandates telecommunications carriers to assist law enforcement in executing authorized wiretaps, including on Voice over IP (VoIP) calls, ensuring lawful interception capabilities.

CALEA requires built-in surveillance capabilities in communications systems.

It balances privacy rights with law enforcement needs.

CALEA is cited in digital forensics and cybersecurity standards relating to lawful interception capabilities.

Answer : C

Comprehensive and Detailed Explanation From Exact Extract:

Snow is a specialized steganalysis tool that detects and extracts hidden data encoded in whitespace characters within text files and other mediums. It is widely used in digital forensic investigations for detecting covert data hiding methods such as whitespace steganography.

Data Doctor is a general data recovery tool, not specialized in steganalysis.

FTK is a general forensic suite, not specifically designed for steganography detection.

MP3Stego is focused on audio steganography.

NIST and digital forensics literature recognize Snow as a valuable tool in workflows designed to detect hidden data in text or similar carriers.

Answer : C

Comprehensive and Detailed Explanation From Exact Extract:

The ForwardedEvents log in Windows 7 is specifically designed to store events collected from remote computers via event forwarding. This log is part of the Windows Event Forwarding feature used in enterprise environments to centralize event monitoring.

The System and Application logs store local system and application events.

The Security log stores local security-related events.

ForwardedEvents collects and stores events forwarded from other machines.

Microsoft documentation and NIST SP 800-86 mention the use of ForwardedEvents for centralized event log collection in investigations.

Answer : C

Comprehensive and Detailed Explanation From Exact Extract:

The Advanced Forensic Format (AFF) is an open file format designed for storing disk images and related forensic metadata. It was developed by the Sleuth Kit community and is supported by forensic tools such as Sleuth Kit and Autopsy. AFF allows efficient storage, compression, and metadata annotation, which makes it suitable for forensic investigations.

AccessData is known for FTK format, not AFF.

iLook uses proprietary formats unrelated to AFF.

Guidance Software developed the EnCase Evidence File (E01) format.

AFF is widely recognized in open-source forensic toolchains.

The AFF format and its use with Sleuth Kit and Autopsy are documented in digital forensics literature and the AFF official documentation, as endorsed by the NIST and forensic tool developer communities.