Download WGU C702 FINAL PAPER 2026 ACCURATE ANSWER SET and more Exams Forensics in PDF only on Docsity!
WGU C702 FINAL PAPER 2026 ACCURATE
ANSWER SET
◉Computer Forensics. Answer: A set of methodological procedures and techniques that help identify, gather, preserve, extract, interpret, document, and present evidence from computers in a way that is legally admissible ◉Cyber Crime. Answer: Any illegal act involving a computing device, network, its systems, or its applications. Both internal and external ◉Enterprise Theory of Investigation (ETI). Answer: Methodology for investigating criminal activity ◉Types of Cyber Crime. Answer: Civil, Criminal, Administrative ◉Civil Cases. Answer: Involve disputes between two parties. Brought for violation of contracts and lawsuits where a guilty outcome generally results in monetary damages to the plaintiff ◉Criminal Cases. Answer: Brought by law enforcement agencies in response to a suspected violation of law where a guilty outcome results in monetary damages, imprisonment, or both
◉Administrative Cases. Answer: An internal investigation by an organization to discover if its employees/clients/partners are abiding by the rules or policies (Violation of company policies). Non- criminal in nature and are related to misconduct or activities of an employee ◉Rules of Forensic Investigation. Answer: Safeguard the integrity of the evidence and render it acceptable in a court of law. The forensic examiner must make duplicate copies of the original evidence. The duplicate copies must be accurate replications of the originals, and the forensic examiner must also authenticate the duplicate copies to avoid questions about the integrity of the evidence. Must not continue with the investigation if the examination is going to be beyond his or her knowledge level or skill level. ◉Cyber Crime Investigation Methodology/Steps. Answer: 1.Identify the computer crime 2.Collect preliminary evidence 3.Obtain court warrant dor discovery/seizure of evidence 4.Perform first responder procedures 5.Seize evidence at the crime scene 6. Transport evidence to lab 7.Create two bitstream copies of the evidence 8. Generate MD5 checksum of the images 9. Maintain chain of custody
- Store original evidence in secure location 11. Analyze the image copy for evidence 12. Prepare a forensic report 13. Submit a report to client 14. Testify in course as an expert witness
◉Admissible evidence. Answer: Evidence that can be legally and properly introduced in a civil or criminal trial. Evidence is relevant to the case ◉Authentic Evidence. Answer: Evidence that is in its original or genuine state. Investigators must provide supporting documents regarding the authenticity, accuracy, and integrity of the evidence ◉Complete Evidence. Answer: Evidence must either prove or disprove the fact ◉Reliable Evidence. Answer: evidence that possesses a sufficient degree of likelihood that it is true and accurate Evidence must be proven dependable when the evidence was extracted ◉Believable Evidence. Answer: Evidence must be presented in a clear manner and expert opinions must be obtained where necessary ◉Rules of Evidence. Answer: Rules governing the admissibility of evidence in trial courts.
◉Best Evidence Rule. Answer: states that secondary evidence, or a copy, is inadmissible in court when the original exists. Duplicate evidence will suffice under the following conditions:
- Original evidence is destroyed due to fire or flood
- Original evidence is destroyed in the normal course of business
- Original evidence is in possession of a third party ◉Forensic Readiness. Answer: An organization's ability to make optimal use of digital evidence in a limited period and with minimal investigation costs. ◉Fourth Amendment. Answer: Protects against unreasonable search and seizure. Government agents may not search or seize areas or things in which a person has reasonable expectation of privacy, without a search warrant. ◉Chain of Custody. Answer: a written record of all people who have had possession of an item of evidence ◉Rule 101: Scope. Answer: These rules govern proceedings in the courts of the United States and before United States bankruptcy judges and United States magistrate judges, to the extent and with the exceptions stated in rule 1101.
