Use LEFT and RIGHT arrow keys to navigate between flashcards;
Use UP and DOWN arrow keys to flip the card;
H to show hint;
A reads text to speech;
174 Cards in this Set
- Front
- Back
|
To undelete a file in the FAT file system, EnCase computes the number of_______ the file will use based on the file ______. |
Clusters; file size |
|
|
ROM is an acronym for: |
Read Only Memory |
|
|
Search terms are case sensitive by default. |
False |
|
|
Within EnCase, you highlight a range of data within a file. The lengthindicator displays the value 30.How many bytes have you actually selected? |
30 |
|
|
A sector on a floppy disk is the same size as a sector on a NTFS formattedhard drive. |
True |
|
|
Pressing the power button on a computer that is running could have whichof the following results? |
The operating system will shut down normally, The computer will instantly shut off, The computer will go into stand-by mode, or Nothing will happen. |
|
|
In the EnCase environment, the term external viewers is best described as: |
Programs that are associated with EnCase to open specific file types. |
|
|
A SCSI drive is pinned as a master when it is: |
A SCSI drive is not pinned as a master. |
|
|
The term signature and header as they relate to a signature analysis are: |
Synonymous. |
|
|
Which of the following selections is NOT found in the case file? |
External viewers |
|
|
A file extension and signature can be manually added by: |
Using the new file signature feature under file signatures. |
|
|
In Windows, the file MyNote.txt is deleted from C Drive and isautomatically sent to the recycle Bin. The long filename was MyNote.txt and the shortfilename was MYNOTE.TXT. When viewing the recycle Bin with EnCase, how will the longfilename and short filename appear? |
MyNote.txt, DC0.txt |
|
|
You are investigating a case involving fraud. You seized a computer froma suspect who stated that the computer is not used by anyone other than himself. Thecomputer has Windows 98 installed on the hard drive. You find the filenameC:\downloads\check01.jpg that EnCase shows as being moved. The starting extent is0C4057. You find another filename :\downloads\chk1.dll with the starting extent 0C4057,which EnCase also shows as being moved. In the C:\Windows\System folder you find anallocated file named chk1.dll with the starting extent 0C4057. The chk1.dll file is aJPEG image of a counterfeit check. What can be deduced from your findings? |
The presence and location of the files is strong evidence the suspect committed thecrime. |
|
|
To undelete a file in the FAT file system, EnCase obtains the startingextent from the: |
Directory entry |
|
|
Which of the following would most likely be an add-in card? |
A video card that is connected to the motherboard in the AGP slot |
|
|
Which of the following is found in the FileSignatures.ini configurationfile? |
The information contained in the signature table |
|
|
The default export folder remains the same for all cases |
False |
|
|
Assume that MyNote.txt was allocated to clusters 5, 9, and 11. Cluster 6,7, and 8 belong to MyResume.doc. Both files have been deleted and the directory entryin the FAT file system for MyResume.doc has been overwritten. What clusters wouldEnCase use to undelete MyNote.txt? |
5,6,7 |
|
|
Which of the following directories contain the information that is foundon a Windows 98 Desktop? |
C:\Windows\Desktop |
|
|
If a hard drive is left in a room while acquiring, and several personshave access to that room, which of the following areas would be of most concern? |
Chain-of-custody |
|
|
In Windows 2000 and XP, which of the following directories contain userpersonal folders? |
C:\Documents and Settings |
|
|
By default, what color does EnCase use for the contents of a logicalfile? |
Black |
|
|
A hash library would most accurately be described as: |
A file containing hash values from one or more selected hash sets. |
|
|
A standard DOS 6.22 boot disk is acceptable for booting a suspect drive. |
False |
|
|
By default, EnCase will display the data from the end of a logical file,Search... Search VenderListWAPSiteFreeDownNewUpdateAboutusto the end of the cluster, in what color: |
Red |
|
|
If a hash analysis is run on a case, EnCase: |
Will compare the hash value of the files in the case to the hash library. |
|
|
Creating an image of a hard drive that was seized as evidence: |
May only be done by trained personnel because the process has the potential to alterthe original evidence. |
|
|
Which of the following selections would be used to keep track of afragmented file in the FAT file system? |
