Digital Forensics in Cybersecurity (D431/C840) Course Exam Online Practice
Last updated: December 9, 2025
Through these online practice questions you can gauge how well you know the WGU Digital Forensics in Cybersecurity exam material before deciding whether to register for the exam.
If you want to pass the exam 100% and cut your preparation time by 35%, choose the Digital Forensics in Cybersecurity dump (latest real exam questions), which currently includes the 74 newest exam questions and answers.
Answer:
Explanation:
Comprehensive and Detailed Explanation From Exact Extract:
The /Library/Receipts folder on Mac OS X contains receipts that track software installation and updates, including system and application updates. This folder helps forensic investigators determine which updates were installed and when, useful for detecting suspicious or unauthorized software installations like spyware.
/var/spool/cups is related to printer spooling.
/var/log/daily.out contains daily system log summaries but not detailed update records.
/var/vm contains virtual memory files.
NIST and Apple forensics documentation indicate that /Library/Receipts is a key location for examining software installation history.
Answer:
Explanation:
Comprehensive and Detailed Explanation From Exact Extract:
The ForwardedEvents log in Windows 7 is specifically designed to store events collected from remote computers via event forwarding. This log is part of the Windows Event Forwarding feature used in enterprise environments to centralize event monitoring.
The System and Application logs store local system and application events.
The Security log stores local security-related events.
ForwardedEvents collects and stores events forwarded from other machines.
Microsoft documentation and NIST SP 800-86 mention the use of ForwardedEvents for centralized event log collection in investigations.
Answer:
Explanation:
Comprehensive and Detailed Explanation From Exact Extract:
The /etc directory on Unix-based systems, including macOS, contains important system configuration files and scripts. It is the standard location for system-wide configuration data.
/var contains variable data like logs and spool files.
/bin contains essential binary executables.
/cfg is not a standard directory in macOS.
This is standard Unix/Linux directory structure knowledge and is reflected in NIST and forensic references for macOS.
Answer:
Explanation:
Comprehensive and Detailed Explanation From Exact Extract:
The .bash_history file located in each user’s home directory (e.g., /Users/<user>/.bash_history) records the history of shell commands entered by the user in bash shell sessions. Reviewing this file allows investigators to see the commands executed by a specific user.
/var/vm contains virtual memory swap files, not command history.
/var/log contains system logs but not individual user shell command history.
/Users/<user>/Library/Preferences stores application preferences.
NIST guidelines and macOS forensics literature confirm .bash_history as the standard location for shell command histories on OS X systems.
Answer:
Explanation:
Comprehensive and Detailed Explanation From Exact Extract:
SMTP (Simple Mail Transfer Protocol) is the protocol used to send email messages from a client to a mail server or between mail servers; it handles the transmission of outgoing mail.
IMAP and POP3 are for receiving emails.
SNMP is unrelated to email delivery.
This is documented in RFC 5321 and supported by all standard email system operations, including forensic analyses.
Answer:
Explanation:
Comprehensive and Detailed Explanation From Exact Extract:
An email header contains metadata about the email including sender, receiver, routing information, and content details. The Content-Type header specifies the media type of the email body (e.g., text/plain, text/html, multipart/mixed), indicating how the email content should be interpreted.
Sender's MAC address is not typically included in email headers. Number of pages is not relevant to email metadata. Message-Digest is a term related to cryptographic hashes but is not a standard email header field.
Reference: RFC 5322 and forensic email analysis references outline that email headers contain fields like Content-Type describing the format of the message content, essential for proper parsing and forensic examination.
Answer:
Explanation:
Comprehensive and Detailed Explanation From Exact Extract:
Microsoft Exchange Server uses the .edb file extension for its Extensible Storage Engine (ESE) database files. These .edb files contain the mailbox data including emails, calendar items, and contacts.
.nsf is used by IBM Lotus Notes.
.mail and .db are generic extensions but not standard for Exchange.
The .edb file is the primary data store for Exchange mailboxes.
Reference: According to Microsoft technical documentation and forensic manuals, the Exchange mailbox database is stored in .edb files, which forensic examiners analyze to recover email evidence.
Answer:
Explanation:
Comprehensive and Detailed Explanation From Exact Extract:
Eudora email client uses the .mbx file extension to store email messages. The .mbx format stores emails in a mailbox file similar to the standard mbox format used by other email clients.
.dbx is used by Microsoft Outlook Express.
.ost and .pst are file types used by Microsoft Outlook.
Therefore, .mbx is specific to Eudora.
Reference: Digital forensics literature and software documentation clearly indicate Eudora’s .mbx file format as the repository for its email storage.
