WGU Digital-Forensics-in-Cybersecurity Exam (page: 1)
WGU Digital Forensics in Cybersecurity (D431/C840) Course
Updated on: 07-Feb-2026

An organization believes that a company-owned mobile phone has been compromised.

Which software should be used to collect an image of the phone as digital evidence?

  A. PTFinder
  B. Forensic SIM Cloner
  C. Forensic Toolkit (FTK)
  D. Data Doctor

Answer(s): C

Explanation:

Comprehensive and Detailed Explanation From Exact Extract:

Forensic Toolkit (FTK) is a widely recognized and trusted software suite in digital forensics used to acquire and analyze forensic images of devices, including mobile phones. FTK supports the creation of bit-by-bit images of digital evidence, ensuring the integrity and admissibility of the evidence in legal contexts. This imaging process is crucial in preserving the original state of the device data without alteration.

FTK enables forensic investigators to perform logical and physical acquisitions of mobile devices.

It maintains the integrity of the evidence by generating cryptographic hash values (MD5, SHA-1) to prove that the image is an exact copy.

Other options such as PTFinder or Forensic SIM Cloner focus on specific tasks like SIM card cloning or targeted data extraction but do not provide full forensic imaging capabilities.

Data Doctor is more aligned with data recovery rather than forensic imaging.


Reference:

According to standard digital forensics methodologies outlined by NIST Special Publication 800-101 (Guidelines on Mobile Device Forensics) and the SANS Institute Digital Forensics and Incident Response guides, forensic tools used to acquire mobile device images must be capable of bit-stream copying with hash verification, which FTK provides.



A digital forensic examiner receives a computer used in a hacking case. The examiner is asked to extract information from the computer's Registry.

How should the examiner proceed when obtaining the requested digital evidence?

  A. Ensure that any tools and techniques used are widely accepted
  B. Investigate whether the computer was properly seized
  C. Enlist a colleague to witness the investigative process
  D. Download a tool from a hacking website to extract the data

Answer(s): A

Explanation:

Comprehensive and Detailed Explanation From Exact Extract:

In digital forensics, the use of reliable, validated, and widely accepted tools and techniques is critical to maintain the integrity and admissibility of digital evidence. According to the National Institute of Standards and Technology (NIST) guidelines and the Scientific Working Group on Digital Evidence (SWGDE) standards, any forensic process must utilize methods that are recognized by the forensic community and have undergone rigorous testing to ensure accuracy and reliability.

Using validated tools helps prevent evidence contamination or loss and ensures that results can withstand legal scrutiny.

While proper seizure and witnessing are important, the priority in the extraction phase is to use appropriate, trusted tools.

Downloading tools from unauthorized or suspicious sources can compromise the evidence and is not an ethical or legal practice.


Reference:

NIST SP 800-101 (Guidelines on Mobile Device Forensics) and SWGDE Best Practices emphasize tool validation and adherence to community-accepted methods as foundational principles in forensic examination.



A victim of Internet fraud fell for an online offer after using a search engine to find a deal on an expensive software purchase. Once the victim learned about the fraud, he contacted a forensic investigator for help.

Which digital evidence should the investigator collect?

  A. Virus signatures
  B. Whois records
  C. Computer logs
  D. Email headers

Answer(s): C

Explanation:

Comprehensive and Detailed Explanation From Exact Extract:

In Internet fraud investigations, computer logs are critical because they provide a record of user activity, including browsing history, downloads, and system events. These logs can help establish a timeline, identify malicious access, and confirm fraudulent transactions.

Computer logs may include browser history, system event logs, and application logs that document the victim's interaction with the fraudulent offer.

Whois records help identify domain registration details but are secondary evidence.

Email headers are relevant if communication via email was part of the fraud but less critical than logs that show direct interaction.

Virus signatures are used in malware investigations and are not directly relevant to fraud evidence collection.


Reference:

According to guidelines by the International Journal of Digital Crime and Forensics and the SANS Institute, capturing logs is essential in building a case for Internet fraud as it provides objective data about the victim's system and activities.



A cybercriminal hacked into an Apple iPad that belongs to a company's chief executive officer (CEO). The cybercriminal deleted some important files on the data volume that must be retrieved.

Which hidden folder will contain the digital evidence?