The File Allocation Table |
|
|
A suspect typed a file on his computer and saved it to a floppy diskette.The filename was MyNote.txt. You receive the floppy and the suspect's computer. Thesuspect denies that the floppy disk belongs to him. You search the suspect's computerand locate only the filename within a .LNK file. The .LNK file is located in the folderC:\Windows\Recent. How you would use the .LNK file to establish a connection betweenthe file on the floppy diskette and the suspect computer? |
The dates and time of the file found in the .LNK file, at file offset 28, and The full path of the file, found in the .LNK file |
|
|
Using good forensic practices, when seizing a computer at a businessrunning Windows 2000 Server you should: |
Shut it down normally. |
|
|
A signature analysis has been run on a case. The result !Bad Signaturemeans: |
The file signature is unknown and the file extension is known. |
|
|
A FAT directory has as a logical size of: |
0 bytes |
|
|
What are the EnCase configuration .ini files used for? |
Storing information that will be available to EnCase each time it is opened,regardless of the active case(s). |
|
|
Assume that an evidence file is added to a case, the case is saved, andthe case is closed. What happens if the evidence file is moved, and the case is thenopened? |
EnCase asks for the location of the evidence file the next time the case is opened. |
|
|
The EnCase case file can be best described as: |
A file that contains information specific to one case. |
|
|
The case file should be archived with the evidence files at thetermination of a case. |
True |
|
|
Name of this set of binary numbers: 0000 0000 0000 0000 0000 0000 0000 0000 |
Dword |
|
|
You are conducting an investigation and have encountered a computer thatis running in the field. The operating system is Windows XP. A software program iscurrently running and is visible on the screen. |
Photograph the screen and pull the plug from the back of the computer. |
|
|
An Enhanced Metafile would best be described as: |
A file format used in the printing process by Windows. |
|
|
Changing the filename of a file will change the hash value of the file. |
False |
|
|
The results of a hash analysis on an evidence file that has been added toa case will be stored in which of the following files? |
The case file |
|
|
In Unicode, one printed character is composed of ____ bytes of data. |
2 |
|
|
To generate an MD5 hash value for a file, EnCase: |
Computes the hash value based on the logical file. |
|
|
What does the acronym BIOS stand for? |
Basic Input/Output System |
|
|
The EnCase signature analysis is used to perform which of the followingactions? |
Analyzing the relationship of a file signature to its file extension. |
|
|
The spool files that are created during a print job are __________ afterthe print job is completed. |
deleted |
|
|
The following keyword was typed in exactly as shown. Choose the answer(s)that would result. All search criteria have default settings. credit card |
Credit Card, credit card |
|
|
What files are reconfigured or deleted by EnCase during the creation ofan EnCase boot disk? |
command.com , io.sys , drvspace.bin |
|
|
A hard drive was imaged using EnCase. The original drive was placed intoevidence. The restore feature was used to make a copy of the original hard drive.EnCase verifies the restored copy using: |
An MD5 hash |
|
|
Which of the following would be a true statement about the function ofthe BIOS? |
The BIOS is responsible for swapping out memory pages when RAM fills up. The BIOS integrates compressed executable files with memory addresses for fasterexecution. |
|
|
Within EnCase, what is purpose of the default export folder? |
This is the folder that will be automatically selected when the copy/unerase featureis used. |
|
|
The following keyword was typed in exactly as shown. Choose the answer(s)that would result. All search criteria have default settings. Speed and Meth |
Speed and Meth |
|
|
You are assigned to assist with the search and seizure of severalcomputers. The magistrate ordered that the computers cannot be seized unless they arefound to contain any one of ten previously identified images. You currently have theten images in JPG format. Using the EnCase methodology, how would you best handle thissituation? |
Use FastBloc or a network/parallel port cable to preview the hard drives. Conduct ahash analysis of the files on the hard drives, using a hash library containing the hashvalues of the previously identified images. |
