205 Cards in this Set


1.1. - You are a computer forensic examiner tasked with determining what evidence is on a seized computer. On what part of the computer system will you find data of evidentiary value?



A. Microprocessor or CPU


B. USB controller


C. Hard drive


D. PCI expansion slots

1.1. - C. A CPU is the central processing unit, which means it’s a microprocessor that performs data processing, in other words, interprets and executes instructions.

1.2. - What is the BIOS?



A. BIOS stands for Basic Input Output System and is a combination of low-level software and drivers that function as the interface, intermediary, or layer between a computer’s hardware and its operating system.



B. BIOS stands for Bootstrap Initialization Operating System and is a combination of low-level software and drivers that function as the interface, intermediary, or layer between a computer’s hardware and its operating system.



C. BIOS stands for Boot-level Input Output System and is a combination of low-level software and drivers that function as the interface, intermediary, or layer between a computer’s hardware and its operating system.



D. BIOS stands for Boot Initialization Operating System and is a combination of low-level software and drivers that function as the interface, intermediary, or layer between a computer’s hardware and its operating system.

1.2. - A. BIOS stands for Basic Input Output System and consists of all the low-level software that is the interface between the system hardware and its operating system. It loads, typically, from three sources: the ROM/BIOS on the motherboard; the various BIOS ROMs on video cards, SCSI cards, and so forth; and finally, the device drivers.

1.3. - What is the definition of POST?



A. A set of computer sequences the operating system executes upon a proper shutdown



B. A diagnostic test of the computer’s hardware and software for presence and operability during the boot sequence prior to running the operating system



C. A diagnostic test of the computer’s software for presence and operability during the boot sequence prior to running the operating system



D. A diagnostic test of the computer’s hardware for presence and operability during the boot sequence prior to running the operating system

1.3. - D. Power On Self-Test is a diagnostic test of the computer’s hardware, such as the motherboard, memory, CD-ROM drive, and so forth. POST does not test the computer’s software.

1.4. - Is the information stored on a computer’s ROM chip lost during a proper shutdown?



A. Yes


B. No

1.4. - B. Information contained on a ROM chip, read-only memory, is not lost after the computer has been shut down.

1.5. - Is the information contained on a computer’s RAM chip accessible after a proper shutdown?



A. Yes


B. No

1.5. - B. Unlike a ROM chip, information contained on a computer’s RAM chip is not readily accessible after a proper shutdown.

1.6. - Can information stored in the BIOS ever change?



A. Yes


B. No

1.6. - A. Although not very common, information stored in the BIOS can change, such as when the BIOS needs to be upgraded to support new hardware.

1.7. - What is the purpose or function of a computer’s ROM chip?



A. Long-term or permanent storage of information and instructions



B. Temporary storage area to run applications



C. Permanent storage area for programs and files



D. A portable storage device

1.7. - A. Read-only memory (ROM) contains information about the computer, such as hardware configuration. Unlike RAM, the information is not lost once power is disconnected.

1.8. - Information contained in RAM memory (system’s main memory), which is located on the motherboard, is _________ .



A. volatile


B. nonvolatile

1.8. - A. Information contained in RAM memory is considered volatile, which means the data is lost after the computer has been disconnected.

1.9. - What is the maximum number of drive letters assigned to hard drive(s) partitions on a system?



A. 4


B. 16


C. 24


D. Infinity

1.9. - C. The answer is 24 drive letters (C–Z), with drive letters A and B reserved for floppy drives.

1.10. - The smallest area on a drive that data can be written to is a _______, while the smallest area on a drive that a file can be written to is a ________.



A. bit and byte


B. sector and cluster


C. volume and drive


D. memory and disk

1.10. - B. Data is written to sectors, and files are written to clusters.

1.11. - The size of a physical hard drive can be determined by which of the following?



A. The cylinder × head × sector



B. The cylinder × head × sector × 512 bytes



C. The total LBA sectors × 512 bytes



D. Adding the total size of partitions



E. Both B and C

1.11. - E. Multiplying C, H, and S gives the total amount of sectors in older systems if the number of sectors per track is constant. When it’s not, total LBA sectors give total sectors. Multiplying the total number of sectors from the appropriate method by 512 bytes per sector gives the total number of bytes for the physical drive. Adding up the total size of partitions does not include areas outside the partitions, such as unused disk area.

