Reading...
Play button
Play button
Use LEFT and RIGHT arrow keys to navigate between flashcards;
Use UP and DOWN arrow keys to flip the card;
H to show hint;
A reads text to speech;
172 Cards in this Set
- Front
- Back
|
When an EnCase user double-clicks on a file within EnCase what determines the action that will result?
Select all that apply A. The settings in the case file. B. The settings in the FileTypes.ini file. C. The setting in the evidence file. |
B. The settings in the FileTypes.ini file.
|
|
|
Search results are found in which of the following files? Select all that apply.
A. The evidence file B. The configuration Searches.ini file C. The case file |
C. The case file
|
|
|
If cluster #3552 entry in the FAT table contains a value of 00 this would mean:
A. The cluster is unallocated B. The cluster is the end of a file C. The cluster is allocated D. The cluster is marked bad |
A. The cluster is unallocated
|
|
|
The following GREP expression was typed in exactly as shown. Choose the answer(s) that would result.
Bob@[a-z]+.com A. Bob@New zealand.com B. Bob@My-Email.com C. Bob@America.com D. Bob@a-z.com |
C. Bob@America.com
|
|
|
You are an investigator and have encountered a computer that is running at the home of a suspect. The computer does not appear to be a part of a network. The operating system is Windows XP Home. No programs are visibly running. You should:
A. Pull the plug from the back of the computer. B. Turn it off with the power button. C. Pull the plug from the wall D. Shut it down with the start menu. |
A. Pull the plug from the back of the computer.
|
|
|
A physical size is:
A. The total size in sectors of an allocated file. B. The total size of all the clusters used by the file measured in bytes. C. The total size in bytes of a logical file. D. The total size of the file including the ram slack in bytes. |
B. The total size of all the clusters used by the file measured in bytes.
|
|
|
In Unicode, one printed character is composed of ______ bytes of data.
A. 8 B. 4 C. 2 D. 1 |
C. 2
|
|
|
If cluster number 10 in the FAT contains the number 55, this means:
A. That cluster 10 is used and the file continues in cluster number 55. B. That the file starts in number 55 and continues to cluster number 10. C. That there is a cross-linked file. D. The cluster number 55 is the end of an allocated file. |
A. That cluster 10 is used and the file continues in cluster number 55.
|
|
|
How are the results of a signature analysis examined?
A. By sorting on the category column in the Table view. B. By sorting on the signature column in the Table view. C. By sorting on the hash sets column in the Table view. D. By sorting on the hash library column in the Table view. |
B. By sorting on the signature column in the Table view.
|
|
|
The acronym ASCII stands for:
A. American Standard Communication Information Index B. American Standard Code for Information Interchange C. Accepted Standard Code for Information Interchange D. Accepted Standard Communication Information Index |
B. American Standard Code for Information Interchange
|
|
|
The default export folder remains the same for all cases.
A. True B. False |
B. False
|
|
|
The EnCase default export folder is:
A. A case-specific setting that cannot be changed. B. A case-specific setting that can be changed. C. A global setting that can changed. D. A global setting that cannot be changed. |
B. A case-specific setting that can be changed.
|
|
|
Hash libraries are commonly used to:
A. Compare a file header to a file extension. B. Identify files that are already known to the user. C. Compare one hash set with another hash set. D. Verify the evidence file |
B. Identify files that are already known to the user.
|
|
|
Which is the proper formula for determining the size in bytes of a hard drive that uses cylinders (C), heads (H), and sectors (S) geometry?
A. CxH+S B. CxHxS+512 C. CxHxSx512 D. CxHxS |
C. CxHxSx512
|
|
|
Within EnCase, clicking on Save on the toolbar affects what file(s)?
A. All of the Below B. The evidence files C. The open case file D. The configuration .ini files |
C. The open case file
|
|
|
EnCase uses the ________________ to conduct a signature analysis.
A. Both b and c B. file signature table C. hash library D. file Viewers |
B. file signature table
|
|
|
EnCase is able to read and examine which of the following file systems?
A. NTFS B. EXT3 C. FAT D. HFS |
A. NTFS
B. EXT3 C. FAT D. HFS |
|
|
ROM is an acronym for:
A. Read Open Memory B. Random Open Memory C. Read Only memory D. Relative Open Memory |
C. Read Only memory
|
|
|
If a floppy diskette is in the A drive, the computer will always boot to that drive before any other device.
A. False B. True |
A. False
|
|
|
A standard Windows 98 boot disk is acceptable for booting a suspect drive.
A. True B. False |
B. False
|
|
|
Search terms are case sensitive by default.
A. False B. True |
A. False
|
|
|
The following GREP expression was typed in exactly as shown. Choose the answer(s) that would result. Jan 1st, 2?0?00
A. Jan 1st, 1900 B. Jan 1st, 2100 C. Jan 1st, 2001 D. Jan 1st, 2000 |
D. Jan 1st, 2000
|
|
|
An evidence file can be moved to another directory without changing the file verification.
A. False B. True |
B. True
|
|
|
Pressing the power button on a computer that is running could have which of the following results?
A. The computer will instantly shut off. B. The computer will go into stand-by mode. C. Nothing will happen. D. The operating system will shut down normally. E. All of the above could happen. |
E. All of the above could happen.
|
|
|
How does Encase verify that the evidence file contains an exact copy of the suspect hard drive? How does EnCase verify that the evidence file contains an exact copy of the suspect's hard drive?