|
|
You are working in a computer forensic lab. A law enforcementinvestigator brings you a computer and a valid search warrant. You have legal authorityto search the computer. The investigator hands you a piece of paper that has threeprinted checks on it. All three checks have the same check and account number. Youimage the suspect's computer and open the evidence file with EnCase. You perform a textsearch for the account number and check number. Nothing returns on the search results.You perform a text search for all other information found on the printed checks andthere is still nothing returned in the search results. You run a signature analysis andcheck the gallery. You cannot locate any graphical copies of the printed checks in thegallery. At this point, is it safe to say that the checks are not located on thesuspect computer? |
No. The images could be in an image format not viewable inside EnCase, No. The images could be located a compressed file,No. The images could be embedded in a document, No. The images could be in unallocated clusters. |
|
|
You are investigating a case involving fraud. You seized a computer froma suspect who stated that the computer is not used by anyone other than himself. Thecomputer has Windows 98 installed on the hard drive. You find the filenameC:\downloads\check01.jpg?that EnCase shows as being moved. The starting extent is0C4057. You find another filename C:\downloads\chk1.dll with the starting extent0C4057, which EnCase also shows as being moved. In the C:\windows\System folder youfind an allocated file named chk1.dll with the starting extent 0C4057. The chk1.dllfile is a JPEG image of a counterfeit check. Could this information be used to refutethe suspect claim that he never knew it was on the computer? |
Yes, because the chk1.dll file was moved and renamed. |
|
|
How many partitions can be found in the boot partition table found at thebeginning of the drive? |
4 |
|
|
In hexadecimal notation, one byte is represented by _____ character(s). |
2 |
|
|
The EnCase evidence file is best described as: |
A bit stream image of the source hard drive written to a file, or several filesegments. |
|
|
In Windows 98 and ME, Internet based e-mail, such as Hotmail, will mostlikely be recovered in the _____________________ folder. |
C:\Windows\Temporary Internet files |
|
|
When an EnCase user double-clicks on a valid .jpg file, that file is: |
Copied to the EnCase specified temp folder and opened by an associated program. |
|
|
When a drive letter is assigned to a logical volume, that information istemporarily written the volume boot record on the hard drive. |
False |
|
|
A hash set would most accurately be described as: |
A group of hash values that can be added to the hash library. |
|
|
When a file is deleted in the FAT or NTFS file systems, what happens tothe data on the hard drive? |
Nothing |
|
|
Temp files created by EnCase are deleted when EnCase is properly closed. |
True |
|
|
For an EnCase evidence file acquired with a hash value to passverification, which of the following must be true? |
The CRC values and the MD5 hash value both must verify. |
|
|
The EnCase default export folder is: |
A case-specific setting that can be changed. |
|
|
A standard Windows 98 boot disk is acceptable for booting a suspectdrive. |
False |
|
|
Which of the following aspects of the EnCase evidence file can be changed during a reacquire of the evidence file? |
You cannot change the investigator name, the evidence number, the acquisition notes. |
|
|
EnCase can build a hash set of a selected group of files. |
True |
|
|
The signature table data is found in which of the following files? |
The configuration FileSignatures.ini file |
|
|
The following keyword was typed in exactly as shown. Choose the answer(s)that would result. All search criteria have default settings. Tom Jones |
Tom Jones, tom jones |
|
|
When a document is printed using EMF in Windows, what file(s) aregenerated in the spooling process? |
The .SPL file and The .S |
|
|
EnCase uses the _________________ to conduct a signature analysis. |
file signature table |
|
|
The MD5 hash algorithm produces a _____ number |
128 bit |
|
|
The Windows 98 Start Menu has a selection called documents which displaysa list of recently used files. Which of the following folders contain those files? |
C:\Windows\Recent |
|
|
The first sector on a hard drive is called the: |
Master boot record |
|
|
Before utilizing an analysis technique on computer evidence, theinvestigator should: |
Be trained in the employment of the technique.
