WGU Digital Forensics in Cybersecurity (D431/C840) Course Exam Questions

Total 74 questions
Question 1

A forensic investigator wants to collect evidence from a file created by a Macintosh computer running OS X 10.8.

Which file type can be created by this OS?



Answer : C

Comprehensive and Detailed Explanation From Exact Extract:

Mac OS X 10.8 (Mountain Lion) uses the HFS+ (Hierarchical File System Plus) file system by default for its native storage volumes. HFS+ is Apple's proprietary file system introduced in the late 1990s, designed for macOS.

ReiserFS is a Linux file system.

MFS (Macintosh File System) is an outdated file system replaced by HFS.

NTFS is a Windows file system.

This is well documented in Apple technical specifications and forensic analysis standards for macOS systems.


Digital forensics references including NIST guidelines and vendor documentation confirm HFS+ as the standard file system for Mac OS X versions prior to APFS adoption.

Question 2

A police detective investigating a threat traces the source to a house. The couple at the house shows the detective the only computer the family owns, which is in their son's bedroom. The couple states that their son is presently in class at a local middle school.

How should the detective legally gain access to the computer?



Answer : A

Comprehensive and Detailed Explanation From Exact Extract:

To legally search the computer located in the home, the detective must obtain consent from someone with authority over the premises, in this case the parents. Parental consent is generally sufficient for searches within their household unless other legal considerations apply. This ensures compliance with constitutional protections against unlawful searches.

Obtaining valid consent is a fundamental requirement under the Fourth Amendment for legal search and seizure.

Forensic investigators must avoid searches without proper consent or a warrant to maintain admissibility of evidence.


NIST SP 800-101 and standard forensic ethics protocols emphasize obtaining lawful consent or warrants prior to accessing digital evidence.

Question 3

Which tool should a forensic investigator use to determine whether data are leaving an organization through steganographic methods?



Answer : C

Comprehensive and Detailed Explanation From Exact Extract:

Netstat is a command-line network utility tool used to monitor active network connections, open ports, and network routing tables. In the context of detecting data exfiltration potentially using steganographic methods, netstat can help a forensic investigator identify suspicious or unauthorized network connections through which hidden data may be leaving an organization.

While netstat itself does not detect steganography within files, it can be used to monitor data flows and connections to external hosts, which is critical for identifying channels where steganographically hidden data could be transmitted.

Data Encryption Standard (DES) is a cryptographic algorithm, not a forensic tool.

MP3Stego is a steganography tool for embedding data in MP3 files and is not designed for detection or monitoring.

Forensic Toolkit (FTK) is forensic analysis software focused on acquiring and analyzing data from storage devices, not network monitoring.


NIST Special Publication 800-86 (Guide to Integrating Forensic Techniques into Incident Response) emphasizes the importance of network monitoring tools like netstat during forensic investigations to detect unauthorized data transmissions. Although steganographic detection requires specialized analysis, identifying suspicious network activity is the first step in uncovering covert channels used for data exfiltration.

Question 4

Which forensics tool can be used to bypass the passcode of an Apple iPhone running the iOS operating system?



Answer : D

Comprehensive and Detailed Explanation From Exact Extract:

XRY is a commercial forensic tool specifically designed to extract data from mobile devices, including Apple iPhones. It has capabilities to bypass or work around iOS passcodes under certain conditions to acquire data for forensic analysis.

iStumbler is a Wi-Fi scanning tool.

Ophcrack and L0phtCrack are password cracking tools for Windows systems, not mobile devices.

XRY is widely referenced in digital forensics training and NIST mobile device forensic guidelines as a leading tool for iOS data extraction.


Question 5

A forensic scientist arrives at a crime scene to begin collecting evidence.

What is the first thing the forensic scientist should do?



Answer : B

Comprehensive and Detailed Explanation From Exact Extract:

Documenting the scene through photographs preserves the original state of evidence before it is moved or altered. This supports chain of custody and evidence integrity, providing context during analysis and court proceedings.

Photographic documentation is a standard step in forensic protocols.

It ensures the scene is accurately recorded.


According to forensic investigation standards (NIST SP 800-86), photographing the scene is the initial action upon arrival.

Question 6

Which operating system creates a swap file to temporarily store information from memory on the hard drive when needed?



Answer : D

Comprehensive and Detailed Explanation From Exact Extract:

Windows uses a swap file (commonly called pagefile.sys) to extend physical memory (RAM) by temporarily storing data from memory to disk when RAM is insufficient. This allows the system to handle more data than the available RAM.

Linux and Unix typically use dedicated swap partitions or swap files but refer to them differently and manage them in other ways.

Mac OS X uses a paging file system but does not typically use a 'swap file' in the Windows sense; it uses dynamic paging files instead.

The terminology 'swap file' is most commonly associated with Windows.


Microsoft Windows forensics guidelines and NIST documentation describe the page file's role in virtual memory management in Windows operating systems.

Question 7

Which Windows component is responsible for reading the boot.ini file and displaying the boot loader menu on Windows XP during the boot process?



Answer : B

Comprehensive and Detailed Explanation From Exact Extract:

NTLDR (NT Loader) is the boot loader for Windows NT-based systems including Windows XP. It reads the boot.ini configuration file and displays the boot menu, initiating the boot process.

Later Windows versions (Vista and above) replaced NTLDR with BOOTMGR.

Understanding boot components assists forensic investigators in boot process analysis.


Microsoft technical documentation and forensic training materials outline NTLDR's role in legacy Windows systems.