A. By meant of a CRC value of the suspect hard drive compared to a CRC value of the data stored in the evidence file. B. By means of an MD5 hash of the suspect hard drive compared to an MD5 hash of the data stored in the evidence file. C. By means of a CRC value of the evidence file itself. D. By means of an MD5 hash value of the evidence file itself. |
B. By means of an MD5 hash of the suspect hard drive compared to an MD5 hash of the data stored in the evidence file.
|
|
|
By default, EnCase will display the data from the end of a logical file, to the end of the cluster, in what color:
A. Red B. Red on black C. Black on red D. Black |
A. Red
|
|
|
A SCSI drive is pinned as a master when it is:
A. The only drive on the computer. B. The primary of two drives connected to one cable. C. Whenever another drive is on the same cable and is pinned as a slave. D. A SCSI drive is not pinned as a master. |
D. A SCSI drive is not pinned as a master.
|
|
|
The following GREP expression was typed in exactly as shown. Choose the answer(s) that would result.
[^a-z]Tom[^a-z] A. Tomato B. Tom C. Toms D. Stomp |
B. Tom
|
|
|
This question addresses the EnCase for Windows search process. If a target word is within a logical file, and it begins in cluster 10 and ends in cluster 15 (the word is fragmented), the search:
A. Will not find it unless file slack is checked on the search dialog box. B. Will find it because EnCase performs a logical search. C. Will not find it because EnCase performs a physical search only. D. Will not find it because the letters of the keyword are not contiguous. |
B. Will find it because EnCase performs a logical search.
|
|
|
An evidence file was archived onto five CD-Rom disks with the third file segment on disk number three. Can the contents of the third file segment be verified by itself while still on the CD?
A. No. Archived files are compressed and cannot be verified until un-archived. B. No. All file segments must be put back together. C. Yes. Any segment of an evidence file can be verified through re-computing and comparing the CRCs, even if it is on a CD. D. No. EnCase cannot verify files on CDs. |
C. Yes. Any segment of an evidence file can be verified through re-computing and comparing the CRCs, even if it is on a CD.
|
|
|
The case file should be archived with the evidence files at the termination of a case.
A. True B. False |
A. True
|
|
|
A signature analysis has been run on a case. The result "Bad Signature” means:
A. The file signature is known and does not match a known file header. B. The file signature is known and the file extension is known. C. The file signature is known and does not match a known file extension. D. The file signature is unknown and the file extension is known. |
D. The file signature is unknown and the file extension is known.
|
|
|
A standard DOS 6.22 boot disk is acceptable for booting a suspect drive.
A. True B. False |
B. False
|
|
|
When can an evidence file containing a NTFS partition be logically restored to a FAT 32 partition?
A. Never B. When the FAT 32 has the same number of sectors / clusters. C. When the FAT 32 is the same size or bigger. D. Both b and c |
A. Never
|
|
|
Which of the following selections would be used to keep track of a fragmented file in the FAT file system?
A. The directory entry for the fragmented file B. The partition table of extents C. The File Allocation Table D. All of the above |
C. The File Allocation Table
|
|
|
What files are reconfigured or deleted by EnCase during the creation of an EnCase boot disk?
A. command.com B. autoexec.bat C. drvspace.bin D. io.sys |
A. command.com
C. drvspace.bin D. io.sys |
|
|
A signature analysis has been run on a case. The result ?*JPEG? in the signature column means:
A. The file signature is unknown and the header is a JPEG. B. The file signature is a JPEG signature and the file extension is incorrect. C. The file signature is unknown and the file extension is JPEG. D. None of the above |
B. The file signature is a JPEG signature and the file extension is incorrect.
|
|
|
The following GREP expression was typed in exactly as shown. Choose the answer(s) that would result.
[\x00-\x05]\x00\x00\x00 A. FF 0000 00 00 FF BA B. 0000 00 01 FF FF BA C. 04 06 000 00 FF FF BA D. 04 0000 00 FF FF BA |
D. 04 0000 00 FF FF BA
|
|
|
Which of the following items could contain digital evidence? (select all that apply)
A. Credit card readers B. Personal assistant devices C. Cellular phones D. Digital cameras |
A. Credit card readers
B. Personal assistant devices C. Cellular phones D. Digital cameras |
|
|
What information in a FAT file system directory entry refers to the location of a file on the hard drive?
A. The file size B. The file attributes C. The starting cluster D. The fragmentation settings |
C. The starting cluster
|
|
|
The EnCase methodology dictates that ________ be created prior to acquiring evidence.
A. a unique directory on the lab drive for case management B. a text file for notes C. All of the above D. an .E01 file on the lab drive |
A. a unique directory on the lab drive for case management
|
|
|
Select the appropriate name for the highlighted area of the binary numbers.
0000 A. Byte B. Dword C. Bit D. Word E. Nibble |
E. Nibble
|
|
|
Which of the following is commonly used to encode e-mail attachments?
A. GIF B. EMF C. JPEG D. Base64 |
D. Base64
|
|
|
Select the appropriate name for the highlighted area of the binary numbers.
0 A. Byte B. Dword C. Word D. Bit E. Nibble |
D. Bit
|
|
|
If cases are worked on a lab drive in a secure room, without any cleaning of the contents of the drive, which of the following areas would be of most concern?
A. There is no concern B. Cross-contamination C. Chain-of-custody D. Storage |
B. Cross-contamination
|
|
|
Temp files created by EnCase are deleted when EnCase is properly closed.
