Free Practice Questions for WGU Digital-Forensics-in-Cybersecurity Exam

Comprehensive and Detailed Explanation From Exact Extract:

The/Library/Receiptsfolder on Mac OS X contains receipts that track software installation and updates, including system and application updates. This folder helps forensic investigators determine which updates were installed and when, useful for detecting suspicious or unauthorized software installations like spyware.

/var/spool/cupsis related to printer spooling.

/var/log/daily.outcontains daily system log summaries but not detailed update records.

/var/vmcontains virtual memory files.

NIST and Apple forensics documentation indicate that/Library/Receiptsis a key location for examining software installation history.

Comprehensive and Detailed Explanation From Exact Extract:

Windows stores the hashes of local user account passwords in the SAM (Security Account Manager) file, which is located in theWindows\System32\configdirectory. This file is a critical component in the Windows security infrastructure.

The registry paths in A and B refer to network profiles and wireless configuration data, unrelated to password storage.

The "Security" file also resides in theSystem32\configfolder but stores security policy data rather than password hashes.

The SAM file stores password hashes and is targeted in forensic investigations for credential recovery.

Comprehensive and Detailed Explanation From Exact Extract:

Snow is a tool that encodes hidden messages using whitespace characters (spaces and tabs), which can be embedded in text and sometimes in image file metadata or formats that allow invisible characters. It is commonly used to hide data in plain sight, including within digital images.

Steganophony focuses on hiding data in VoIP.

Wolf is not recognized as a steganography tool for whitespace.

QuickStego is another tool for text-based steganography but less commonly associated with whitespace specifically.

Forensic and cybersecurity literature often cites Snow as the preferred tool for whitespace-based steganography.

Comprehensive and Detailed Explanation From Exact Extract:

The ipconfig command executed at a Windows command prompt displays detailed network configuration information such as IP addresses, subnet masks, and default gateways. Collecting this information prior to seizure preserves volatile evidence relevant to the investigation.

Documenting network settings supports the understanding of the suspect system's connectivity at the time of seizure.

NIST recommends capturing volatile data (including network configuration) before shutting down or disconnecting a suspect machine.

Comprehensive and Detailed Explanation From Exact Extract:

Eudora email client uses the.mbxfile extension to store email messages. The.mbxformat stores emails in a mailbox file similar to the standard mbox format used by other email clients.

.dbxis used by Microsoft Outlook Express.

.ostand.pstare file types used by Microsoft Outlook.

Therefore,.mbxis specific to Eudora.

Comprehensive and Detailed Explanation From Exact Extract:

On Apple iOS devices, deleted files are often moved to a hidden Trash folder before permanent deletion. The directory/.Trashes/501is a hidden folder where deleted files for user ID 501 (the first user created on macOS/iOS devices) are temporarily stored.

This folder can contain files marked for deletion and thus is a prime location for recovery attempts.

/lost+foundis a directory commonly used on Unix/Linux file systems for recovered file fragments after file system corruption but is not the default trash location on iOS.

/Private/etcand/etccontain system configuration files, not deleted user files.

Comprehensive and Detailed Explanation From Exact Extract:

An email header contains metadata about the email including sender, receiver, routing information, and content details. TheContent-Typeheader specifies the media type of the email body (e.g., text/plain, text/html, multipart/mixed), indicating how the email content should be interpreted.

Sender's MAC address is not typically included in email headers.

Number of pages is not relevant to email metadata.

Message-Digest is a term related to cryptographic hashes but is not a standard email header field.

Comprehensive and Detailed Explanation From Exact Extract:

The Windows Security Account Manager (SAM) file stores hashed passwords for local Windows user accounts. These hashes are used to authenticate users without storing plaintext passwords.

The SAM file stores local account password hashes, not network passwords.

Passwords are hashed (not encrypted) using algorithms like NTLM or LM hashes.

Network password management occurs elsewhere (e.g., Active Directory).

Comprehensive and Detailed Explanation From Exact Extract:

When collecting evidence from a running system, volatile and critical evidence such as security logs should be collected first as they are most susceptible to being overwritten or lost. Security logs may contain valuable information on unauthorized access or malicious activity.

Chat room logs, recently accessed files, and temporary internet files are important but often less volatile or can be recovered from disk later.

NIST SP 800-86 and SANS Incident Response Guidelines prioritize the collection of volatile logs and memory contents first.

This approach helps ensure preservation of time-sensitive data critical for forensic analysis.

Comprehensive and Detailed Explanation From Exact Extract:

Before connecting an iPhone to a forensic workstation, the investigator must ensure that the phone doesnotsync with the computer automatically. Automatic syncing may alter, delete, or overwrite evidence stored on the device or the computer, compromising forensic integrity.

Jailbreak mode is not necessary and can complicate forensic analysis.

Powering off the device prevents acquisition of volatile data.

Root privileges (jailbreak) may aid access but are not mandatory before connection.

NIST mobile device forensic guidelines emphasize disabling automatic sync to preserve data integrity during acquisition.