question is raised about the original's authenticity or the circumstances make it unfair to admit the duplicate. ◉Rule 1004. Admissibility of Other Evidence of Content. Answer: Admissibility of Other Evidence of Content ◉Scientific Working Group on Digital Evidence (SWGDE). Answer: brings together organizations actively engaged in the field of digital and multimedia evidence to foster communication and cooperation as well as to ensure quality and consistency within the forensic community. ◉Computer Forensics Investigation Process. Answer: 1. Pre- Investigation
- Investigation
- Post-Investigation ◉Pre-Investigation. Answer: Tasks performed prior to investigation Setting up a computer forensics lab, toolkit, and workstation ◉Investiagtion. Answer: Main phase in computer forensics investigation Acquisition, preservation, and analysis of the data
◉Post-Investigation. Answer: Reporting and documentation of all the actions undertaken and the findings Ensure that the target audience can easily understand the report Ensure report provides adequate and acceptable evidence ◉Computer Forensics Laboratory. Answer: Work area considerations (50-63 sq. ft per station) no windows ASCLD/Lab Accreditation ISO/IEC 17025 ◉Forensic Hardware Tools. Answer: FRED, Paraben's StrongHold, PC-3000 Data Extractor, Paraben's Chat Stick, RAPID IMAGE 7020 X2, RoadMASSter-3 X2, ZX-Tower, Data Recovery Stick, Tableau T8- R2 Forensic USB Bridge ◉FRED. Answer: Acquires data directly from hard drives and storage devices ◉Paraben's StrongHold. Answer: blocks out wireless signals ◉PC-3000 Data Extractor. Answer: Diagnoses and fixes file system issues, so data can be obtained
◉R-Drive Image. Answer: Creation of disk image files for backup ◉FileMerlin. Answer: Converts word processing to a wide range of file formats ◉AccessData FTK. Answer: Court-cited digital investigations platform provides processing and indexing up front ◉EnCase. Answer: Rapidly acquire data and unearth potential evidence with disk-level forensic analysis ◉The Sleuth Kit. Answer: Command line tools to analyze disk images and recover files ◉L0phtCrack. Answer: Password auditing and recovery software ◉Ophcrack. Answer: Password cracker based on rainbow tables ◉Computer Forensic Tool Testing Project (CFTT). Answer: NIST, establishes a methodology for testing computer forensic software tools by development of general tool specifications, test procedures, test criteria, test sets, and test hardware.
◉Image Integrity Tools. Answer: HashCalc, MDF Calculator, HashMyFiles ◉HashCalc. Answer: Create MD5 has for files, text and hex string ( different algorithms) ◉MDF Calculator. Answer: View MD5 hash to compare to provided hash value ◉HashMyFiles. Answer: Calculate MD5 hash on one or more files ◉Recover My Files. Answer: recover deleted files emptied from the windows recycle bin and files lost due to the format or corruption of a hard drive, virus, or trojan infection, and unexpected system shutdown or software failure ◉Advanced Disk Recovery. Answer: Quick or deep scan for lost or deleted files ◉UndeletePlus. Answer: Quick or deep scan for lost or deleted files. same as Advanced Disk Recovery ◉Data Analysis Tools. Answer: FTK Imager, EnCase Forensic, The Sleuth Kit (TSK)
◉18 USC 1030. Answer: Fraud and related activity in connection with computers ◉18 USC 1361-2. Answer: Prohibit malicious mischief ◉18 USC 2252A. Answer: Child pornography ◉18 USC 2252B. Answer: Misleading domains on Internet ◉18 USC 2702. Answer: Voluntary disclosure of customer communications or records ◉42 USC 2000AA. Answer: Privacy Protection Act ◉Rule 402. Answer: Relevant Evidence ◉Rule 502. Answer: Attorney-Client Privilege and Work Product; Limitations on Waiver ◉Rule 608. Answer: Evidence of character and conduct of witness ◉Rule 609. Answer: Impeachment by evidence
◉Rule 614. Answer: Interrogation of Witnesses ◉Rule 701. Answer: Opinion testimony ◉Rule 705. Answer: Disclosure of facts ◉Platters. Answer: Circular metal disks mounted into a drive enclosure ◉Tracks. Answer: Concentric rings on the platters that store data ◉Track Numbering. Answer: Starts at 0 and goes to 1023 ◉Sectors. Answer: Smallest physical storage unites located on a hard disk platter (512 bytes long) ◉Clusters. Answer: Smallest accessible/logical storage unit on the hard disk ◉Slack Space. Answer: Wasted are of the disk cluster lying between end of the file and end of the cluster
◉GIF. Answer: Contains 8 bits per pixel and displays 256 colors per frame ◉fsstat (TSK). Answer: display details associated with the file system ◉istat (TSK). Answer: Display details of meta-data structure (INODE) ◉fls (TSK). Answer: List file and directory names in a disk image ◉img_stat (TSK). Answer: Displays details of an image file ◉Master Boot Record (MBR). Answer: The first sector on a hard drive, which contains the partition table and a program the BIOS uses to boot an OS from the drive. 512 bytes long Contains four 16-byte master partition records Starts at sector 0 Signature 0x55AA
◉Master Boot Code. Answer: Loads into BIOS and initiated system boot process ◉American Standard Code for Information Interchange (ASCII). Answer: 128 specified characters coded into 7-bit integers Source code of a program, batch files, macros, scripts, HTML and XML documents ◉ASCII Table. Answer: Non-printable Coded between 0 and 31 Lower ASCII codes between 32 and 127 Higher ASCII codes between 128 and 255 ◉Universal Coded Character Set (USC). Answer: Standard for encoding, representation, and management of texts More than 128000 characters XML, Java, and Microsoft.NET ◉Back Up the MBR. Answer: dd if=/dev/xxx of=mbr.backup bs= count= ◉Restore the MBR. Answer: dd if=mbr.backup of=/dev/xxx bs= count=