A. True B. False |
A. True
|
|
|
A file extension and signature can be manually added by:
A. Using the new library feature under hash libraries. B. Right-clicking on a file and selecting dd.? C. Using the new set feature under hash sets. D. Using the new file signature feature under file signatures. |
D. Using the new file signature feature under file signatures.
|
|
|
Using good forensic practices, when seizing a computer at a business running Windows 2000 Server you should:
A. Pull the plug from the-back of the computer. B. Press the power button and hold it in. C. Shut it down normaly D. Pull the plug from the wall. |
C. Shut it down normaly
|
|
|
Which of the following statements is more accurate?
A. The Recycle Bin increases the chance of locating the existence of a file on a computer. B. The Recycle Bin reduces the chance of locating the existence of a file on a computer. |
A. The Recycle Bin increases the chance of locating the existence of a file on a computer.
|
|
|
The maximum file segment size for an EnCase evidence file is:
A. 1500 MB B. 1000 MB C. 2000 MB D. There is no limit. E. 500 MB |
C. 2000 MB
|
|
|
When a file is deleted in the FAT file system, what happens to the FAT?
A. The FAT entries for that file are marked as allocated. B. Nothing C. It is deleted as well. D. The FAT entries for that file are marked as available. |
D. The FAT entries for that file are marked as available.
|
|
|
Select the appropriate name for the highlighted area of the binary numbers.
0000 0000 A. Word B. Byte C. Bit D. Nibble E. Dword |
B. Byte
|
|
|
Consider the following path in a FAT file system:
C:\Documents and Settings\Default User\My Documents\My Pictures A. From the My Pictures directory B. From the My Documents directory C. From the root directory c:\ D. From itself |
A. From the My Pictures directory
|
|
|
The EnCase case file can be best described as:
A. The file that runs EnCase for Windows. B. A file contains configuration settings for cases. C. None of the above. D. A file that contains information specific to once case |
D. A file that contains information specific to once case
|
|
|
Before utilizing an analysis technique on computer evidence, the investigator should:
A. Test the technique on simulated evidence in a controlled environment to confirm that the results are consistent. B. Be trained in the employment of the technique. C. Botha a and b D. Neither a or b |
C. Botha a and b
|
|
|
A hard drive has 8 sectors per cluster. File Mystuff.doc has a logical file size of 13,000 bytes. How many clusters will be used by Mystuff.doc?
A. 4 B. 1 C. 2 D. 3 |
A. 4
|
|
|
Encase marks a file as overwritten when _____________ has been allocated to another file.
A. all of the file B. the starting cluster of the file C. the directory entry for the file D. any part of the file |
B. the starting cluster of the file
|
|
|
When a document is printed using EMF in Windows, what file(s) are generated in the spooling process?
A. The.SHD file B. The.SPL file C. Neither a or b D. Both a and b |
D. Both a and b
|
|
|
An Enhanced Metafile would best be described as:
A. A compressed zip file. B. A graphics file attached to an e-mail message. C. A compound e-mail attachment. D. A file format used in the printing process by Windows. |
D. A file format used in the printing process by Windows.
|
|
|
How many clusters can a FAT 16 system address?
A. 65,536 B. 4,096 C. 268,435,456 D. 4,294,967,296 |
A. 65,536
|
|
|
The EnCase evidence file logical filename can be changed without affecting the verification of the acquired evidence.
A. True B. False |
A. True
|
|
|
In the FAT file system, the size of a deleted file can be found:
A. In the FAT B. In the directory entry C. In the file footer D. In the file header |
B. In the directory entry
|
|
|
A sector on a floppy disk is the same size as a sector on a NTFS formatted hard drive.
A. False B. True |
B. True
|
|
|
A suspect typed a file on his computer and saved it to a floppy diskette. The filename was MyNote.txt. You receive the floppy and the suspect computer. The suspect denies that the floppy disk belongs to him. You search the suspect computer and locate only the filename within a .LNK file. The .LNK file is located in the folder C:\Windows\Recent. How you would use the .LNK file to establish a connection between the file on the floppy diskette and the suspect computer?
A. Both b and c B. The date and time of the file found in the LNK file, at file offset 28 C. The full path of the file, found in the LNK file D. The file signature found in the .LNK file |
A. Both b and c
|
|
|
Select the appropriate name for the highlighted area of the binary numbers.
0000 0000 0000 0000 0000 0000 0000 0000 A. Word B. Dword C. Byte D. Nibble E. Bit |
B. Dword
|
|
|
The Encase methodology dictates that the lab drive for evidence have a ______ prior to making an image.
A. FAT 16 partition B. NTFS partition C. unique volume label D. bare, unused partition |
C. unique volume label
|
|
|
In hexadecimal notation, one byte is represented by ______ character(s).
A. 2 B. 1 C. 8 D. 4 |
A. 2
|
|
|
A personal data assistant was placed in an evidence locker until an examiner has time to examine it. Which of the following areas would require special attention?
A. Chain-of-custody B. Storage C. There is no concern D. Cross-contamination |
B. Storage
|
|
|
When a non-compressed evidence file is reacquired with compression, the acquisition and verification hash values for the evidence will remain the same for both files.