1.12. - Which is not considered exclusively an output device?



A. Monitor
B. Printer
C. CD-RW drive
D. Speaker

1.12. - C. A CD-RW (rewritable) drive is both an input and output device, as opposed to a CD drive, which only reads and inputs data to the computer system.

1.13. - The electrical pathway used to transport data from one computer component to another is called what?



A. Bus
B. RAM
C. CMOS
D. BIOS

1.13. - A. A bus performs two functions: it transports data from one place to another and directs the information where to go.

1.14. - What is the main component of a computer to which essential internal devices such as CPU, memory chips, and other chipsets are attached?



A. BIOS
B. Motherboard
C. Expansion card
D. Processor

1.14. - B. The motherboard is the main circuit board used to attach internal hardware devices to its connectors.

1.15. - IDE, SCSI, and SATA are different types of interfaces describing what device?



A. RAM chips
B. Flash memory
C. CPUs
D. Hard drives

1.15. - D. Integrated Drive Electronics (IDE), Small Computer System Interface (SCSI), and Serial Advanced Technology Attachment (SATA) describe different hard drive interfaces.

1.16. - What do the terms master, slave, and Cable Select refer to?



A. External SCSI devices


B. Cable types for external hardware


C. Jumper settings for internal hardware such as IDE hard drives and CD drives


D. Jumper settings for internal expansion cards

1.16. - C. Master, Slave, and Cable Select are settings for internal devices such as IDE hard drives and CD drives to identify and differentiate the devices on the same channel.

1.17. - What can you assume about a hard drive that is pinned as CS?



A. It’s an IDE drive.
B. It’s a SATA drive.
C. It’s a SCSI drive.
D. All of the above.

1.17. - A. SATA and SCSI hard drives do not require jumper setting configurations.

1.18. - What is found at Cylinder 0, Head 0, Sector 1 on a hard drive?



A. Master boot record
B. Master file table
C. Volume boot record
D. Volume boot sector

1.18. - A. The master boot record is always located at the first physical sector on a hard drive. This record stores key information about the drive itself, such as the master partition table and master boot code.

1.19. - What is the first sector on a volume called?



A. File allocation table
B. Volume boot record or sector
C. Master boot record
D. Volume boot device

1.19. - B. The first sector on a volume is called the volume boot record or volume boot sector. This sector contains the disk parameter block and volume boot code.

1.20. - Which of the following is incorrect?





A. The MBR is typically written when the drive is partitioned with FDISK or DISKPART.



B. A file system is a system or method of storing and retrieving data on a computer system that allows for a hierarchy of directories, subdirectories, and files.



C. The VBR is typically written when the drive is high-level formatted with a utility such as format.



D. The partition table is contained within the MBR and consists of a total of 16 bytes, which describes up to four partitions using 4 bytes each to do so.

1.20. - D. All are true statements, except for a portion of D. The partition table is contained within the MBR and consists of a total of 64 bytes, not 16 bytes, which describes up to four partitions using 16 bytes each to do so, not 4 bytes each.

2.1. - On a FAT file system, FAT is defined as which of the following?



A. A table consisting of master boot record and logical partitions


B. A table created during the format that the operating system reads to locate data on a drive


C. A table consisting of filenames and file attributes


D. A table consisting of filenames, deleted filenames, and their attributes

2.1. - B. The file allocation table is created by the file system during format and contains pointers to clusters located on a drive.

2.2. - How does a corrupted sector located in the data area of a hard drive affect the corresponding cluster number on a FAT in a FAT file system?



A. It does not affect the corresponding cluster number on a FAT; therefore, the rest of the sectors associated with the assigned cluster can still be written to.



B. It does not affect the corresponding cluster number on a FAT; only the corrupted portion of the sector is prevented from being written to.



C. It does affect the FAT. The corresponding cluster number is marked as bad; however, only the corrupted sector within the cluster is prevented from being written to.



D. It does affect the FAT. The corresponding cluster number is marked as bad, and the entire cluster is prevented from being written to.

2.2. - D. When the FAT marks a cluster as being bad, the entire cluster is prevented from being written to.

2.3. - Which of the following describes a partition table?