Test the technique on simulated evidence in a controlled environment to confirm thatthe results are consistent. |
|
|
A signature analysis has been run on a case. The result ?*JPEG ?in thesignature column means: |
The file signature is a JPEG signature and the file extension is incorrect. |
|
|
EnCase marks a file as overwritten when _____________ has been allocatedto another file. |
the starting cluster of the file |
|
|
Will EnCase allow a user to write data into an acquired evidence file? |
No. Data cannot be added to the evidence file after the acquisition is made. |
|
|
When undeleting a file in the FAT file system, EnCase will check the_____________ to see if it has already been overwritten. |
FAT |
|
|
4 bits allows what number of possibilities? |
16 |
|
|
An evidence file can be moved to another directory without changing thefile verification. |
True |
|
|
If cases are worked on a lab drive in a secure room, without any cleaningof the contents of the drive, which of the following areas would be of most concern? |
Cross-contamination |
|
|
A personal data assistant was placed in a evidence locker until anexaminer has time to examine it. Which of the following areas would require specialattention? |
Storage |
|
|
Which statement would most accurately describe a motherboard? |
The main circuit board that has slots for the microprocessor, RAM, ROM, and add-incards. |
|
|
The EnCase methodology dictates that the lab drive for evidence have a__________ prior to making an image. |
unique volume label |
|
|
When a file is deleted in the FAT file system, what happens to thefilename? |
The first character of the directory entry is marked with a hex E5. |
|
|
Which of the following is commonly used to encode e-mail attachments? |
Base64 |
|
|
The FAT in the File Allocation Table file system keeps track of: |
File fragmentation, Every addressable cluster on the partition, and Clusters marked as bad |
|
|
What information should be obtained from the BIOS during computerforensic investigations? |
The date and time, The boot sequence |
|
|
Search terms are stored in what .ini configuration file? |
Keywords.ini |
|
|
Search results are found in which of the following files? |
The case file |
|
|
When Unicode is selected for a search keyword, EnCase |
Will find the keyword if it is either Unicode or ASCII. |
|
|
How many clusters can a FAT 16 system address? |
65,536 |
|
|
You are at an incident scene and determine that a computer containsevidence as described in the search warrant. When you seize the computer, you should: |
Record the location that the computer was recovered from, Record the identity of the person(s) involved in the seizure, and Record the date and time the computer was seized. |
|
|
EnCase is able to read and examine which of the following file systems? |
NTFS FAT EXT3 HFS |
|
|
The Unicode system can address ____ characters? |
65,536 |
|
|
The following keyword was typed in exactly as shown. Choose the answer(s)that would be found. All search criteria have default settings. Tom |
Tomorrow, Tom, Stomp, TomJ@hotmail.com |
|
|
The temporary folder of a case cannot be changed once it has been set. |
False |
|
|
The maximum file segment size for an EnCase evidence file is: |
2000 MB |
|
|
A restored floppy diskette will have the same hash value as the originaldiskette. |
True |
|
|
GREP terms are automatically recognized as GREP by EnCase. |
False |
|
|
How many copies of the FAT are located on a FAT 32, Windows 98-formattedpartition? |
2 |
|
|
By default, what color does EnCase use for slack? |
Red |
|
|
RAM is tested during which phase of the power-up sequence? |
During POST |
|
|
Searches and bookmarks are stored in the evidence file. |
False |
|
|
RAM is an acronym for: |
Random Access Memory |
|
|
When handling computer evidence, an investigator should: |
Avoid making any changes to the original evidence. |
|
|
The case number in an evidence file can be changed without causing theverification feature to report an error, if: |
The case information cannot be changed in an evidence file, without causing theverification feature to report an error. |
|
|
In the FAT file system, the size of a deleted file can be found: |
In the directory entry |
|
|
A sector on a hard drive contains how many bytes? |
512 |
|
|
You are an investigator and have encountered a computer that is runningat the home of a suspect. The computer does not appear to be a part of a network. Theoperating system is Windows XP Home. No programs are visibly running. You should: |
Pull the plug from the back of the computer. |
|
|
The EnCase methodology dictates that ________ be created prior toacquiring evidence. |