A. True B. False |
A. True
|
|
|
To generate an MD5 hash value for a file, EnCase:
A. Computes the hash value including the logical file and filename. B. Computes the hash value including the physical file and filename. C. Computes the hash value based on the logical file. D. Computes the hash value based on the physical file. |
C. Computes the hash value based on the logical file.
|
|
|
Which of the following is found in the FileSignatures.ini configuration file?
A. The results of a hash analysis B. The information contained in the signature table C. The results of a signature analysis D. Pointers to an evidence file |
B. The information contained in the signature table
|
|
|
During the power-up sequence, which of the following happens first?
A. The boot sector isolated on the hard drive. B. The Power On Self-Test (POST) C. The floppy drive is checked for a diskette. D. The BIOS on an add-in card is executed. |
B. The Power On Self-Test (POST)
|
|
|
A restored floppy diskette will have the same hash value as the original diskette.
A. True B. False |
A. True
|
|
|
A hard drive was imaged using EnCase. The original drive was placed into evidence. The restore feature was use to make a copy of the original hard drive. EnCase verifies the restored copy using:
A. An MD5 hash B. A 32 bit CRC C. Nothing. Restored volumes are not verified. D. A running log |
A. An MD5 hash
|
|
|
To later verify contents of an evidence file
A. Encase writes a CRC value for every 64 sectors copied. B. EnCase writes a CRC value for every 128 sectors copied. C. EnCase writes an MD5 hash value every 64 sectors copied. D. EnCase writes an MD5 hash value for every 32 sectors copied. |
A. Encase writes a CRC value for every 64 sectors copied.
|
|
|
Assume that MyNote.txt had been deleted. The FAT file system directory entry for that file has been overwritten. The data for MyNote.txt is now:
A. Overwritten B. Allocated C. Cross-linked D. Unallocated |
D. Unallocated
|
|
|
When an Encase user double-clicks on a valid jpg file, that file is:
A. Copied to the default export folder and opened by an associated program. B. Renamed to JPG_0001.jpg and copied to the default export folder. C. Copied to the EnCase Specified temp folder and opened by an associated program. D. Opened by EnCase. |
C. Copied to the EnCase Specified temp folder and opened by an associated program.
|
|
|
When un-deleting a file in the FAT file system, EnCase will check the _______ to see if it has already been overwritten.
A. data on the hard drive B. deletion table C. directory entry D. FAT |
D. FAT
|
|
|
You are assigned to assist with the search and seizure of several computers. The magistrate ordered that the computers cannot be seized unless they are found to contain any one of ten previously identified images. You currently have ten images in JPG format. Using the EnCase methodology, how would you best handle this situation?
A. UseFastBloc or a network/parallel port cable to preview the hard drives. Go to the Gallery view and search for the previously identified images. B. UseFastBloc or a network/parallel port cable to acquire forensic images of the hard drives, then search the evidence files for the previously identified images. C. UseFastBloc or a network/parallel port cable to preview the hard drives. Conduct a hash analysis of the files on the hard drives, using a hash library containing the hash values of the previously identified images. D. Use an EnCase DOS boot disk to conduct a text search for child porn? |
C. UseFastBloc or a network/parallel port cable to preview the hard drives. Conduct a hash analysis of the files on the hard drives, using a hash library containing the hash values of the previously identified images.
|
|
|
The EnCase signature analysis is used to perform which of the following actions?
A. Analyzing the relationship of a file signature to its file extension. B. Analyzing the relationship of a file signature to its file header. C. Analyzing the relationship of a file signature to a list of hash sets. D. Analyzing the relationship of a file signature to its computed MD5 hash value. |
A. Analyzing the relationship of a file signature to its file extension.
|
|
|
A SCSI host adapter would most likely perform which of the following tasks?
A. Configure the motherboard settings to the BIOS. B. None of the above C. Set up the connection of IDE hard drives. D. Make SCSI hard drives and other SCSI devices accessible to the operating system. |
D. Make SCSI hard drives and other SCSI devices accessible to the operating system.
|
|
|
A CPU is:
A. A chip that would be considered the brain of a computer, which is installed on a motherboard. B. A Central Programming Unit. C. A motherboard with all required devices connected. D. An entire computer box, not including the monitor and other attached peripheral devices. |
A. A chip that would be considered the brain of a computer, which is installed on a motherboard.
|
|
|
In Windows, the file MyNote.txt is deleted from C Drive and is automatically sent to the Recycle Bin. The long filename was MyNote.txt and the short filename was MYNOTE.TXT. When viewing the Recycle Bin with EnCase, how will the long filename and MyNote.txt and the short filename was MYNOTE.TXT.
A. MyNote.txt, CD0.txt B. MyNote.txt, DC0.txt C. MyNote.del, DC1.del D. MyNote.del, DC0.del |
B. MyNote.txt, DC0.txt
|
|
|
This question addresses the EnCase for Windows search process. If a target word is located in the unallocated space, and the word is fragmented between clusters 10 and 15, the search:
A. Will not find it because the letters of the keyword are not contiguous. B. Will not find it because EnCase performs a physical search only. C. Will find it because EnCase performs a logical search. D. Will not find it unless file slack is checked on the search dialog box. |
A. Will not find it because the letters of the keyword are not contiguous.
|
|
|
A case file can contain ___ hard drive images?
A. 5 B. 1 C. any number of D. 10 |
C. any number of
|
|
|
RAM is tested during which phase of the power-up sequence?
A. Pre-POST B. After POST C. During POST D. None of the above. |
C. During POST
|
|
|
To undelete a file in the FAT file system, EnCase computes the number of ________ the file will use based on the file ______.