  A. /Private/etc
  B. /lost+found
  C. /.Trashes/501
  D. /etc

Answer(s): C

Explanation:

Comprehensive and Detailed Explanation From Exact Extract:

On Apple iOS devices, deleted files are often moved to a hidden Trash folder before permanent deletion. The directory /.Trashes/501 is a hidden folder where deleted files for user ID 501 (the first user created on macOS/iOS devices) are temporarily stored.

This folder can contain files marked for deletion and thus is a prime location for recovery attempts.

/lost+found is a directory commonly used on Unix/Linux file systems for recovered file fragments after file system corruption but is not the default trash location on iOS.

/Private/etc and /etc contain system configuration files, not deleted user files.


Reference:

Apple forensic investigations per NIST and training manuals such as those from Cellebrite and BlackBag Technologies indicate that user-deleted files on iOS devices reside in .Trashes or similar hidden directories until permanently removed.



Susan was looking at her credit report and noticed that several new credit cards had been opened lately in her name. Susan has not opened any of the credit card accounts herself.

Which type of cybercrime has been perpetrated against Susan?

  A. Identity theft
  B. SQL injection
  C. Cyberstalking
  D. Malware

Answer(s): A

Explanation:

Comprehensive and Detailed Explanation From Exact Extract:

Identity theft occurs when an attacker unlawfully obtains and uses another person's personal information to open accounts, access credit, or commit fraud. The opening of credit cards without the victim's consent is a classic example.

SQL injection is a web application attack method that does not directly relate to this case.

Cyberstalking involves harassment via digital means and is unrelated.

Malware is malicious software and may be used to facilitate identity theft but is not the crime itself.


Reference:

According to the U.S. Federal Trade Commission (FTC) definitions and NIST Cybersecurity Framework, identity theft is defined as the unauthorized use of someone's personal information for fraudulent purposes, perfectly matching Susan's situation.



A company has identified that a hacker has modified files on one of the company's computers. The IT department has collected the storage media from the hacked computer.

Which evidence should be obtained from the storage media to identify which files were modified?

  A. File timestamps
  B. Private IP addresses
  C. Public IP addresses
  D. Operating system version

Answer(s): A

Explanation:

Comprehensive and Detailed Explanation From Exact Extract:

File timestamps, including creation time, last modified time, and last accessed time, are fundamental metadata attributes stored with each file on a file system. When files are modified, these timestamps usually update, providing direct evidence about when changes occurred. Examining file timestamps helps forensic investigators identify which files were altered and estimate the time of unauthorized activity.

IP addresses (private or public) are network-related evidence and are not stored directly in the files on the storage media.

Operating system version is system information but does not help identify specific file modifications.

Reference:

Analysis of file timestamps is a standard forensic technique endorsed by NIST SP 800-86 (Guide to Integrating Forensic Techniques into Incident Response) for determining file activity and changes on digital media.



An organization has identified a system breach and has collected volatile data from the system.

Which evidence type should be collected next?

  A. Running processes
  B. Network connections
  C. Temporary data
  D. File timestamps

Answer(s): B

Explanation:

Comprehensive and Detailed Explanation From Exact Extract:

In incident response, after collecting volatile data (such as contents of RAM), the next priority is often to collect network-related evidence such as active network connections. Network connections can reveal ongoing communications, attacker activity, command and control channels, or data exfiltration paths.

Running processes and temporary data are also volatile but are typically collected at the same time as, or immediately after, volatile memory.

File timestamps relate to non-volatile data and are collected later after volatile data acquisition to preserve evidence integrity.

Reference:

This sequence is supported by NIST SP 800-86 and the SANS Incident Handler's Handbook, which emphasize the volatility of evidence and recommend capturing network state immediately after memory.



Where is the default location for 32-bit programs installed by a user on a 64-bit version of Windows 7?

  A. C:\ProgramData
  B. C:\Program Files
  C. C:\Windows
  D. C:\Program Files (x86)

Answer(s): D

Explanation:

Comprehensive and Detailed Explanation From Exact Extract:

On 64-bit versions of Windows operating systems (including Windows 7), 32-bit applications are installed by default into the folder C:\Program Files (x86). This separation allows the OS to distinguish between 64-bit and 32-bit applications and apply appropriate system calls and redirection.

C:\Program Files is reserved for native 64-bit applications.

C:\ProgramData contains application data shared across users.

C:\Windows contains system files, not program installations.

Reference:

This structure is documented in Microsoft Windows Internals and Windows Forensics guides, including official NIST guidelines on Windows forensic investigations.