A unique directory on the lab drive for case management |
|
|
This question addresses the EnCase for Windows search process. If atarget word is located in the unallocated space, and the word is fragmented betweenclusters 10 and 15, the search: |
Will not find it because the letters of the keyword are not contiguous. |
|
|
When does the POST operation occur? |
When the power button to a computer is turned on. |
|
|
Which is the proper formula for determining the size in bytes of a harddrive that uses cylinders (C), heads (H), and sectors (S) geometry? |
C X H X S X 512 |
|
|
If cluster #3552 entry in the FAT table contains a value of this would mean: |
The cluster is unallocated |
|
|
The acronym ASCII stands for: |
American Standard Code for Information Interchange |
|
|
You are examining a hard drive that has Windows XP installed as theoperating system. You see a file that has a date and time in the deleted column. Wheredoes that date and time come from? |
Info2 file |
|
|
Within EnCase, what is the purpose of the temp folder? |
This is the folder used to hold copies of files that are sent to external viewers. |
|
|
Select the appropriate name for the below area of the binarynumbers. 0000 0000 0000 0000 |
Word |
|
|
To later verify the contents of an evidence file? |
EnCase writes a CRC value for every 64 sectors copied. |
|
|
Assume that MyNote.txt has been deleted. The FAT file system directory entry for that file has been overwritten. The data for MyNote.txt is now: |
Unallocated |
|
|
An evidence file was archived onto five CD-Rom disks with the third filesegment on disk number three. Can the contents of the third file segment be verified byitself while still on the CD? |
Yes. Any segment of an evidence file can be verified through re-computing andcomparing the CRCs, even if it is on a CD. |
|
|
The EnCase evidence file logical filename can be changed without affecting the verification of the acquired evidence. |
True |
|
|
If an evidence file has been added to a case and completely verified,what happens if the data area within the evidence file is later changed? |
EnCase will detect the error when that area of the evidence file is accessed by theuser. EnCase detect the error if the evidence file is manually re-verified. EnCase will allow the examiner to continue to access the rest of the evidence filethat has not been changed. |
|
|
The BIOS chip on an IBM clone computer is most commonly located on: |
The motherboard |
|
|
Consider the following path in a FAT file system: C:\My Documents\MyPictures\Bikes. Where does the directory bikes receive its name? |
From the My Pictures directory |
|
|
The following GREP expression was typed in exactly as shown. Choose theanswer(s) that would result. 800[) \-]+555-1212 |
(800) 555-1212 |
|
|
How does EnCase verify that the case information (Case Number, Evidence Number, Investigator Name, etc) in an evidence file has not been damaged or changed,after the evidence file has been written? |
EnCase writes a CRC value of the case information and verifies the CRC value when the evidence is added to a case. |
|
|
Which of the following statements is more accurate? |
The Recycle Bin increases the chance of locating the existence of a file on acomputer. |
|
|
The first sector on a volume is called the: |
Volume boot sector or record |
|
|
When an EnCase user double-clicks on a file within EnCase whatdetermines the action that will result? |
The settings in the FileTypes.ini file. |
|
|
The following GREP expression was typed in exactly as shown. Choose theanswer(s) that would result. Bob@[a-z]+.com |
Bob@America.com |
|
|
The following GREP expression was typed in exactly as shown. Choose theanswer(s) that would result. [^a-z]Tom[^a-z] |
Tom |
|
|
The following GREP expression was typed in exactly as shown. Choose theanswer(s) that would result. [\x00-\x05]\x00\x00\x00?[\x00-\x05]\x00\x00\x00 |
04 00 00 00 FF FF BA |
|
|
This question addresses the EnCase for Windows search process. If atarget word is within a logical file, and it begins in cluster 10 and ends in cluster15 (the word is fragmented), the search: |
Will find it because EnCase performs a logical search. |
|
|
When a file is deleted in the FAT file system, what happens to the FAT? |
The FAT entries for that file are marked as available. |
|
|
In DOS and Windows, how many bytes are in one FAT directory entry? |
32 |
|
|
When a non-compressed evidence file is reacquired with compression, the acquisition and verification hash values for the evidence will remain the same for both files. |
True |
|
|
An EnCase evidence file of a hard drive ________ be restored to anotherhard drive of equal or greater size. |