A. Clusters; starting extent B. Sectors; starting extent C. Clusters; file size D. Sectors; file size |
C. Clusters; file size
|
|
|
The following keyword was typed in exactly as shown. Choose the answer(s) that would result. All search criteria have default settings. Tom Jones
A. tom jones B. Tom C. Jones D. Tom Jones |
A. tom jones
D. Tom Jones |
|
|
Which statement would most accurately describe a motherboard?
A. An add-in cards that handles all RAM. B. Any circuit board, regardless of its function. C. The main circuit board that has slots for the microprocessor, RAM, ROM, and add-in cards. D. An add-in card that controls all hard drive activity. |
C. The main circuit board that has slots for the microprocessor, RAM, ROM, and add-in cards.
|
|
|
When a drive letter is assigned to a logical volume, that information is temporarily written the volume boot record on the hard drive
A. True B. False |
B. False
|
|
|
Changing the filename of a file will change the hash value of the file.
A. True B. False |
B. False
|
|
|
Calls to the C:\ volume of the hard drive are not made by DOS when a computer is booted with a standard DOS 6.22 boot disk.
A. False B. True |
B. True
|
|
|
Bookmarks are stored in which of the following files?
A. The case file B. The evidence file C. The configuration Bookmarks.ini file D. All of the above |
A. The case file
|
|
|
You are at an incident scene and determine that a computer contains evidence as described in the search warrant. When you seize the computer, you should:
A. Record nothing to avoid inaccuracies that might jeopardize the use of the evidence. B. Record the location that the computer was recovered from. C. Record the identity of the person(s) involved in the seizure. D. Record the date and time the computer was seized. |
B. Record the location that the computer was recovered from.
C. Record the identity of the person(s) involved in the seizure. D. Record the date and time the computer was seized. |
|
|
How many partitions can be found in the boot partition table found at the beginning of the drive?
A. 8 B. 4 C. 6 D. 2 |
B. 4
|
|
|
Within Encase, you highlight a range of data within a file. The length indicator displays the value 30. How many bytes have you actually selected?
A. 30 B. 3 C. 60 D. 15 |
A. 30
|
|
|
Which of the following would most likely be an add-in card?
A. A video card that is connected to the motherboard in the AGP slot B. Anything plugged into socket 7 C. A motherboard D. The board that connects to the power supply |
A. A video card that is connected to the motherboard in the AGP slot
|
|
|
The Windows 98 Start Menu has a selection called documents which displays a list of recently used files. Which of the following folders contain those files?
A. C:\Windows\History B. C:\Windows\Start menu\Documents C. C:\Windows\Documents D. C:\Windows\Recent |
D. C:\Windows\Recent
|
|
|
Will Encase allow a user to write data into an acquired evidence file
A. Yes, but only bookmarks. B. Yes, but only to resize the partitions. C. No. Data cannot be added to the evidence file after the acquisition is made. D. Yes, but only case information E. No, unless the user established a writing privilege when the evidence was acquired. |
C. No. Data cannot be added to the evidence file after the acquisition is made.
|
|
|
Which of the following would be a true statement about the function of the BIOS?
A. Both b and c B. The BIOS integrates compressed executable files with memory addresses for faster execution. C. The BIOS is responsible for checking and configuring the system after the power is turned on. D. The BIOS is responsible for swapping out memory pages when RAM fills up. |
C. The BIOS is responsible for checking and configuring the system after the power is turned on.
|
|
|
You are investigating a case of child pornography on a hard drive containing Windows XP. In the C:\Docwnents and Settings\Bad Guy\Local Settings\Temporary Internet Files\ folder you find three images of child pornography. You find no other copies of the images on the suspect hard drive, and you find no other copies of the filenames.
What can be deduced from your findings? A. The presence and location of the images is not strong evidence of possession. B. The presence and location of the images is strong evidence of possession. C. The presence and location of the images proves the images were intentionally downloaded. D. Both a and c |
A. The presence and location of the images is not strong evidence of possession.
|
|
|
Which of the following aspects of the EnCase evidence file can be changed during a re-acquire of the evidence file?
A. The evidence number B. None of the above C. The acquisition notes D. The investigator name |
B. None of the above
|
|
|
For an EnCase evidence file acquired with a hash value to pass verification, which of the following must be true?
A. The MD5 hash value must verify B. The CRC values must verify. C. The CRC values and the MD5 hash value both must verify. D. Either the CRC or MD5 hash values must verify. |
C. The CRC values and the MD5 hash value both must verify.
|
|
|
In Window 98 and ME, Internet based e-mail, such as Hotmail, will most likely be recovered in the
___________________ folder. A. C:\Windows\Online\Applications\email B. C:\Windows\Temporary Internet files C. C:\Windows\History\Email D. C:\Windows\Temp |
B. C:\Windows\Temporary Internet files
|
|
|
When a file is deleted in FAT file system, what happens to the filename?
A. It is zeroed out B. The first character of the directory entry is marked with a hex 00. C. It is wiped from directory D. The first character of the directory entry is marked with a hex E5. |
D. The first character of the directory entry is marked with a hex E5.
|
|
|
The signature table data is found in which of the following files?