A. It is located at cylinder 0, head 0, sector 1.
B. Is located in the master boot record.
C. It keeps track of the partitions on a hard drive.
D. All of the above.

2.3. - D. A partition table is located in the master boot record and is always located in the very first sector of a physical drive. The partition table keeps track of the partitions located on the physical drive.

2.4. - Which selection keeps track of a fragmented file in a FAT (not exFAT) file system?



A. File Allocation Table
B. Directory structure
C. Volume boot record
D. Master file table

2.4. - A. The FAT assigns numbers to each cluster entry pointing to the next cluster in the cluster run until the last cluster is reached, which is marked as EOF.

2.5. - If the FAT, in a FAT file system, lists cluster number 2749 with a value of 0, what does this mean about this specific cluster?



A. It is blank and contains no data.
B. It is marked as bad and cannot be written to.
C. It is allocated to a file.
D. It is unallocated and is available to store data.

2.5. - D. When the FAT marks a cluster as 0, it is an unallocated cluster, which means it is freely available to store data.

2.6. - Which of the following is true about a volume boot record?



A. It is always located at the first sector of its logical partition.


B. It immediately follows the master boot record.


C. It contains BIOS parameter block and volume boot code.


D. Both A and C.

2.6. - D. The volume boot record is always located at the first sector of its logical partition and contains the BIOS parameter block and volume boot code.

2.7. - The NTFS file system does which of the following?



A. Supports long filenames
B. Compresses individual files and directories
C. Supports large file sizes in excess of 4 GB
D. All of the above

2.7. - D. The NTFS file system supports long filenames, compresses files and directories, and supports file sizes in excess of 4 GB.

2.8. - How many clusters can a FAT32 file system manage?



A. 2 × 32 = 64 clusters
B. 2^32 = 4,294,967,296 clusters
C. 2 × 28 = 56 clusters
D. 2^28 = 268,435,456 clusters

2.8. - D. A FAT32 file system theoretically allows up to 2^28 = 268,435,456 clusters. The extra 4 bits are reserved by the file system, however, and there is an MBR-imposed limit of 67,092,481 clusters, which means FAT32 is capable of supporting a partition size of 2 terabytes.

2.9. - In a FAT file system, the FAT tracks the _____________ while the directory entry tracks the _____________ .



A. The filename and file size


B. The file’s starting cluster and file’s last cluster (EOF)


C. The file’s last cluster (EOF) and file’s starting cluster


D. The file size and file fragmentation

2.9. - C. The FAT tracks the location of the last cluster for a file (EOF), while the directory entry maintains the file’s starting cluster number.

2.10. - How many copies of the FAT does each FAT32 volume maintain in its default configuration?



A. One
B. Two
C. Three
D. Four

2.10. - B. Each volume maintains two copies (one for backup): FAT1 and FAT2.

2.11. - Which of the following is not true regarding the NTFS file system?



A. Data for very small files can be stored in the MFT itself and is referred to as resident data.


B. Cluster allocation is tracked in the $Bitmap file.


C. Data that is stored in clusters is called nonresident data.


D. Cluster allocation is tracked in the File Allocation Table (FAT).

2.11. - D. A, B, and C are all true statements regarding NTFS; however, there is no FAT in an NTFS file system. FAT is an element of the FAT file system.

2.12. - A file’s physical size is which of the following?



A. Always greater than the file’s logical size


B. The number of bytes in the logical file plus all slack space from the end of the logical file to the end of the last cluster


C. Both A and B


D. None of the above

2.12. - B. A file’s physical size is the number of bytes to the end of the last cluster, and a file’s logical size is the number of bytes that the actual file contains. A file’s physical size can be the same as its logical size.

2.13. - A directory entry in a FAT file system has a logical size of which of the following?



A. 0 bytes
B. 8 bytes
C. 16 bytes
D. One sector

2.13. - A. A directory entry in a FAT file system has no logical size.

2.14. - Each directory entry in a FAT file system is ____ bytes in length.



A. 0
B. 8
C. 16
D. 32

2.14. - D. In a FAT file system, each directory entry is 32 bytes in length.

2.15. - By default, what color does EnCase use to display directory entries within a directory structure?