Can |
|
|
A hard drive has been formatted as NTFS and Windows XP was installed.The user used fdisk to remove all partitions from that drive. Nothing else was done.You have imaged the drive and have opened the evidence file with EnCase. What would bethe best way to examine this hard drive? |
Use the add Partition feature to rebuild the partition and then examine the system |
|
|
How are the results of a signature analysis examined? |
By sorting on the signature column in the table view. |
|
|
A CPU is: |
A chip that would be considered the brain of a computer, which is installed on amotherboard. |
|
|
If a floppy diskette is in the a drive, the computer will always boot tothat drive before any other device. |
False |
|
|
During the power-up sequence, which of the following happens first? |
The power On Self-Test. |
|
|
A hard drive has 8 sectors per cluster. File Mystuff.doc has a logicalfile size of 13,000 bytes. How many clusters will be used by Mystuff.doc? |
3 |
|
|
Select the appropriate name for the below set of the binarynumbers. 0 |
Bit |
|
|
The end of a logical file to the end of the cluster that the file ends in is called: |
Slack |
|
|
The boot partition table found at the beginning of a hard drive islocated in what sector? |
Master boot record |
|
|
What information in a FAT file system directory entry refers to thelocation of a file on the hard drive? |
The starting cluster |
|
|
The following GREP expression was typed in exactly as shown. Choose the answer(s) that would result. Jan 1 st , 2?0?00 |
Jan 1st, 2000 |
|
|
EnCase can make an image of a USB flash drive. |
True |
|
|
All investigators using EnCase should run tests on the evidence file acquisition and verification process to: |
Further the investigator understanding of the evidence file. Give more weight to the investigator testimony in court. Insure that the investigator is using the proper method of acquisition. |
|
|
Within EnCase, clicking on save on the toolbar affects what file(s)? |
The open case file |
|
|
Hash libraries are commonly used to: |
Identify files that are already known to the user. |
|
|
A logical file would be best described as: |
The data from the beginning of the starting cluster to the length of the file. |
|
|
You are investigating a case of child pornography on a hard drivecontaining Windows XP. In theC:\Documents and Settings\Bad Guy\Local Settings\Temporary Internet Files folder youfind three images of child pornography. You find no other copies of the images on thesuspect hard drive, and you find no other copies of the filenames. What can be deducedfrom your findings? |
The presence and location of the images is not strong evidence of possession. |
|
|
Which of the following items could contain digital evidence? |
Cellular phones Digital cameras Personal assistant devices Credit card readers |
|
|
Bookmarks are stored in which of the following files? |
The case file |
|
|
Two allocated files can occupy one cluster, as long as they can both fitwithin the allotted number of bytes. |
False |
|
|
A SCSI host adapter would most likely perform which of the followingtasks? |
Make SCSI hard drives and other SCSI devices accessible to the operating system. |
|
|
How does EnCase verify that the evidence file contains an exact copy ofthe suspect hard drive? |
By means of an MD5 hash of the suspect hard drive compared to an MD5 hash of thedata stored in the evidence file. |
|
|
In DOS acquisition mode, if a physical drive is detected, but nopartition information is displayed, what would be the cause: |
There are no partitions present, and The partition scheme is not recognized by DOS. |
|
|
RAM is used by the computer to: |
Temporarily store electronic data that is being processed. |
|
|
If cluster number 10 in the FAT contains the number 55, this means: |
That cluster 10 is used and the file continues in cluster number 55. |
|
|
Within EnCase for Windows, the search process is: |
A search of the logical files, a search of the physical disk in unallocated clusters and other unused disk areas |
|
|
A physical file size is: |
The total size of all the clusters used by the file measured in bytes. |
|
|
A case file can contain ____ hard drive images? |
Any number of |
|
|
When can an evidence file containing a NTFS partition be logicallyrestored to a FAT 32 partition? |
Never |
|
|
Select the appropriate name for the below area of the binarynumbers. 0000 |
Nibble |
|
|
C:\ volume of the hard drive are not made by DOS when acomputer is booted with a standard DOS 6.22 boot disk. |
False |
|
|
Select the appropriate name for the below area of the binary numbers. 0000 0000 |
Byte |