A. The evidence file B. The configuration FileSignatures.ini file C. All of the above D. The case file |
B. The configuration FileSignatures.ini file
|
|
|
Creating an image of a hard drive that was seized as evidence:
A. May be done by anyone because it is a relatively simple procedure. B. May only be done by trained personnel because the process has the potential to alter the original evidence. C. May only be done by computer scientists. D. Should be done by the user, as they are most familiar with the hard drive. |
B. May only be done by trained personnel because the process has the potential to alter the original evidence.
|
|
|
4 bits allows what number of possibilities?
A. 16 B. 4 C. 2 D. 8 |
A. 16
|
|
|
If an evidence file has been added to a case and completely verified, what happens if the data area within the evidence file is later changed?
A. EnCase will allow the examiner to continue to access the rest of the evidence file that has not been changed. B. EnCase detect the error if the evidence file is manually re-verified. C. EnCase will detect the error when that area of the evidence file is accessed by the user. D. All of the above |
D. All of the above
|
|
|
The EnCase evidence file is best described as:
A. A clone of the source hard drive. B. A sector-by-sector copy of the source hard drive written to the corresponding sectors of the target hard drive. C. A bit stream image of the source hard drive written to a file, or several file segments. D. A bit stream image of the source hard drive written to the corresponding sectors of the target hard drive. |
C. A bit stream image of the source hard drive written to a file, or several file segments.
|
|
|
An EnCase evidence file of a hard drive is restored to another hard drive of equal or greater size.
A. can B. cannot |
A. can
|
|
|
Searches and bookmarks are stored in the evidence file.
A. False B. True |
A. False
|
|
|
The MD5 hash algorithm produces a ______ number.
A. 32 bit B. 256 bit C. 64 bit D. 128 bit |
D. 128 bit
|
|
|
By default, what color does EnCase use for the contents of a logical file
A. Red B. Red on black C. Black D. Black on red |
C. Black
|
|
|
In Windows 2000 and XP, which of the following directories contain user personal folders?
A. C:\Personnel Folders B. C:\WINNT\Profiles C. C:\Windows\Users D. C:\Documents and settings |
D. C:\Documents and settings
|
|
|
The first sector on a volume is called the:
A. Master file tab B. Volume boot device C. Volume boot sector or record D. Master boot record |
C. Volume boot sector or record
|
|
|
If a hash analysis is run on a case, EnCase:
A. Will compute a hash value of the evidence file and begin a verification process. B. Will generate a hash set for every file in the case. C. Will compare the hash value of the files in the case to the hash library. D. Will create a hash set to the user specifications. Will create a hash set to the user specifications. |
C. Will compare the hash value of the files in the case to the hash library.
|
|
|
RAM is used by the computer to:
A. Execute the POST during Start-Up B. Temporarily store electronic data that is being processed. C. Permanently store electronic data. D. Establish a connection with external devices. |
B. Temporarily store electronic data that is being processed.
|
|
|
The following GREP expression was typed in exactly as shown. Choose the answer(s) that would result.
[(]800[)- ]?555-1212 A. (800) 555-1212 B. 800-555-1212 C. 8005551212 D. 800.555.1212 |
A. (800) 555-1212
|
|
|
The case number in an evidence file can be changed without causing the verification feature to report an error if:
A. The user utilizes a text editor. B. The case information cannot be changed in an evidence file, without causing the verification feature to report an error. C. The user utilizes the case information editor within EnCase. D. The evidence file is reacquired |
B. The case information cannot be changed in an evidence file, without causing the verification feature to report an error.
|
|
|
The results of a hash analysis on an evidence file that has been added to a case will be stored in which of the following files?
A. The evidence file B. All of the above C. The case file D. The configuration HashAnalysis.ini file |
C. The case file
|
|
|
The following keyword was typed in exactly as shown. Choose the answer(s) that would result. All search criteria have default settings. Speed and Meth
A. Meth B. Meth Speed C. Speed and Meth D. Speed |
C. Speed and Meth
|
|
|
The spool files that are created during a print job are _________ after the print job is completed.
A. moved B. wiped C. deleted and wiped D. deleted |
D. deleted
|
|
|
Which of the following selections is NOT found in the case file?
A. External viewers B. Pointers to evidence files C. Signature analysis results D. Search results |
A. External viewers
|
|
|
A hash set would most accurately be described as:
A. A group of hash libraries organized by category. B. A group of hash values that can be added to the hash library. C. A table of file headers and extensions D. Both a and b |
B. A group of hash values that can be added to the hash library.
|
|
|
When does the POST operation occur?
A. When SCSI devices are configured B. When Windows starts up. C. After a computer begins to boot from a device D. When the power button to a computer is turned on. |
D. When the power button to a computer is turned on.
|
|
|
Within EnCase, What is the purpose of the default export folder?
A. This is the folder that will be automatically selected when the copy/un-erase feature is used. B. This is the folder that will automatically store an evidence file when the acquisition is made in DOS. C. This is the folder that temporarily stores all bookmark and search results. D. This is the folder used to hold copies of files that are sent to external viewers. |
A. This is the folder that will be automatically selected when the copy/un-erase feature is used.
|
|
|
The following keyword was typed in exactly as shown. Choose the answer(s) that would be found. All search criteria have default settings. Tom
A. Tomorrow B. TomJ@hotmail.com C. Tom D. Stomp |
A. Tomorrow
B. TomJ@hotmail.com C. Tom D. Stomp |
|
|
A FAT directory has a logical size of.
A. 0 bytes B. One cluster C. 128 bytes D. 64 bytes |
A. 0 bytes
|
|
|
Within EnCase, what is the purpose of the temp folder?