Answer:
Explanation:
Comprehensive and Detailed Explanation From Exact Extract:
The SAM (Security Account Manager) file located in the Windows\System32\config directory stores hashed local user account passwords. It can be accessed and extracted using a live CD or bootable forensic tool, which allows the forensic investigator to bypass the running operating system and avoid altering the evidence.
IPSec is related to network security policies, not password storage.
HAL (Hardware Abstraction Layer) is a system file managing hardware interaction.
Ntldr (NTLDR) is the boot loader file in Windows NT-family systems.
Cracking password hashes extracted from the SAM file is a common forensic practice to recover user passwords during investigations.
Reference: NIST Special Publication 800-86 and Windows forensic textbooks confirm that the SAM file is the repository of local password hashes accessible via forensic live CDs or imaging.
Answer:
Explanation:
Comprehensive and Detailed Explanation From Exact Extract:
Windows stores the hashes of local user account passwords in the SAM (Security Account Manager) file, which is located in the Windows\System32\config directory. This file is a critical component in the Windows security infrastructure.
The registry paths in A and B refer to network profiles and wireless configuration data, unrelated to password storage.
The "Security" file also resides in the System32\config folder but stores security policy data rather than password hashes.
The SAM file stores password hashes and is targeted in forensic investigations for credential recovery.
Reference: Microsoft technical documentation and NIST digital forensics standards explain that the SAM file is the definitive source for local user password hashes in Windows systems.
Answer:
Explanation:
Comprehensive and Detailed Explanation From Exact Extract:
Real evidence (also called physical evidence) refers to tangible objects that are involved in the crime or relevant to the investigation. A USB flash drive is physical evidence because it is an actual device containing potentially relevant digital data.
Documentary evidence refers to written or recorded information, not physical devices.
Demonstrative evidence is used to illustrate or clarify facts (e.g., models, charts).
Testimonial evidence is oral or written statements provided by witnesses.
Reference: Digital forensics principles and legal evidentiary classifications (as outlined by NIST and court-admissibility guidelines) clearly categorize physical devices like USB drives as real evidence.
Answer:
Explanation:
Comprehensive and Detailed Explanation From Exact Extract:
The Windows Security Account Manager (SAM) file stores hashed passwords for local Windows user accounts. These hashes are used to authenticate users without storing plaintext passwords.
The SAM file stores local account password hashes, not network passwords. Passwords are hashed (not encrypted) using the LM or NT (NTLM) hash algorithms. Network password management occurs elsewhere (e.g., Active Directory).
Reference: NIST SP 800-86 and standard Windows forensics texts explain that the SAM file contains hashed local account credentials critical for forensic investigations involving Windows systems.
Answer:
Explanation:
Comprehensive and Detailed Explanation From Exact Extract:
Windows uses a swap file (commonly called pagefile.sys) to extend physical memory (RAM) by temporarily moving data from memory to disk when RAM is insufficient. This allows the system to handle more data than the available RAM alone could hold.
Linux and Unix typically use dedicated swap partitions or swap files but refer to them differently and manage them in other ways.
Mac OS X uses a paging file system but does not typically use a "swap file" in the Windows sense; it uses dynamic paging files instead.
The terminology "swap file" is most commonly associated with Windows.
Reference: Microsoft Windows forensics guidelines and NIST documentation describe the page file’s role in virtual memory management in Windows operating systems.
Answer:
Explanation:
Comprehensive and Detailed Explanation From Exact Extract:
Mac OS X 10.8 (Mountain Lion) uses the HFS+ (Hierarchical File System Plus) file system by default for its native storage volumes. HFS+ is Apple’s proprietary file system introduced in the late 1990s, designed for macOS.
ReiserFS is a Linux file system.
MFS (Macintosh File System) is an outdated file system replaced by HFS.
NTFS is a Windows file system.
This is well documented in Apple technical specifications and forensic analysis standards for macOS systems.
Reference: Digital forensics references including NIST guidelines and vendor documentation confirm HFS+ as the standard file system for Mac OS X versions prior to APFS adoption.
Answer:
Explanation:
Comprehensive and Detailed Explanation From Exact Extract:
The Windows swap file, or page file, is a system file used to extend physical memory by storing data that cannot fit into the RAM. When RAM is full, the OS swaps inactive data pages to this file, thus augmenting RAM capacity.
It does not replace bad sectors; that function is for disk management utilities.
It is not primarily for security but for memory management.
It is not reserved exclusively for system files but is used dynamically for memory paging.
Reference: Microsoft’s official documentation and forensic guides like NIST SP 800-86 describe the page file’s role in virtual memory management and its importance in forensic analysis because it may contain fragments of memory and sensitive information.