Constructed to maintain the authenticity and integrity of the original evidence
Evidence File
The use of this type of file is to demonstrate how the evidence is preserved.
Evidence File
Evidence File is also known as a _____ file.
Image
Bit by Bit copy of the original file or hard drive.
Image / Evidence File
Using Encase preserves the data of an Image / Evidence file and also adds pertinent information that helps preserve the _____ __ ______.
Chain of Custody
MD5 stands for :
Message Digest 5
CRC stands for:
Cyclical Redundancy Check
Hash algorithm that reduces a data stream to a 128-bit value (written as 32 hexadecimal digits).
MD5
On the order of 2^___ guesses are needed to find an input that matches a given MD5 hash (a preimage; MD5 is a hash, not encryption). Caveat: MD5 collisions (two different inputs with the same hash) have been practical since 2004, so an adversary can craft two files that share an MD5. The hash still reliably detects accidental or after-the-fact change to an acquired image.
128
The odds of two files that were not deliberately crafted having the same MD5 are _____.
remote
32-bit checksum algorithm
CRC
There are only 2^__ possible CRC values, so two arbitrary files have roughly a one-in-four-billion chance of sharing one.
32
CRC is _____ than MD5 because it is a much simpler computation (it has only about 4 billion possible values, so it is not a substitute for a cryptographic hash).
faster
MD5 involves many more ______, and therefore uses more system resources.
calculations
Encase uses both CRC and MD5 but ___ is used more.
CRC
What are the three file components of an evidence file?
1. Header
2. Data Blocks
3. File Integrity Component
This appears at the front of the evidence file, and the data blocks immediately follow.
Header
Each one is verified with its own CRC.
Data Blocks
Is spread throughout the file rather than located in one place.
File Integrity Component
The ___ is written after the header and after each block.
CRC
When all of the data blocks have been hashed with MD5, what appears at the end of the physical layout?
Acquisition hash
An MD5 hash is calculated only on the ____.
data
The header contains what five things?
1. Evidence name and number
2. Notes
3. Date/time of acquisition
4. Version of Encase used
5. OS under which the acquisition took place.
After the header is CRC'd it is compressed. Why?
Saves space and keeps the header from being trivially altered as clear-text data.
Where is the header placed after being CRC'd and compressed?
Front of the evidence file
The default block size for an evidence file is __ sectors
64
Once the data is in memory, a ___ is computed for the sectors.
CRC
Once all the data has been CRC'd, there is no more ____ to process.
data
Once there is no more data to CRC, the acquisition hash is completed and written to the _____ of the evidence file.
last/end
The MD5 is part of the _____ contained in the final segment.
metadata
_____ segments of a spanned evidence file do not carry the header again.
subsequent
Once you see the ___ value you know it is the end along with the metadata.
MD5
If the acquisition drive fills up, you will have to _____ the evidence file across another drive.
span
EnCase allows spanning; two drives may have the same nominal capacity (say 80 GB) but not the same number of _____.
sectors
EnCase adds some overhead when imaging a drive, so it is advised to use a _____ drive for acquisition.
larger
After the image is created, the file is added to an ____ case.
open
File verification occurs automatically to provide data _____.
integrity
Each block of data in the evidence file is subject to verification ___ calculation.
CRC
The verification CRC must match the CRC values calculated when it was ____.
acquired
An error is reported if a block is not _____.
verified
Verification occurs for all _____.
blocks
The blocks of data are also subject to verification of the MD5 hash and this is called the _____ hash value.
Verification
You can change the block size. The default of 64 sectors is usually fine, but a _____ block does speed up acquisition.
larger
The caveat to doubling the block size is that CRC values are then written every ___ sectors instead of every 64.
128
If a sector were _____, the whole 128-sector block would be unusable rather than only 64 sectors.
corrupted
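As an added illustration (not EnCase's own code and not the real EWF format), the following Python models the layout the cards above describe: a header with its own CRC, a CRC-32 after every block of 64 sectors, and an MD5 acquisition hash computed over the data only. Verification recomputes every CRC and the MD5 and names the block that failed, which is the property that makes a larger block size cost more data when one sector is damaged. The fixed 64-byte header, little-endian CRC placement, and all helper names are this example's assumptions.

```python
import hashlib
import random
import zlib

SECTOR = 512
DEFAULT_BLOCK_SECTORS = 64     # EnCase default: a CRC every 64 sectors (32 KB)
HEADER_LEN = 64                # fixed-size header in this toy layout (assumption)
CRC_LEN = 4
MD5_LEN = 16


def make_header(evidence_name: str) -> bytes:
    """Fixed-size header: evidence name, NUL padded (stand-in for the real header fields)."""
    return evidence_name.encode()[:HEADER_LEN].ljust(HEADER_LEN, b"\0")


def make_device(sectors: int, seed: int = 1) -> bytes:
    """Constructed 'drive': deterministic pseudo-random sector contents."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(sectors * SECTOR))


def build_container(header: bytes, device: bytes,
                    block_sectors: int = DEFAULT_BLOCK_SECTORS) -> bytes:
    """Layout: [header][CRC32] then [block][CRC32] repeated, then MD5 of all data."""
    block_size = block_sectors * SECTOR
    out = bytearray(header + zlib.crc32(header).to_bytes(CRC_LEN, "little"))
    for i in range(0, len(device), block_size):
        block = device[i:i + block_size]
        out += block + zlib.crc32(block).to_bytes(CRC_LEN, "little")
    out += hashlib.md5(device).digest()      # acquisition hash covers the data only
    return bytes(out)


def verify_container(container: bytes,
                     block_sectors: int = DEFAULT_BLOCK_SECTORS):
    """Recompute every CRC and the MD5. Returns (md5_matches, failed) where failed
    lists 'header' and/or the indices of data blocks whose CRC did not match."""
    block_size = block_sectors * SECTOR
    failed = []
    header = container[:HEADER_LEN]
    if zlib.crc32(header).to_bytes(CRC_LEN, "little") != container[HEADER_LEN:HEADER_LEN + CRC_LEN]:
        failed.append("header")
    pos, end = HEADER_LEN + CRC_LEN, len(container) - MD5_LEN
    data, index = bytearray(), 0
    while pos < end:
        n = min(block_size, end - pos - CRC_LEN)     # the last block may be short
        block = container[pos:pos + n]
        stored = container[pos + n:pos + n + CRC_LEN]
        if zlib.crc32(block).to_bytes(CRC_LEN, "little") != stored:
            failed.append(index)
        data += block
        pos, index = pos + n + CRC_LEN, index + 1
    md5_ok = hashlib.md5(data).digest() == container[end:]
    return md5_ok, failed


def corrupt_block(container: bytes, block_index: int,
                  block_sectors: int = DEFAULT_BLOCK_SECTORS) -> bytes:
    """Flip one bit in the first byte of the given data block (simulated media damage)."""
    offset = HEADER_LEN + CRC_LEN + block_index * (block_sectors * SECTOR + CRC_LEN)
    damaged = bytearray(container)
    damaged[offset] ^= 0x01
    return bytes(damaged)


if __name__ == "__main__":
    device = make_device(200)                       # 200 sectors = 100 KB constructed drive
    evidence = build_container(make_header("EVD-001"), device)
    print("clean:  ", verify_container(evidence))
    print("damaged:", verify_container(corrupt_block(evidence, 2)))
```

A single flipped bit makes the MD5 fail, which only says "something changed"; the per-block CRCs are what localise it to block 2. Building the same device with `block_sectors=128` gives a slightly smaller container, but a damaged sector then invalidates a 128-sector block.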
When a _____ file is created you choose the file name and the storage path.
case
When creating a case file you choose the file name and the storage path. Be sure to be as ______ as possible when doing this.
consistent
Backups are created every __ minutes in EnCase.
10
Back up to _____ locations, and ideally different drives, so you do not lose the data if something happens to the drive you are working on.
different
EnCase uses ____ files located in the config folder
.ini
EnCase uses .ini located in the _____ folder.
config
The primary .ini files are the _____ file.
keyword
The keyword file stores _____ keywords.
global
This .ini file Stores the text styles used by the database.
TextStyles.ini
Stores values for the file signature database.
File Signatures
Database information regarding the viewers that EnCase can use when viewing data.
Viewers.ini
Stores the database of user IDs and usernames
SecurityIDs.ini
____ files are easily manipulated and caution must be taken when editing these files.
.ini
This is a special folder that places the storage files such as .PST or .DBX files
ParseCache
The _____ folder allows the intensive process to occur without using up all the stations memory and processor.
ParseCache
Avoiding detection
Goal of Anti-Forensics
Disrupting information collection
Goal of Anti-Forensics
Increasing the examiner's time
Goal of Anti-Forensics
Casting doubt on a forensic report or testimony
Goal of Anti-Forensics
Forcing a tool to reveal its presence
Goal of Anti-Forensics
Subverting the tool, using it to attack the examiner or organization.
Goal of Anti-Forensics
EnCase uses two methods for identifying file types.
1. File Extensions
2. File Signatures
It clarifies actual data
Metadata
Data about Data
Metadata
It can include size, time, date, location, etc.
Metadata
If an examiner knows "when" the violator accessed the system, it is much easier to find out which files were touched by building a ______ order of file accesses.
chronological
Removing files often does not delete their _____ entries.
directory
Writing over the access times so that reconstructing the _____ is difficult or near impossible is an effective anti-forensic practice.
timelines
The anti-forensic tool _____ will modify (or blank out) any timestamps you choose.
Timestomp
Another anti-forensic technique is to prevent the _____ from being created in the first place.
Metadata
Under HKLM\SYSTEM\CurrentControlSet\Control\FileSystem, setting the value NtfsDisableLastAccessUpdate to "1" will _____ updating of the last-accessed timestamp. Caveat: Windows Vista and later ship with this value set to 1 by default, so an unchanging Last Accessed time is normal on modern systems and is not by itself evidence of tampering.
disable
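The timeline and timestamp-tampering cards above describe a check an examiner can script. The Python below is an added example, not EnCase code: it converts NTFS FILETIME values (100 ns ticks since 1601) to datetimes, flattens constructed $STANDARD_INFORMATION-style records into a chronological timeline, and flags two things worth a second look: records where every timestamp is an exact whole second (NTFS normally records sub-second ticks, and whole seconds are a known artifact of tools that rewrite timestamps), and records whose creation time is later than their last-written time (which the File Created card later explains can be legitimate after a move or copy). The sample records and helper names are constructed for the example.

```python
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000          # FILETIME counts 100 ns intervals
FIELDS = ("created", "written", "accessed", "entry_modified")


def to_filetime(dt: datetime) -> int:
    delta = dt - EPOCH_1601
    micro = (delta.days * 86_400 + delta.seconds) * 1_000_000 + delta.microseconds
    return micro * 10            # integer arithmetic: a float would lose precision here


def from_filetime(ft: int) -> datetime:
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def ts(year, month, day, hour, minute, second, micro=0) -> int:
    return to_filetime(datetime(year, month, day, hour, minute, second, micro, tzinfo=timezone.utc))


# Constructed records for the example (not from a real case).
SAMPLE_ENTRIES = [
    {"name": "report.docx",
     "created": ts(2023, 3, 1, 9, 15, 2, 345_678), "written": ts(2023, 3, 4, 17, 2, 41, 12_345),
     "accessed": ts(2023, 3, 5, 8, 0, 9, 990_001), "entry_modified": ts(2023, 3, 4, 17, 2, 41, 12_345)},
    {"name": "notes.txt",   # every field an exact whole second: the rewritten-timestamp signature
     "created": ts(2021, 1, 1, 0, 0, 0), "written": ts(2021, 1, 1, 0, 0, 0),
     "accessed": ts(2021, 1, 1, 0, 0, 0), "entry_modified": ts(2021, 1, 1, 0, 0, 0)},
    {"name": "photo.jpg",   # copied into place after it was last edited
     "created": ts(2023, 3, 5, 8, 30, 0, 500_000), "written": ts(2022, 7, 19, 14, 5, 33, 250_000),
     "accessed": ts(2023, 3, 5, 8, 30, 0, 500_000), "entry_modified": ts(2023, 3, 5, 8, 30, 0, 500_000)},
]


def timeline(entries):
    """Flatten every timestamp into (time, file, field) and sort chronologically."""
    events = [(from_filetime(e[f]), e["name"], f) for e in entries for f in FIELDS]
    return sorted(events)


def whole_second_timestamps(entries):
    """Names of entries whose four timestamps all have a zero sub-second part.
    A heuristic, not proof: files copied from FAT media or extracted from some
    archives can also carry whole-second times."""
    return [e["name"] for e in entries
            if all(e[f] % TICKS_PER_SECOND == 0 for f in FIELDS)]


def created_after_written(entries):
    """Files whose creation time is later than last written. Legitimate when the
    file was moved or copied after its last edit, so report it, do not conclude."""
    return [e["name"] for e in entries if e["created"] > e["written"]]


if __name__ == "__main__":
    for when, name, field in timeline(SAMPLE_ENTRIES):
        print(when.isoformat(), name, field)
    print("whole-second timestamps:", whole_second_timestamps(SAMPLE_ENTRIES))
    print("created after written:", created_after_written(SAMPLE_ENTRIES))
```

Both flags are leads, not findings: corroborate them against the $FILE_NAME timestamps, the USN journal, or application logs before reading anything into them.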
Setting your entire drive to _____ _____ except by you and your password will cause frustration to a Forensic Examination.
read only
Another way to cause problems with a Forensic Examination is to use a tool that securely removes files from your computer hard drive and clears free space to remove any _____ data.
residual
Darik's Boot and Nuke (DBAN)
Anti-Forensics Tool
Anti-forensic tool that securely wipes entire drives (not individual files) and can be booted from a floppy, CD, DVD or USB.
Darik's Boot and Nuke (DBAN)
A program that hides files within the slack space of a NTFS file system.
Slacker Program
A slacker program is very useful for people that want to _____ files.
hide
Data hidden in file slack by a slacker program is _____ detected by standard forensic tools, because slack is not part of any file's logical contents; it is found only by examining slack space directly.
not easily
FragFS is an advanced data hiding tool/technique that hides data in the ___ (_____ _____ _____)
MFT / Master File Table
RuneFS is a data-hiding program in the same family as _____ tools; it stores data in blocks marked as "bad".
Slacker
Is deleting the browser history all a user has to do in order to hide where he\she has been?
No
To be certain browser history is removed, you can use tools such as _____, AssureYourPrivacy.com, and SoftChecker.
WinClear
To be certain browser history is removed, you can use tools such as WinClear, ______, and SoftChecker.
AssureYourPrivacy.com
To be certain browser history is removed, you can use tools such as WinClear, AssureYourPrivacy.com, and _____.
SoftChecker
When you erase a file on your computer, the actual data in the file is not overwritten. The space utilized by that file is simply marked as "_____" for use by other data
free
The method to securely erase data is to write over the same physical spot on the hard disk multiple times with different patterns, effectively obliterating the magnetic _____ of the data which was once there.
signatures
Software to securely erase data are _____, Eraser, Necrofile, and File Shredder.
SDelete
Software to securely erase data are SDelete, _____, Necrofile, and File Shredder.
Eraser
Software to securely erase data are SDelete, Eraser, _____, and File Shredder.
Necrofile
Software to securely erase data are SDelete, Eraser, Necrofile, and ______.
File Shredder
Another method of hiding or erasing the data is to use a program that when a file is accessed _____ a program will automatically erase the file and overwrite it with useless data
incorrectly
One of the most effective ways to hold off an investigation into your device is to use what?
File Encryption
File encryption encrypts only the file _____.
contents
File encryption leaves important information such as file name, size, and timestamps _____.
unencrypted
Parts of an encrypted file's contents can be _____ from other locations such as temporary files, the swap file, and deleted unencrypted copies.
reconstructed
Parts of an encrypted file's contents can be reconstructed from other locations such as ______ _____, the swap file, and deleted unencrypted copies.
temporary files
Parts of an encrypted file's contents can be reconstructed from other locations such as temporary files, the _____ _____, and deleted unencrypted copies.
swap file
Parts of an encrypted file's contents can be reconstructed from other locations such as temporary files, the swap file, and _____ ______ _____.
deleted unencrypted copies
The purpose of _____ _____ is to confuse, disorientate and divert the forensic examination process.
trail obfuscation
An application that changes the header information of a file.
Transmogrify
Changing a file's header so that a .jpg looks like a .doc would require a tool such as _____.
Transmogrify
Even if a file's header information is changed, the OS still chooses how to open the file by its ______.
extension
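The two identification methods from earlier cards (extension and file signature) and the Transmogrify cards above can be shown together. The Python below is an added example, not EnCase's File Signatures database: a small header table, a `signature_analysis` function that reports "Match" or "! Bad Signature" the way the Signature column does (the "Unknown" result and the parenthetical detail are this example's own), and a `transmogrify` helper that rewrites only the leading bytes. The sample file contents are constructed.

```python
# Header (magic) bytes -> (type, extensions that legitimately carry that header).
# An abbreviated stand-in for the real signature database.
SIGNATURES = {
    b"\xFF\xD8\xFF":                          ("JPEG image", {"jpg", "jpeg"}),
    b"\x89PNG\r\n\x1a\n":                     ("PNG image", {"png"}),
    b"GIF87a":                                ("GIF image", {"gif"}),
    b"GIF89a":                                ("GIF image", {"gif"}),
    b"%PDF-":                                 ("PDF document", {"pdf"}),
    b"PK\x03\x04":                            ("ZIP container", {"zip", "docx", "xlsx", "pptx", "jar"}),
    b"MZ":                                    ("Windows executable", {"exe", "dll", "sys", "scr"}),
    b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1":      ("OLE compound document", {"doc", "xls", "ppt", "msg"}),
}
OLE_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"

# Constructed sample: a minimal JFIF header followed by filler.
SAMPLE_JPEG = b"\xFF\xD8\xFF\xE0\x00\x10JFIF\x00\x01" + bytes(64)


def extension_of(name: str) -> str:
    return name.rsplit(".", 1)[1].lower() if "." in name else ""


def identify_by_header(data: bytes):
    """Type and legitimate extensions for the header found, or None."""
    for magic, (kind, exts) in SIGNATURES.items():
        if data.startswith(magic):
            return kind, exts
    return None


def signature_analysis(name: str, data: bytes) -> str:
    """Compare what the header says with what the extension claims."""
    found = identify_by_header(data)
    ext = extension_of(name)
    if found is None:
        return "Unknown"
    kind, exts = found
    if ext in exts:
        return "Match"
    return f"! Bad Signature ({kind} header, .{ext} extension)"


def transmogrify(data: bytes, new_magic: bytes) -> bytes:
    """What a header-rewriting tool does: overwrite the leading bytes only.
    The body of the file, and how the OS treats its extension, are untouched."""
    return new_magic + data[len(new_magic):]


if __name__ == "__main__":
    print(signature_analysis("holiday.jpg", SAMPLE_JPEG))        # Match
    print(signature_analysis("holiday.doc", SAMPLE_JPEG))        # ! Bad Signature ...
    disguised = transmogrify(SAMPLE_JPEG, OLE_MAGIC)
    print(signature_analysis("holiday.doc", disguised))          # Match, yet the body is JPEG data
```

The last line is the caveat a practitioner should carry: signature analysis catches a renamed file, but a file whose header was rewritten to agree with its extension passes it. Hash analysis, parsing the body, or viewing the file in its claimed format is needed to catch that case.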
The art of hiding messages (or binary data) so that people who are not the intended recipients cannot perceive them.
Steganography
Hiding Data within data
Watermarking
File formats with more room for compression are best

-_____ _____ (___ ___)
-Sound files (MP3, WAV)
-Video files (MPG, AVI)
Image files (JPEG, GIF)
File formats with more room for compression are best

-Image files (JPEG, GIF)
-_____ _____ (___ ___)
-Video files (MPG, AVI)
Sound files (MP3, WAV)
File formats with more room for _____ are best

-Image files (JPEG, GIF)
-Sound files (MP3, WAV)
-Video files (MPG, AVI)
compression
In watermarking, the hidden information may be _____, but not necessarily.
encrypted
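To make the steganography cards concrete, here is an added Python example (not from the original deck) of the simplest image technique, least-significant-bit embedding: each byte of the payload, prefixed by a 4-byte length, is spread one bit at a time into the low bit of consecutive cover bytes, so no cover byte changes by more than 1. The cover is a constructed array of 8-bit greyscale values standing in for image pixels; a real image file would need its container parsed first, and the payload would normally be encrypted before embedding, as the watermarking card notes. Function names are this example's own.

```python
import random


def _bits(payload: bytes):
    """Yield the bits of payload, most significant bit of each byte first."""
    for byte in payload:
        for shift in range(7, -1, -1):
            yield (byte >> shift) & 1


def embed(cover: bytes, message: bytes) -> bytes:
    """Replace the least-significant bit of each cover byte with one bit of
    [4-byte big-endian length][message]."""
    payload = len(message).to_bytes(4, "big") + message
    if len(payload) * 8 > len(cover):
        raise ValueError("cover too small for payload")
    stego = bytearray(cover)
    for i, bit in enumerate(_bits(payload)):
        stego[i] = (stego[i] & 0xFE) | bit
    return bytes(stego)


def extract(stego: bytes) -> bytes:
    """Read the length prefix from the first 32 LSBs, then that many bytes."""
    def read(n_bytes: int, start: int) -> bytes:
        value = 0
        for i in range(start, start + n_bytes * 8):
            value = (value << 1) | (stego[i] & 1)
        return value.to_bytes(n_bytes, "big")
    length = int.from_bytes(read(4, 0), "big")
    return read(length, 32)


def make_cover(n: int, seed: int = 7) -> bytes:
    """Constructed 8-bit greyscale 'image' of n pixels with deterministic noise."""
    rng = random.Random(seed)
    return bytes(rng.randrange(256) for _ in range(n))


def max_pixel_change(cover: bytes, stego: bytes) -> int:
    return max(abs(a - b) for a, b in zip(cover, stego))


if __name__ == "__main__":
    cover = make_cover(4096)
    stego = embed(cover, b"meet at 0930")
    print(extract(stego), "max change per pixel:", max_pixel_change(cover, stego))
```

The same property that hides the data is what an examiner can test for: LSB planes of natural images are noisy but not uniformly random, so statistical tests on the low bits (or simply comparing against a known-good copy of the cover, if one exists) are the usual detection approach.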
Process whereby the magnetic media is erased.
Disk Degaussing
Degaussing requires a _____ _____ that is designed and approved for the type of media being purged. It works only on magnetic media (it does nothing to flash/SSD storage) and normally leaves a hard drive unusable, so it is a destruction method rather than a reuse method.
degausser device
_____ systems and _____ are not the same in a virtual machine compared to a physical machine.
File / directories
The push toward virtual machines forces the forensic investigator to _____ about this technology.
learn
a Java-based graphical forensics tool that creates a VMware virtual machine out of a raw disk image or physical disk. This allows the forensic examiner to "boot up" the image or disk and gain an interactive, user-level perspective of the environment, all without modifying the underlying image or disk
Live View
Uses TPM(Trusted Platform Module) - a microchip designed to provide basic security-related functions, primarily involving encryption keys. The TPM is usually installed on the motherboard of a desktop or portable computer, and communicates with the rest of the system by using a hardware bus.
BitLocker
Computers that incorporate a ___ (_____ _____ _____)can also create a key that has not only been wrapped, but is also tied to specific hardware or software conditions.
TPM (Trusted Platform Module)
Live view is available for _____
download
Dummy files such as _____ files added to computer files are one of the other methods to Anti Forensics.
index.dat
EnCase _____ are one of the other methods to Anti Forensics.
landmines
EnCase is separated into 4 distinct windows. They are the _____ Pane, Table Pane, View Pane, and the Filter Pane.
Tree
EnCase is separated into 4 distinct windows. They are the Tree Pane, _____ Pane, View Pane, and the Filter Pane.
Table
EnCase is separated into 4 distinct windows. They are the Tree Pane, Table Pane, _____ Pane, and the Filter Pane.
View
EnCase is separated into 4 distinct windows. They are the Tree Pane, Table Pane, View Pane, and the _____ Pane.
Filter
The starting point for all EnCase cases is the _____ Pane. The first step is to create a case!
Tree
Enter all pertinent information in the _____ options screen.
case
The _____ folder is used to place a file in order to view it externally.
Temp
EnCase 6 allows _____ that makes searches much faster than previous versions.
indexing
It is a good idea to develop a _____ for data in the cases folder
template
Be consistent with the _____ and _____ of all EnCase cases.
numbering/setup
Represents a live physical device in the lower right of the icon.
Blue Triangle
Selecting an object under the _____ places a blue check box in all the files under the table view.
Entries
The box directly to the left of the filter pane that has ex. 11/15
Dixon box
The box next to the square box that looks like a baseball diamond is used to show all files selected in the _____ pane.
table
In the Table Pane, to lock a column you will need to right click the column, and then select column and then _____ _____.
set lock
This column displays a Boolean True or False value stating whether the object will appear in the Report view. By default, objects do not.
In Report
This column displays the file's extension if it has one. Windows uses file extensions to determine which application to use to open it, while other OSs instead use header or other metadata information to do so. EnCase reports the actual extension used by the file. If it has been changed, the real extension remains an unknown until a file signature analysis is run.
File Ext
File types will return information from the File Types view and table based on file _____.
extension
The _____ category is likewise pulled from the File Types table and is a general category, such as documents or images.
File
This column is populated after a file signature analysis and returns the result of that process. The results could be "match," "! Bad Signature," and so on.
Signature
This column briefly describes the object (file, folder, volume), some of its attributes, and what the icon means that sometimes accompanies the object name.
Description
This column displays a Boolean True or False value indicating whether file has been deleted.
Is Deleted
This column indicates the date/time a file was last accessed. The file does not have to change but be accessed only. Programs vary in the way they touch this time stamp. It may or may not reflect user activity. Some hex editors allow data to be altered and no date/time stamps are changed.
Last Accessed
This column indicates the date/time a file was created in that particular location. You can edit a file after it was originally written, giving it a last written date/time later than originally written (created). If you move it to a new location, the file will take on a new creation date/time for when and where it was moved, making it "appear" to have been created after it was last written. This concept confuses many, but the key is understanding that the creation date/time typically indicates when it was created in its current location and that files can be moved around after they were last written.
File Created.
This column displays the date/time that a file was opened, data was changed, and the file was saved. If the file is opened and the data isn't changed, there shouldn't be a change in the last written date/time.
Last Written
This column indicates the date/time a file or folder's file system record entry was changed. This pertains to NTFS and Linux file systems.
Entry Modified
This column reports the date/time of file deletion according to a Windows Recycle Bin INFO2 database.
File Deleted
This column reports the date/time the evidence file in which objects resides was acquired.
File Acquired
This column specifies the actual size of data in a file from first byte to last byte, reported in bytes.
Logical Size
This column specifies the actual size of the file plus slack space.
Physical Size
The Starting _____ is the starting cluster for a file in the format Evidence File Number (order within the Case) | Logical Drive Letter | Starting Cluster Number; in the case of resident data in a master file table (MFT), the starting cluster will be followed by a comma and the byte offset from the beginning of the cluster to the beginning of the data.
Extent
This column lists the number of data runs or extents for a file.
File Extents
This displays a Boolean True or False value stating whether security settings have been applied to the object.
Permissions
This displays the number of times the highlighted file is referenced or bookmarked.
References
This displays the number of bytes into the device that a file begins.
Physical Location
This is the starting sector where a file starts.
Physical Sector
This displays the evidence file in which object resides.
Evidence File
The _____ Identifier is the file table index number.
File
This column shows the ___ hash value of each file, displayed after Compute Hash Value is run from the Search tool window.
MD5
This displays the hash set a file belongs to if it matches a known value in the hash library (usually set up as Known and Notable but can be defined by the user).
Hash Category
This displays the full path to the file, including the evidence file name.
Full Path
This displays DOS 8.3 file name.
Short Name
This displays the file name for files as they are mounted in Windows Explorer after EnCase Virtual File System is activated and the device is mounted.
Unique Name
If the file is an allocated, nondeleted file, this column is blank. If the file is deleted and has been overwritten, this column will show which file has overwritten the original file. If the file is in the Recycle Bin, this column shows the original location of the file when it was deleted.
Original Path
A _____ Link contains no data about the file that is pointed to; their value lies mostly in pointing to resources on other systems.
Symbolic
Specifies that you want to search only the data written and not the entire space allocated.
Initialized Size
This is the character encoding table upon which the file is based.
Code Page
This displays True if the file displayed is a duplicate of another file.
Is Duplicate
This denotes hidden files that are used by the operating system internally and are hidden from the user.
Is Internal
This displays True if the original file is deleted and its space is currently occupied by another file.
Is Overwritten
To make an entry appear in the _____ view, right-click its In Report column in the table view and select In Report.
Report
A _____ appears in the column, and when you switch to Report view you see the data.
dot
View images in the case
Gallery view
You can copy, bookmark, and change the size of the bookmarks when viewing the _____ view.
report
In _____ view, you can view the sectors of the drive which are color coded according to the legend.
Disk view
Provides a chronological activity view.
Timeline View
You can choose which events to display (created, written, accessed, modified, deleted, and acquired files) by right-clicking on the _____ area.
timeline
Hitting the _____ sign makes the view larger to allow easier navigation.
+
There is no report or printing feature available in the _____ view. If you want to print you need to do a screen shot
timeline
In _____ View, you can view the data in Hex view or text view.
Text
In _____ view, you can select an area to view and bookmark it, export it, and copy and paste the data.
Text
_____ view comes up automatically when EnCase detects a picture.
Picture
Displays output from scripts run on the data or drive.
Console view
Is enabled in the full version of EnCase and allows you to view the document in its native format.
Doc view
There is even a ___ locator that is a real time updated location platform that allows the users to either locate evidence or precisely show where the evidence is.
GPS
Works in Hex or text view and searches a sector or disk.
Find
All you need to do is hit the dark arrows and squares to change the view
Moving the panes
Either a 1 or a 0, each representing a ___.
BIT
What is a BIT?
Binary digit
What is a nibble?
4 bits
What is a Byte?
8 bits
What are 2 Bytes called?
Word
What are 4 Bytes called?
Dword or Double word
Dword equals how many bits?
32
What is the Base of Hexadecimal?
Base 16
What is the Base of Binary?
Base 2
Hex is typically annotated by an _ after the number.
h
A leading _x tells the parser to expect a number in hex.
0
In 0x98, the x stands for ____.
hex
It is easier to use the _____ method to convert to hex.
nibble
_____ numbers are separated into 2 nibble sections. Left and Right.
Binary
254 in binary is _ _ _ _ - _ _ _ _
1111-1110
Take each nibble _____.
separately
1111 = 8+4+2+1 = 15 or _
F
1110 = 8+4+2+0 = 14 or _
E
So ___ is the correct representation of 254 in hex.
FEh
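The nibble method worked above for 254 generalises to any unsigned value. The Python below is an added example (not part of the deck) that carries out exactly those steps in code: split the binary form into 4-bit groups, add the 8-4-2-1 place values of each group, map to a hex digit, and append the h suffix; it also parses both notations the cards mention (0x98 and 98h) and names the unit (nibble, byte, word, dword) a value fits in. Function names are this example's own.

```python
HEX_DIGITS = "0123456789ABCDEF"
NIBBLE_WEIGHTS = (8, 4, 2, 1)
UNITS = (("bit", 1), ("nibble", 4), ("byte", 8), ("word", 16), ("dword", 32))


def to_nibbles(n: int) -> list:
    """Binary form of n, zero-padded on the left to a multiple of 4, split into nibbles."""
    if n < 0:
        raise ValueError("unsigned values only")
    bits = format(n, "b")
    bits = bits.zfill(-(-len(bits) // 4) * 4)        # round length up to a multiple of 4
    return [bits[i:i + 4] for i in range(0, len(bits), 4)]


def nibble_value(nibble: str) -> int:
    """Add the place values of the set bits: '1110' -> 8+4+2+0 = 14."""
    return sum(w for w, b in zip(NIBBLE_WEIGHTS, nibble) if b == "1")


def to_hex_by_nibbles(n: int) -> str:
    """254 -> ['1111', '1110'] -> 'F', 'E' -> 'FEh'."""
    return "".join(HEX_DIGITS[nibble_value(nb)] for nb in to_nibbles(n)) + "h"


def parse_hex(text: str) -> int:
    """Accept both notations: '0x98' and '98h'."""
    t = text.strip()
    if t.lower().startswith("0x"):
        t = t[2:]
    elif t.lower().endswith("h"):
        t = t[:-1]
    return int(t, 16)


def smallest_unit(n: int) -> str:
    """Name the smallest unit (bit, nibble, byte, word, dword) that holds n."""
    bits = max(1, n.bit_length())
    for name, size in UNITS:
        if bits <= size:
            return name
    return "larger than a dword"


if __name__ == "__main__":
    print(to_nibbles(254), to_hex_by_nibbles(254), parse_hex("0x98"), smallest_unit(254))
```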
ASCII stands for what?
American Standard Code for Information Interchange.
ASCII differentiates between what?
lower and upper case.
A character set developed to accommodate more characters in a language.
Unicode
This standard allows the interchange of text from one language to another.
Unicode
To search the drive or block of selected text you must create a string or _____ search.
keyword
_____ searches are created and stored for future use.
Keyword
The keywords can be _____ or case level
global
The keywords can be global or _____ level
case
Keywords become global and are stored in the _____.___ file.
Keywords.ini
How do you create a Keyword?
Select keyword > Right click > Select new
When creating a keyword, you will notice that as you type the view shows each letter in _____.
Unicode
By default, a newly created keyword is not _____ sensitive.
case
Name is a what?
Keyword search option
Case sensitive is a what?
Keyword search option
GREP is a what?
Keyword search option
RTL Reading is a what?
Keyword search option
ANSI Latin-1 is a what?
Keyword search option
Unicode is a search expression found under what?
Keyword search option
Big- Endian Unicode is a search expression found under what?
Keyword search option
UTF-8 is a search expression found under what?
Keyword search option
UTF-7 is a search expression found under what?
Keyword search option
Code page is a search expression found under what?
Keyword search option
Keyword tester is a search option included under what?
Keyword search option
Adding _____ can be accomplished by importing (which uses a previous exported list) or by adding keyword lists.
keywords
Select a folder in the tree pane Right Click and choose Add Keyword list.
Keyword list
Globally search for a Regular Expression and Print (g/re/p)
GREP Keywords
EnCase uses ____ because of its power and ease of use.
GREP
GREP is commonly used for _____ _____ number searches
Social Security
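The keyword cards above list the encodings a search can run in, and the GREP cards give the Social Security number search as the standard use. As an added example (not EnCase's GREP engine or keyword syntax), the Python below compiles a keyword, or a small GREP dialect of literals, `\d`, `+`, `*`, `?` and `{m,n}`, into a bytes regex for each encoding (ANSI Latin-1, UTF-16LE "Unicode", UTF-16BE, UTF-8; UTF-7 is left out), runs it over raw bytes, and reports the byte offset of each hit the way a file or physical offset would be reported. The 4 KB image it searches is constructed inline.

```python
import re

# Encodings offered by the keyword dialog, mapped to Python codec names (UTF-7 omitted).
ENCODINGS = {
    "ANSI Latin-1": "latin-1",
    "Unicode": "utf-16-le",
    "Big-Endian Unicode": "utf-16-be",
    "UTF-8": "utf-8",
}

_TOKEN = re.compile(r"\\d|\{\d+(?:,\d+)?\}|[+*?]|.", re.S)


def _alts(chars, codec: str) -> str:
    """Regex alternation of the given characters, each encoded in `codec` and escaped."""
    return "(?:" + "|".join(re.escape(c.encode(codec)).decode("latin-1") for c in chars) + ")"


def compile_keyword(pattern: str, codec: str, case_sensitive: bool = True,
                    grep: bool = False) -> re.Pattern:
    """Build a bytes regex whose literals are encoded in `codec`, so one pattern
    searches raw bytes in any encoding. Plain keywords are matched literally;
    grep=True enables \\d, + * ? and {m,n}."""
    parts = []
    for tok in (_TOKEN.findall(pattern) if grep else list(pattern)):
        if grep and tok == r"\d":
            parts.append(_alts("0123456789", codec))
        elif grep and tok[0] in "{+*?":
            parts.append(tok)                       # quantifier applies to the preceding group
        else:
            forms = sorted({tok} if case_sensitive else {tok.lower(), tok.upper()})
            parts.append(_alts(forms, codec))
    return re.compile("".join(parts).encode("latin-1"))


def search_image(image: bytes, pattern: str, case_sensitive: bool = True, grep: bool = False):
    """Return [(encoding, byte offset, matched bytes)] over all encodings, sorted by offset."""
    hits = []
    for label, codec in ENCODINGS.items():
        rx = compile_keyword(pattern, codec, case_sensitive, grep)
        hits.extend((label, m.start(), m.group()) for m in rx.finditer(image))
    return sorted(hits, key=lambda h: (h[1], h[0]))


def build_sample_image() -> bytes:
    """Constructed 4 KB 'disk image': an ASCII fragment and a UTF-16LE fragment
    (as Windows stores many strings) at known offsets, the rest zero-filled."""
    image = bytearray(4096)
    ascii_part = b"Customer SSN: 123-45-6789\n"
    utf16_part = "Backup ssn 987-65-4321".encode("utf-16-le")
    image[100:100 + len(ascii_part)] = ascii_part
    image[1000:1000 + len(utf16_part)] = utf16_part
    return bytes(image)


SSN_PATTERN = r"\d{3}-\d{2}-\d{4}"

if __name__ == "__main__":
    img = build_sample_image()
    for hit in search_image(img, SSN_PATTERN, grep=True):
        print(hit)
    for hit in search_image(img, "SSN", case_sensitive=False):
        print(hit)
```

Two things the output makes visible: the ASCII hit is reported under both Latin-1 and UTF-8 (they agree on ASCII bytes), and the UTF-16LE string also produces a Big-Endian hit one byte earlier, because the NUL that precedes each character lines up with the big-endian byte order. Selecting every encoding therefore multiplies hits, and the examiner has to read the surrounding bytes to decide which one is real.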
References to specific files or data.
Bookmarking
Can be created just about any where in EnCase.
Bookmarking
Highlighted data is the most common _____.
Bookmark
High and Low ASCII can be a _____ type.
Bookmark
Hex can be a _____ type.
Bookmark
Unicode can be a ______ type.
Bookmark
ROT-13 - code is rotated 13 characters to appear encrypted can be a _____ type.
Bookmark
HTML can be a _____ type.
Bookmark
Pictures can be a _____ type.
bookmark
Integers can be a _____ type.
Bookmark
Dates can be a _____ type.
Bookmark
Very useful to help add information into the case.
Notes Bookmark
Used to depict the folder structure in the bookmark.
Folder Information Bookmark
You can create _____ that help show the information you acquired.
reports
A reference to a file that contains significant information to your case is called a _____ file bookmark.
Notable
With a notable file bookmark, The data is not bookmarked just the _____ of the file are bookmarked.
attributes
_____ are essential when annotating data and making reports.
Bookmarks
EnCase 6 allows us to index the data to assist us in searching data. This is called _____ Searches.
Indexed
You first must create an index by running the _____ case tool.
index
Creating _____ is an essential part of forensics.
reports
EnCase provides _____ _____ reports that are very useful and easy to create.
web page
When you have created the bookmarks you desire and want to export them to a web page it is as easy as right clicking in the _____ pane and choose the export option as a web page.
table
When you have created the bookmarks you desire and want to export them to a web page it is as easy as right clicking in the table pane and choose the _____ option as a web page.
export
A simple additive checksum does not see _____.

Ex. 1234 and 4321 produce the same checksum.
order
A _____ is a fixed-size value computed from an arbitrary block of data.

Ex. the check digits on bank account and credit card numbers.
Checksum
CRC
Cyclical Redundancy Check
CRC is a variation of _____.
checksum
CRC is _____ sensitive
order
Most hard drives store 1 CRC for every _____.
sector
When a CRC value of a sector does not match a value recomputed by the drive hardware a ___-_____ read error occurs.
low-level
The odds that two sectors containing different data will produce the same 32-bit CRC are roughly one in four _____ (2^32).
billion
Every byte of the file is verified using a __-bit CRC, so accidental corruption of the evidence after acquisition is detected and can be pinpointed to a block. Caveat: anyone who can alter a block can also recompute its CRC, so the tamper evidence that investigators and the legal team rely on in court comes from the acquisition hash being recorded outside the evidence file (case notes, chain-of-custody record) and re-verified, not from the CRCs alone.
32
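The difference between an order-blind checksum and a CRC is easy to see in code. This is an added example, not EnCase's implementation: `additive_checksum` is the plain sum-of-bytes checksum the cards describe, `crc32` is the standard CRC-32 from Python's zlib (EnCase's exact CRC variant is not stated on the page), and `swap_two_bytes` is the kind of change a sum cannot see but a CRC does. The sector contents are constructed so the swapped bytes are guaranteed to differ.

```python
import zlib


def additive_checksum(data: bytes) -> int:
    """The plain checksum of the cards: add the bytes, keep 16 bits. Order-blind."""
    return sum(data) & 0xFFFF


def crc32(data: bytes) -> int:
    """Standard CRC-32 (zlib); the exact EnCase variant is not specified on the page."""
    return zlib.crc32(data) & 0xFFFFFFFF


def compare(a: bytes, b: bytes) -> dict:
    """Do two different inputs look identical to each integrity check?"""
    return {"checksum_collides": additive_checksum(a) == additive_checksum(b),
            "crc_collides": crc32(a) == crc32(b)}


def swap_two_bytes(sector: bytes, i: int, j: int) -> bytes:
    """Tampering a sum cannot see: exchange two bytes, same multiset of values."""
    s = bytearray(sector)
    s[i], s[j] = s[j], s[i]
    return bytes(s)


def make_sector() -> bytes:
    """Constructed 512-byte sector: 0..255 twice, so any two positions 
    whose indices differ mod 256 hold different values."""
    return bytes(range(256)) * 2


if __name__ == "__main__":
    print(compare(b"1234", b"4321"))
    sector = make_sector()
    print(compare(sector, swap_two_bytes(sector, 10, 400)))
```

Neither check is a defence against a deliberate attacker, who can recompute either value; the CRC's job is to catch the accidental change (a bad read, a truncated copy) that a plain sum would miss.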
EnCase computes a CRC for every block of __ sectors (32KB) written to the Evidence File.
64
EnCase computes a CRC for every block of 64 sectors (32KB) written to the ______ File.
Evidence
EnCase uses an industry standard _____ algorithm to achieve an average size reduction of 50%.
compression
EnCase uses an industry standard compression algorithm to achieve an average size reduction of __%.
50
Compression _____ affects the final evidence, and compressed blocks are checked for validity in the same way as uncompressed ones.
NEVER
You can __-_____ an Evidence File manually, just click on the Case tab and select the appropriate Evidence File. RIGHT-CLICK and select Verify File Integrity. A confirmation box will appear.
re-verify
You can re-verify an Evidence File manually, just click on the Case tab and select the appropriate Evidence File. RIGHT-CLICK and select _____ _____ _____. A confirmation box will appear.
Verify File Integrity
EnCase calculates an ___ hash when it acquires a physical drive or logical volume.
MD5
The _____ value is written into the Evidence File and becomes part of the documentation of the evidence.
hash
The hash value that is stored in the Evidence File and the hash value that is computed when the Evidence File is added to a case both appear in the Report for immediate _____ that the Evidence File has not changed since it was acquired.
confirmation
A _____ file is a text file that contains pointers to the evidence and additional information specific to that case, such as bookmarks, search results, sorts, hash analysis and signature analysis results.
case
A _____ file is created when the user saves the case.
case
In the Status Bar, PS is the _____.
Physical Sector number
In the Status Bar, LS is the _____.
Logical Sector number
In the Status Bar, PS is the _____.
Physical Sector number
In the Status Bar, LS is the _____.
Logical Sector number
In the Status Bar, CL is the _____.
Cluster number
In the Status Bar, SO is the _____.
Sector Offset
The distance in bytes from the beginning of the sector.
Sector Offset
In the Status Bar, FO is the _____.
File Offset
The File _____ is the distance in bytes from the beginning of the file.
Offset
In the Status Bar, LE is the _____.
Length
The number in bytes of the selected area.
Length
There are _____ different types of bookmarks.
Five
A _____ File Bookmark is any one file that was bookmarked individually. This is a fully customizable bookmark
Notable
Created by sweeping data. This is a fully customizable bookmark.
Highlighted Data Bookmark
Allows the investigator to write anything into the Report. It has a few formatting features, and is not a bookmark of evidence.
Notes Bookmark
Bookmarks the tree structure of a folder. There is no comment on this bookmark. Options include showing the device information and the number of columns to use for the tree structure.
Folder Information Bookmark
Indicates that a group of selected files was bookmarked.
File Group
After files are erased, application programs and normal processes of most operating systems will _____ their directory entries.
overwrite
Data is left on the disk with no indication that it is there. Searching the _____ space for known file headers and their associated end-of-file markers (if any) is one method of identifying such data.
unallocated
To view certain file _____ you want to search for, click on View and then File Signatures…
headers
Place a blue checkmark in the _____ space to search this space.
Unallocated
Possibly go to Keywords view and create a new folder called File _____…
Headers
Make sure to have ____ selected when searching unallocated space.
GREP
When searching unallocated space, you Right Click and choose _____.
edit
When searching unallocated disk space, after right-clicking and choosing Edit, you will see a _____ expression. Copy the expression into your new signature and name it whatever you want to help you know what it is.
search
Once the search is completed, review the _____ to determine the relevance to the investigation.
hits
To see the search hits as pictures, in the right pane, table view, scroll to the column entitled _____, which is deactivated for all search hits.
Picture
Select/Blue Check all search hits, right-click anywhere in the Picture column, and select _____-_____ Selected Items. You can now view the pictures in the bottom pane or switch the view above the right pane to Gallery.
Picture-Invert
EnCase will read the structure of the evidence files and will alert the examiner that the three hard drives formed some type of _____ array.
RAID
To virtually recreate the software _____, you must scan the disk configuration of the drive containing the keys to the _____.
RAID
In this case, it is the boot disk containing the operating system forming the RAID. Right-click on the _____ drive and scan its configuration.
boot
EnCase will virtually recreate the _____ RAID, including the last assigned volume drive letter. You can then browse and search the logical file structure.
software
EnCase will virtually recreate the software RAID, including the last assigned _____ drive letter. You can then browse and search the logical file structure.
volume
EnCase will virtually recreate the software RAID, including the last assigned volume drive letter. You can then browse and search the _____ file structure.
logical
The EnCase evidence file is best described as follows:

A. A mirror image of the source device written to a hard drive
B. A sector-by-sector image of the source device written to corresponding sectors of a secondary hard drive
C. A bitstream image of a source device written to the corresponding sectors of a secondary hard drive
D. A bitstream image of a source device written to a file or several file segments
D. An EnCase evidence file is a bitstream image of a source device such as a hard drive, CD-ROM, or floppy disk written to a file (.E01) or several file segments (.E02, .E03, and so on).
How does EnCase verify the contents of an evidence file?

A. EnCase writes an MD5 hash value for every 32 sectors copied.
B. EnCase writes an MD5 value for every 64 sectors copied.
C. EnCase writes a CRC value for every 32 sectors copied.
D. EnCase writes a CRC value for every 64 sectors copied.
D. EnCase writes a CRC value for every 64 sectors copied, by default. If the block size has been increased, the CRC frequency will be adjusted accordingly.
What is the smallest file size that an EnCase evidence file can be saved as?

A. 64 sectors
B. 512 sectors
C. 1 MB
D. 2 MB
E. 640 MB
C. The smallest file size that an EnCase evidence file can be saved as is 1 MB.
What is the largest file segment size that an EnCase evidence file can be saved as?

A. 640 MB
B. 1 GB
C. 2 GB
D. No maximum limit
C. The biggest file size that an EnCase evidence file can be saved as is 2 GB.
How does EnCase verify that the evidence file contains an exact copy of the source device?

A. By comparing the MD5 hash value of the source device to the MD5 hash value of the data stored in the evidence file
B. By comparing the CRC value of the source device to the CRC of the data stored in the evidence file
C. By comparing the MD5 hash value of the source device to the MD5 hash value of the entire evidence file
D. By comparing the CRC value of the source device to the CRC value of the entire evidence file
A. EnCase compares the MD5 hash value of the source device to the MD5 hash value of just the data stored in the evidence file, not the entire contents of the evidence file, such as case information and CRC values of each data block.
How does EnCase verify that the case information (such as case number, evidence number, notes, and so on) in an evidence file has not been damaged or altered after the evidence file has been written?

A. The case file writes a CRC value for the case information and verifies it when the case is opened.
B. EnCase does not verify the case information because it can be changed at any time.
C. EnCase writes a CRC value for the case information and verifies the CRC value when the evidence is added to a case.
D. EnCase writes an MD5 value of the case information and verifies the MD5 value when the evidence is added to a case.
C. EnCase calculates a CRC value for the case information, which is verified when the evidence file is added to a case.
For an EnCase evidence file to successfully pass the file verification process, which of the following must be true?

A. The MD5 hash value must verify.
B. The CRC values and the MD5 hash value both must verify.
C. Either the CRC or MD5 hash values must verify.
D. The CRC values must verify.
B. When an evidence file containing an MD5 hash value is added to a case, EnCase verifies both the CRC and MD5 hash values.
The MD5 hash algorithm produces a _____ value.

A. 32-bit
B. 64-bit
C. 128-bit
D. 256-bit
C. The MD5 hash algorithm produces a 128-bit value.
The MD5 hash algorithm is _____ hexadecimal characters in length.

A. 16
B. 32
C. 64
D. 128
B. The MD5 hash algorithm is 32 characters in length.
If an evidence file has been added to a case and completely verified, what happens if the data area within the evidence file is later altered?

A. EnCase will detect the error when that area of the evidence file is accessed by the user.
B. EnCase will detect the error if the evidence file is manually reverified.
C. EnCase will allow the examiner to continue to access the rest of the evidence file that has not been changed.
D. All of the above.
D. EnCase will detect the error and will still allow the examiner to access the unaffected areas of the evidence file.
Which of the following aspects of the EnCase evidence file can be changed during a reacquire of the evidence file?

A. Investigator's name
B. Evidence number
C. Notes
D. Evidence file size
E. All of the above
D. The evidence file size can be changed during a reacquire.
An evidence file was archived onto five CD-ROMs with the third file segment on disc 3. Can the contents of the third file segment be verified by itself while still on the CD-ROM?

A. No. All evidence file segments must be put back together.
B. Yes. Any evidence file segment can be verified independently by comparing the CRC values.
B. EnCase can verify independent evidence file segments by comparing the CRC values of the data blocks.
Will EnCase allow a user to write data into an acquired evidence file?

A. Yes, when adding notes or comments to bookmarks.
B. Yes, when adding search results.
C. A and B
D. No, data cannot be added to the evidence file after the acquisition is made.
D. EnCase does not write to the evidence file after the acquisition is complete.
All investigators using EnCase should run tests on the evidence file acquisition and verification process to do which of the following?

A. To further the investigator’s understanding of the evidence file
B. To give more weight to the investigator's testimony in court
C. To verify that all hardware and software is functioning properly
D. All of the above
D. As with any forensic tool, the investigator should test the tools to better understand how the tool performs and to verify that it is functioning properly.
When a noncompressed evidence file is reacquired with compression, the acquisition and verification hash values for the evidence file will remain the same for both files.

A. True
B. False
A. Compressing an evidence file does not change its MD5 hash value.
Search hit results and bookmarks are stored in the evidence file.

A. True
B. False
B. Search hit results and bookmarks are stored in the case and .cbak files.
The EnCase evidence file's logical file name can be changed without affecting the verification of the acquired evidence.

A. True
B. False
A. An EnCase evidence file's logical file name can be renamed without affecting the verification of the acquired evidence.
An evidence file cannot be moved to another directory without changing the file verification.

A. True
B. False
B. EnCase evidence files can be moved without affecting the file verification.
What happens when EnCase attempts to reopen a case once the evidence file has been moved?

A. EnCase reports that the file's integrity has been compromised and renders the file useless.
B. EnCase reports a different hash value for the evidence file.
C. EnCase prompts for the location of the evidence file.
D. EnCase opens the case, excluding the moved evidence file.
C. When an evidence file has moved from the previous path, EnCase will prompt for the new location of the evidence file.
During reacquisition, you can change which of the following? (Choose all that apply.)
A. Block size and error granularity
B. Add or remove a password
C. Investigator's name
D. Compression
A, B, D, E. All may be changed during reacquisition with the exception of the investigator's name.
In the EnCase Windows environment, must an examiner first create a new case before adding a device to examine?

A. Yes
B. No
A. In the Windows environment, you must first create a new case before the Add Device select tool appears on the toolbar.
Proper file management and organization require that which of the following should be created prior to acquiring evidence?

A. Evidence, Export, Temp, and Index folders
B. Unique naming conventions for folders belonging to the same case
C. All subfolders saved under one folder with the same unique name
D. All of the above
D. Any folders created for a specific case should be created beforehand, and they should be grouped together under one folder with the same unique name as the case name and case file name.
The EnCase methodology dictates that the lab drive used to store EnCase evidence files must have which of the following prior to acquiring an image?

A. FAT 32 partition
B. NTFS partition
C. Clean format
D. Previously wiped and sterile partition
D. A hard drive used to store evidence files should be completely wiped of any data to prevent any chance of cross-contamination.
When creating a new case, the Case Options dialog box prompts for which of the following?

A. Name or (case name)
B. Examiner name
C. Default export folder
D. Temporary folder
E. All of the above
E. The Case Options dialog box asks for all the options listed when a new case is created.
What determines the action that will result when a user double-clicks a file within EnCase?

A. The settings in the TEXTSTYLES.INI file
B. The settings in the FILETYPES.INI file
C. The settings in the FILESIGNATURES.INI file
D. The settings in the VIEWERS.INI file
B. The FILETYPES.INI file stores information on files such as types, extensions, and viewers used to access the file.
In the EnCase environment, the term external viewers is best described as which of the following?

A. Internal programs that are copied out of an evidence file
B. External programs loaded in the evidence file to open specific file types
C. External programs that are associated with EnCase to open specific file types
D. External viewers used to open a file that has been copied out of an evidence file
C. External viewers are programs that EnCase uses to open specific file types.
Where is the list of external viewers kept within EnCase?

A. The settings in the TEXTSTYLES.INI file
B. The settings in the FILETYPES.INI file
C. The settings in the FILESIGNATURES.INI file
D. The settings in the VIEWERS.INI file
D. The VIEWERS.INI file stores information on external programs that EnCase uses to open specific file types.
When the copy/unerase feature is used, EnCase saves the selected file(s) to which folder?

A. Evidence
B. Export
C. Temp
D. None of the above
B. When EnCase copies selected items or undeletes files, they are saved externally to the Export folder.
Can the Export folder be moved once it is saved within a case?

A. Yes
B. No
A. Yes. The Export folder can be moved by selecting Tools in the menu bar and selecting Options, and then changing the path of the Default Export Folder on the Case Options tab in the resulting dialog box.
Files that have been sent to external viewers are copied to which folder?

A. Evidence
B. Export
C. Temp
D. None of the above
C. When files are opened by external viewers, they are first copied to the Temp folder before the external viewers can access the files.
The Temp folder of a case cannot be changed once the case has been saved.

A. True
B. False
B. Once a case has been saved, the EnCase user can change the location of the Temp folder by selecting Tools > Options and changing the path of that folder.
Files stored in the Temp folder are removed once EnCase is properly closed.

A. True
B. False
A. EnCase will empty the Temp folder once the program has properly shut down. However, files will still remain in the Temp folder if EnCase has shut down improperly.
How do you access the setting to adjust how often a backup file (.cbak) is saved?

A. Select Tools > Options > Case Options
B. Select View > Options > Case Options
C. Select Tools > Options > Global
D. Select View > Options > Global
C. To adjust the number of minutes between saves of the backup file, select Tools in the menu bar, select Options, and then change the time in the Auto Save Minutes box on the Global tab of the resulting dialog box.
What is the maximum number of columns that can be sorted simultaneously in the Table view tab?

A. Two
B. Three
C. Five
D. 28 (maximum number of tabs)
C. EnCase allows the user to sort up to five columns in the Table view tab.
How would a user reverse-sort on a column in the Table view?

A. Hold down the Ctrl key, and double-click the selected column header.
B. Right-click the selected column, select Sort, and select either Sort Ascending or Sort Descending.
C. Both A and B.
C. The user can use either method to reverse-sort on a column.
How can you hide a column in the Table view?

A. Place the cursor on the selected column, and press Ctrl+H.
B. Right-click on the selected column, select Column, and select Hide.
C. Right-click on the selected column, select Show Columns, and uncheck the desired fields to be hidden.
D. All of the above.
D. All three methods will hide selected columns from the Table view.
What does the Gallery view tab use to determine graphics files?

A. Header or file signature
B. File extension
C. File name
D. File size
B. The Gallery view displays images based on the File Category "Picture," which is determined by file extensions until such time that a file signature analysis is run.
Will the EnCase Gallery view display a .jpg file if its file extension was renamed to .txt?

A. No, because EnCase will treat it as a text file.
B. Yes, because the Gallery view looks at a file's header information and not the file extension.
C. Yes, but only if a signature analysis is performed to correct the "File Category" to "Picture" based on its file header information.
D. Yes, but only after a hash analysis is performed to determine the file's true identity.
C. When a signature analysis is performed, EnCase will update or correct the "File Category" to "Picture," in this particular case based on the information contained in the file header.
How would a user change the default colors and text fonts within EnCase?

A. The user cannot change the default colors and fonts settings.
B. The user can change the default colors and fonts settings by right-clicking the selected items and scrolling down to Change Colors and Fonts.
C. The user can change the default colors and fonts settings by clicking the view tab on the menu bar and selecting the Colors tab or Fonts tab.
D. The user can change default colors and fonts settings by clicking the Tools tab on the menu bar, selecting Options, and selecting the Colors tab or Fonts tab.
D. A user can change the way colors and fonts appear by selecting the Tools tab and then clicking Options to change colors and fonts.
An EnCase user will always know the exact location of the selected data in the evidence file by looking at which of the following?

A. Data bar
B. Dixon box
C. Disk view
D. Hex view
A. The navigation data displays the selected data's exact location, including the full path, physical sector, logical sector number, cluster number, sector offset, and file offset.
Computers use a numbering system with only two digits, 0 and 1. This system is referred to as which of the following?

A. Hexadecimal
B. ASCII
C. Binary
D. FAT
C. Binary is a numbering system consisting of 0 and 1 used by computers to process information.
A bit can have a binary value of which of the following?

A. 0 or 1
B. 0-9
C. 0-9 and A-F
D. On or Off
A. Bi refers to two; therefore, a bit can have only two values, 0 or 1.
A byte consists of — bits.

A. 2
B. 4
C. 8
D. 16
C. A byte consists of 8 bits or two 4-bit nibbles, commonly referred to as the left nibble and right nibble.
If 1 bit can have two unique possibilities, 2 bits can have four unique possibilities, and 3 bits can have eight unique possibilities. This is known as the power of 2. How many unique possibilities are there in 8 bits (2 to the 8th power)?

A. 16
B. 64
C. 128
D. 256
D. 2 to the 8th power is 2x2 eight times, or 2x2x2x2x2x2x2x2 = 256.
When the letter A is represented as 41h, it is displayed in which of the following?

A. Hexadecimal
B. ASCII
C. Binary
D. Decimal
A. Values expressed with the letter h as a suffix are hexadecimal characters. EnCase can display the letter A in text or hexadecimal formats.
What is the decimal integer value for the binary code 0000-1001?

A. 7
B. 9
C. 11
D. 1001
B. Starting from the right, the bits are "on" for bit positions 1 and 8, which totals 9.
Select all of the following that depict a Dword value.

A. 00000001
B. 0001
C. FF00 10AF
D. 0000 0000 0000 0000 0000 0000 0000 0001
C, D. A Dword is a 32-bit value. A is incorrect because it depicts 8 binary bits or one byte. B is incorrect as it depicts 4 binary bits or one nibble. C is correct because it represents four hexadecimal values with each being 8 bits (4 x 8 = 32 bits). D is correct because it represents 32 binary bits.
How many characters can be addressed by the 7-bit ASCII character table? 16-bit Unicode?

A. 64 and 256
B. 128 and 256
C. 64 and 65,536
D. 128 and 65,536
D. 2 to the 7th power is 2x2 seven times, or 2x2x2x2x2x2x2 = 128, while 2 to the 16th power is 2x2 sixteen times = 65,536.
Where does EnCase (version 5 or 6) store keywords?

A. Within each specific case file (.case and .cbak)
B. In the KEYWORDS.INI file
C. Both A and B
D. None of the above
C. In version 5 and 6, keywords can be saved in specific case files (.case and .cbak) as well as globally in the KEYWORDS.INI file.
When performing a keyword search in Windows, EnCase searches which of the following?

A. The logical files
B. The physical disk in unallocated clusters and other unused disk areas
C. Both A and B
D. None of the above
C. EnCase performs a search not only of logical files but of the entire disk to include unallocated clusters and unused disk areas outside the logical partition.
By default, search terms are case sensitive.

A. True
B. False
B. By default, the Case Sensitive option is not selected; therefore, search terms are not case sensitive unless you select that option.
By selecting the Unicode box, EnCase searches for both ASCII and Unicode formats.

A. True
B. False
A. By selecting the Unicode box, EnCase will search for both ASCII and Unicode formats.
With regard to a search using EnCase in the Windows environment, can EnCase find a word or phrase that is fragmented or spans noncontiguous clusters?

A. No, because the letters are located in noncontiguous clusters.
B. No, EnCase performs a physical search only.
C. No, unless the File Slack option is deselected in the dialog box before the search.
D. Yes, EnCase performs both physical and logical searches.
D. EnCase can perform both physical searches as well as logical searches for keyword(s) that span noncontiguous clusters.
Which of the following would be a search hit for the His keyword?

A. this
B. His
C. history
D. Bill_Chisholm@gmail.com
E. All of the above
E. Since the entry allows for characters to precede and follow the keyword, and the default setting does not have the Case Sensitive option enabled, all the selections apply.
Which of the following would be a search hit for the following GREP expression?
[^a-z]Liz[^a-z]

A. Elizabeth
B. Lizzy
C. Liz1
D. None of the above
C. The GREP symbol ^ means to exclude the following characters. So the GREP expression in the question excludes the alpha characters (a through z) before and after the keyword but will find nonalpha characters such as numbers.
Which of the following would be a search hit for the following GREP expression?

[\x00-\x07]\x00\x00\x00.
A. 00000001 AOEE-F11
B. Os000OO0AOEE-F1m
C. 0A000000AOEEF1
D. 08'000000AOEE-F1a
B. The GREP expression in the question permits a hexadecimal range from 00 through 07 followed by hexadecimal values 00 00 00 and any other character.
Which of the following would be a search hit for the following GREP expression?

Jan 1st, 2?0?06
A. Jan 1st, 2006
B. Jan 1st, 06
C. Both A and B
D. None of the above
C. The GREP expression ? calls for the preceding character to be repeated 0 or 1 time. The GREP expression calls for 2 or not, then 0 or not, followed by 06.
Which of the following will not be a search hit for the following GREP expression?

[^#]123[ \-]45[ \-]6789[^#]
A. A1234567890
B. A12345-6789
C. A123-45-6789
D. A123 45 6789
A. The GREP expression [^#] means that it cannot be a number, meaning the first character and the last character following the 9 can't be numbers. Therefore, A will not return as a search hit because the number 0 follows the number 9.
A sweep or highlight of a specific range of text is referred to as which of the following?

A. File group bookmark
B. Folder information bookmark
C. Highlighted data bookmark
D. Notable file bookmark
E. Notes bookmark
C. The highlighted data bookmark is a sweep or highlight of a specific text fragment.
Which of the following is not correct regarding building and querying indexes?

A. To search an index, click the Search button on the toolbar.
B. Search hits will appear in the Docs tab and in the Transcript tab.
C. The Hits tab appears in the Filters pane and is used to navigate among search hits.
D. The indexing tool is an EnScript.
E. Conditions are used to query an index.
A. Searching an index is not conducted from the Search button on the toolbar; rather, conditions are used to query the index.