A. This is the folder used to hold copies of files that are sent to external viewers. B. This is the folder that will automatically store an evidence file when the acquisition is made in DOS. C. This is the folder that temporarily stores all bookmark and search results. D. This is the folder that will automatically select when the copy/un-erase feature is used. |
A. This is the folder used to hold copies of files that are sent to external viewers.
|
|
|
In the EnCase environment, the term external viewers are best described as:
A. Programs that are exported out of an evidence file. B. Any program that will work with EnCase. C. Any program that is loaded on the lab hard drive. D. Programs that are associated with EnCase to open specific file types. |
D. Programs that are associated with EnCase to open specific file types.
|
|
|
The end of a logical file to the end of the cluster that the file ends in is called:
A. Allocated space B. Slack C. Unallocated space D. Available space |
B. Slack
|
|
|
You are working in a computer forensics lab. A law enforcement investigator brings you a computer and a valid search warrant. You have legal authority to search the computer. The investigator hands you a piece of paper that has three printed checks on it. All three checks have the same check and account number. You image the suspect computer and open the evidence file with EnCase. You perform a text search for the account number and check number. Nothing returns on the search results. You perform a text search for all other information on the printed checks and there is still nothing returned in the search results. You run a signature analysis and check the gallery. You cannot locate any graphical copies of the printed checks in the gallery. At this point, is it safe to say that the checks are not located on the suspect computer?
A. No. The images could be located in a compressed file. B. No. The images could be embedded in a document. C. No. The images could be in unallocated clusters. D. No. The images could be in an image format not viewable inside EnCase. E. All of the above. |
E. All of the above.
|
|
|
The following keyword was typed in exactly as shown. Choose the answer(s) that would result. All search criteria have default settings. credit card
A. Card B. Credit Card C. credit card D. Credit |
B. Credit Card
C. credit card |
|
|
A hard drive has been formatted as NTFS and Windows XP was installed. The user used F-disk to remove all partitions from that drive. Nothing else was done. You have imaged the drive and have opened the evidence file with EnCase. What would be the best way to examine this hard drive?
A. Use the add Partition feature to rebuild the partition and then examine the system. B. EnCase will not see a drive that has been F-disked. C. Conduct a physical search of the hard drive and bookmark any evidence. D. Use the Recovered Deleted Partitions feature and then examine the system. |
A. Use the add Partition feature to rebuild the partition and then examine the system.
|
|
|
The term signature and header as they relate to a signature analysis are
A. None of the above B. The signature is the file extension. The header is a standard pattern normally found at the beginning of a file. C. Synonymous D. Areas compared with each other to verify the correct file type. |
C. Synonymous
|
|
|
RAM is an acronym for:
A. Random Addressable Memory B. Relative Addressable Memory C. Random Access Memory D. Relative address memory |
C. Random Access Memory
|
|
|
EnCase can build a hash set of a selected group of files.
A. True B. False |
A. True
|
|
|
When handling computer evidence, an investigator should:
A. Both b and d B. Make any changes to the evidence that will further the investigation. C. Neither b or d D. Avoid making-any changes to the original evidence. |
D. Avoid making-any changes to the original evidence.
|
|
|
Assume that MyNote.txt was allocated to clusters 5, 9, and 11. Cluster 6, 7, and 8 belong to MyResume.doc. Both files have been deleted and the directory entry in the FAT file system for MyResume.doc has been overwritten. What clusters would EnCase use to undelete MyNote.txt?
A. 5,9,11 B. 5,6,7 C. 7,8,9 D. 6,7,8 |
B. 5,6,7
|
|
|
By default, what color does EnCase use for slack?
A. Black on red B. Red on black C. Red D. Black |
C. Red
|
|
|
When a file is deleted in the FAT or NTFS file systems, what happens to the data on the hard drive?
A. Nothing B. It is moved to a special area.. C. It is overwritten with zeroes. D. The file header is marked with a Sigma so the file is not recognized by the operating system. |
A. Nothing
|
|
|
GREP terms are automatically recognized as GREP by EnCase.
A. True B. False |
B. False
|
|
|
Search terms are stored in what .ini configuration file
A. FileSignatures.ini B. Keywords.ini C. TextStyle.ini D. FileTypes.ini |
B. Keywords.ini
|
|
|
Within EnCase for Windows, the search process is:
A. None of the above B. both c and d C. a search of the physical disk in unallocated clusters and other unused disk areas D. a search of the logical files |
B. both c and d
|
|
|
How does EnCase verify that the case information (Case Number, Evidence Number, Investigator Name, etc) in an evidence file has not been damaged or changed, after the evidence file has been written?
A. EnCase writes a CRC value of the case information and verifies the CRC value when the evidence is added to a case. B. EnCase does not verify the case information and case information can be changed by the user as it becomes necessary. C. The .case file writes a CRC value for the case information and verifies it when the case is opened. D. EnCase writes an MD5 hash value for the entire evidence file, which includes the case information, and verifies the MD5 hash when the evidence is added to a case. |
A. EnCase writes a CRC value of the case information and verifies the CRC value when the evidence is added to a case.
|
|
|
A hash library would most accurately be described as:
A. A master table of file headers and extensions. B. A file containing hash values from one or more selected hash sets. C. Both a and b D. A list of the all the MD5 hash values used to verify the evidence files. |
B. A file containing hash values from one or more selected hash sets.
|
|
|
The FAT in the File Allocation Table file system keeps track of:
A. File fragmentation B. Clusters marked as bad C. Every addressable cluster on the partition D. All of the Above |
D. All of the Above
|
|
|
In DOS acquisition mode, if a physical drive is detected, but no partition information is displayed, what would be the cause?
