Cisco
CompTIA
ISC
EC-Council
EXIN
Fortinet
ITIL
Juniper
Microsoft
VMware
Avaya
SAP
Google
NVIDIA
Salesforce
Amazon
Palo Alto Networks
ISC2
Splunk
ServiceNow
All Vendors
  2. Home
  3. Exams
  4. WGU
  5. Digital-Forensics-in-Cybersecurity

WGU Digital-Forensics-in-Cybersecurity Exam Questions
Digital Forensics in Cybersecurity (D431/C840) Course (Page 7 )

Updated On: 28-Feb-2026
Page 3 of 16
PDF with 74 Questions

A company has identified that a hacker has modified files on one of the company's computers. The IT department has collected the storage media from the hacked computer.

Which evidence should be obtained from the storage media to identify which files were modified?

  1. File timestamps
  2. Private IP addresses
  3. Public IP addresses
  4. Operating system version

Answer(s): A

Explanation:

Comprehensive and Detailed Explanation From Exact Extract:

File timestamps, including creation time, last modified time, and last accessed time, are fundamental metadata attributes stored with each file on a file system.
When files are modified, these timestamps usually update, providing direct evidence about when changes occurred. Examining file timestamps helps forensic investigators identify which files were altered and estimate the time of unauthorized activity.

IP addresses (private or public) are network-related evidence, not stored on the storage media's files directly.

Operating system version is system information but does not help identify specific file modifications.

Analysis of file timestamps is a standard forensic technique endorsed by NIST SP 800-86 (Guide to Integrating Forensic Techniques into Incident Response) for determining file activity and changes on digital media.



An organization has identified a system breach and has collected volatile data from the system.

Which evidence type should be collected next?

  1. Running processes
  2. Network connections
  3. Temporary data
  4. File timestamps

Answer(s): B

Explanation:

Comprehensive and Detailed Explanation From Exact Extract:

In incident response, after collecting volatile data (such as contents of RAM), the next priority is often to collect network-related evidence such as active network connections. Network connections can reveal ongoing communications, attacker activity, command and control channels, or data exfiltration paths.

Running processes and temporary data are also volatile but typically collected simultaneously or immediately after volatile memory.

File timestamps relate to non-volatile data and are collected later after volatile data acquisition to preserve evidence integrity.

This sequence is supported by NIST SP 800-86 and SANS Incident Handler's Handbook which emphasize the volatility of evidence and recommend capturing network state immediately after memory.



Where is the default location for 32-bit programs installed by a user on a 64-bit version of Windows 7?

  1. C:\ProgramData
  2. C:\Program files
  3. C:\Windows
  4. C:\Program files (x86)

Answer(s): D

Explanation:

Comprehensive and Detailed Explanation From Exact Extract:

On 64-bit versions of Windows operating systems (including Windows 7), 32-bit applications are installed by default into the folder C:\Program Files (x86). This separation allows the OS to distinguish between 64-bit and 32-bit applications and apply appropriate system calls and redirection.

C:\Program Files is reserved for native 64-bit applications.

C:\ProgramData contains application data shared across users.

C:\Windows contains system files, not program installations.

This structure is documented in Microsoft Windows Internals and Windows Forensics guides, including official NIST guidelines on Windows forensic investigations.



Which principle of evidence collection states that access to evidence must be tracked from the time it is seized through its use in court?

  1. Evidence record
  2. Chain of custody
  3. Event log
  4. Audit log

Answer(s): B

Explanation:

Comprehensive and Detailed Explanation From Exact Extract:

The Chain of Custody (CoC) is the documented and unbroken transfer record of evidence handling, from seizure to presentation in court. It ensures that the evidence has been preserved, controlled, and protected from tampering or alteration.

Evidence record documents evidence details but is less formal than CoC.

Event log and audit log are system-generated records and do not replace the formal CoC.

CoC is a fundamental forensic principle as outlined by NIST SP 800-86 and the Scientific Working Group on Digital Evidence (SWGDE) best practices, ensuring evidence admissibility and reliability in legal proceedings.



A forensics investigator is investigating a Windows computer which may be collecting data from other computers on the network.

Which Windows command line tool can be used to determine connections between machines?

  1. Telnet
  2. Xdetect
  3. Openfiles
  4. Netstat

Answer(s): D

Explanation:

Comprehensive and Detailed Explanation From Exact Extract:

Netstat is a standard Windows command line utility that displays active network connections, routing tables, and network interface statistics. It is widely used in forensic investigations to identify current and past TCP/IP connections, including IP addresses and port numbers associated with remote hosts. This information helps investigators identify if the suspect computer has active connections to other machines potentially used for data collection or command and control.

Telnet is a protocol used to connect to remote machines but does not display current network connections.

Openfiles shows files opened remotely but not network connection details.

Xdetect is not a standard Windows tool and not recognized in forensic investigations.


Reference:

According to NIST SP 800-86 and SANS Digital Forensics guidelines, netstat is an essential tool for gathering network-related evidence during system investigations.






Post your Comments and Discuss WGU Digital-Forensics-in-Cybersecurity exam dumps with other Community members:

Join the Digital-Forensics-in-Cybersecurity Discussion