A. Both b and d B. The partition scheme is not recognized by DOS. C. Neither b and d D. There are no partitions present. |
A. Both b and d
|
|
|
What information should be obtained from the BIOS during computer forensic investigations?
A. The video caching information B. The date and time C. The port assigned to the serial port D. The boot sequence |
B. The date and time
D. The boot sequence |
|
|
All investigators using EnCase should run tests on the evidence file acquisition and verification process to:
A. Insure that the investigator is using the proper method of acquisition. B. Further the investigator understanding of the evidence file. C. Give more weight to the investigator testimony in court. D. All of the above |
D. All of the above
|
|
|
Assume that an evidence file is added to a case, the case is saved, and the case is closed. What happens if the evidence file is moved, and the case is then opened?
A. EnCase reports that the file integrity has been compromised and renders the file useless. B. EnCase opens the case, excluding the moved evidence. C. EnCase asks for the location of the evidence file the next time the case is opened. D. EnCase reports a different hash value for the evidence file. |
C. EnCase asks for the location of the evidence file the next time the case is opened.
|
|
|
To undelete a file in the FAT file system, EnCase obtains the starting extent from the:
A. Directory entry B. FAT C. Operating System D. File header |
A. Directory entry
|
|
|
The Unicode system can address _________ characters?
A. 65,536 B. 16,384 C. 256 D. 1024 |
A. 65,536
|
|
|
In DOS and Windows, how many bytes are in one FAT directory entry?
A. Variable B. 32 C. 16 D. 64 E. 8 |
B. 32
|
|
|
What is the EnCase configuration .ini files used for?
A. Storing information that will be available to EnCase each time it is opened, regardless of the active case(s). B. Storing the results of a signature analysis. C. Storing information that is specific to a particular case. D. Storing pointers to acquired evidence. |
A. Storing information that will be available to EnCase each time it is opened, regardless of the active case(s).
|
|
|
The BIOS chip on an IBM clone computer is most commonly located on:
A. The RAM chip B. The controller card C. The motherboard D. The microprocessor |
C. The motherboard
|
|
|
The boot partition table found at the beginning of a hard drive is located in what sector?
A. Volume boot sector B. Master boot record C. Master file table D. Volume boot record |
B. Master boot record
|
|
|
EnCase can make an image of a USB flash drive.
A. False B. True |
B. True
|
|
|
What does acronym BIOS stand for?
A. Basic Integrated Operating System B. Basic Input/Output System C. Binary Input/Output System D. Binary Integrated Operating System |
B. Basic Input/Output System
|
|
|
If a hard drive is left in a room while acquiring, and several persons have access to that room, which of the following areas would be of most concern?
A. Storage B. There is no concern C. Cross-contamination D. Chain-of-custody |
D. Chain-of-custody
|
|
|
You are examining a hard drive that has Windows XP installed as the operating system. You see a file that has a date and time in the deleted column. Where does that date and time come from?
A. Directory Entry B. Master File Table C. Info2 file D. Inode Table |
C. Info2 file
|
|
|
When Unicode is selected for a search keyword, EnCase:
A. None of the above. B. Will find the keyword if it is either Unicode or ASCII. C. Unicode is not a search option for EnCase. D. Will only find the keyword if it is Unicode |
B. Will find the keyword if it is either Unicode or ASCII.
|
|
|
Two allocated files can occupy one cluster, as long as they can both fit within the allotted number of bytes.
A. True B. False |
B. False
|
|
|
Which of the following directories contain the information that is found on a Windows 98 Desktop?
A. C:\Program files\Programs\\Desktop B. C:\Desktop C. C:\Startup\Desktop\Items D. C:\Windows\Desktop |
D. C:\Windows\Desktop
|
|
|
The first sector on a hard drive is called the:
A. Master file table B. Master boot record C. Volume boot record D. Volume boot sector |
B. Master boot record
|
|
|
The temporary folder of a case cannot be changed once it has been set.
A. False B. True |
A. False
|
|
|
A logical file would be best described as:
A. The data taken from starting cluster to the end of the last cluster that is occupied by the file. B. A file including any RAM and disk slack. C. A file including only RAM slack. D. The data from the beginning of the starting cluster to the length of the file. |
D. The data from the beginning of the starting cluster to the length of the file.
|
|
|
How many copies of the FAT are located on a FAT 32, Windows 98-formatted partition?
A. 2 B. 3 C. 1 D. 4 |
A. 2
|
|
|
A sector on a hard drive contains how many bytes?
A. 2048 B. 4096 C. 1024 D. 512 |
D. 512
|
|
|
You are conducting an investigation and have encountered a computer that is running in the field. The operating system is Windows XP. A software program is currently running and is visible on the screen. You should:
A. Navigate through the program and see what the program is all about, then pull the plug. B. Pull the plug from the back of the computer. C. Photograph the screen and pull the plug from the back of the computer. D. Pull the plug from the wall. |
C. Photograph the screen and pull the plug from the back of the computer.
|
|
|
Select the appropriate name for the highlighted area of the binary numbers.
0000 0000 0000 0000 A. Bit B. Nibble C. Word D. Dword E. Byte |
C. Word
|