A. Black
B. Red
C. Gray
D. Yellow

2.15. - B. Because directory entries are just names with no logical size and because they do not contain any actual data, EnCase displays the information in red.

2.16. - What is the area between the end of a file’s logical size and the file’s physical size called?



A. Unused disk area
B. Unallocated clusters
C. Unallocated sectors
D. Slack space

2.16. - D. The area between a file’s logical size and its physical size is commonly referred to as slack space.

2.17. - What three things occur when a file is created in a FAT32 file system?



A. The directory entry for the file is created, the FAT assigns the necessary clusters to the file, and the file’s data is filled in to the assigned clusters.



B. The filename is entered in to the FAT, the directory structure assigns the number of clusters, and the file’s data is filled in to the assigned clusters.



C. The directory entry for the file is created, the number of clusters is assigned by the directory structure, and the file’s data is filled in to the FAT.



D. The directory structure maintains the amount of clusters needed, the filename is recorded in the FAT, and the file’s data is filled in to the assigned clusters.

2.17. - A. The directory structure records the file’s information, the FAT tracks the number of clusters allocated to the file, and the file’s data is filled in to the assigned clusters.

2.18. - How does EnCase recover a deleted file in a FAT file system?



A. It reads the deleted filename in the FAT and searches for the file by its starting cluster number and logical size.



B. It reads the deleted filename in the directory entry and searches for the corresponding filename in unallocated clusters.



C. It obtains the deleted file’s starting cluster number and size from the directory entry to obtain the data’s starting location and number of clusters required.



D. It obtains the deleted file’s starting cluster number and size from the FAT to locate the starting location and amount of clusters needed.

2.18. - C. EnCase recovers deleted files by first obtaining the file’s starting cluster number and its size from the directory entry. Then, EnCase determines the number of clusters needed based on the file’s size and then attempts to recover the data from the starting extent through the amount of clusters needed.

2.19. - What does EnCase do when a deleted file’s starting cluster number is assigned to another file?



A. EnCase reads the entire existing data as belonging to the deleted file.



B. EnCase reads the amount of data only from the existing file that is associated with the deleted file.



C. EnCase marks the deleted file as being overwritten.



D. EnCase does not display a deleted filename when the data has been overwritten.

2.19. - C. When EnCase determines that the starting cluster listed in the FAT has been reassigned to an existing file, it reports the previously deleted file as being overwritten.

2.20. - Which of the following is not true regarding the exFAT file system?



A. Cluster allocation is tracked in the File Allocation Table (FAT).



B. When a file is deleted, the corresponding entries in the File Allocation Table (FAT) are reset or zeroed out.



C. Cluster allocation is tracked in an allocation bitmap.



D. An entry in the FAT of 00 00 00 00 means that the FAT is not tracking allocation for this file.

2.20. - A. All are true regarding exFAT except A, since cluster allocation is not tracked by the FAT but rather by an allocation bitmap.

3.1. - What is the first consideration when responding to a scene?



A. Your safety
B. The safety of others
C. The preservation of evidence
D. Documentation

3.1. - A. Without consideration for your own personal safety, none of the other considerations can be accomplished.

3.2. - What are some variables regarding a facility that you should consider prior to responding to a scene?



A. What type of structure is it?


B. How large is the structure?


C. What are the hours of operation?


D. Is there a helpful person present to aid in your task?


E. All of the above.

3.2. - E. When responding to a facility, your most helpful ally is prior knowledge of the location, its hours of activity, and the people who occupy it.

3.3. - What are some variables regarding items to be seized that you should consider prior to responding to a scene?



A. Location(s) of computers
B. Type of operating system
C. Workstations or mainframes
D. System-critical or auxiliary machine
E. All of the above

3.3. - E. When responding to a facility, having prior knowledge of the types and functions of the computers and their locations will help reduce any unforeseen complications, thus easing the task.

3.4. - Generally speaking, if you encounter a desktop computer running Windows 7, how should you take down the machine?



A. Shut down using Windows 7.



B. Shut down by pulling the power cord from the outlet.



C. Shut down by pulling the plug from the computer box.



D. All of the above.

3.4. - C. Pulling the plug on a workstation, unlike doing so on a server, will not lose any critical information.

3.5. - Generally speaking, if you encounter a computer running Windows 2008 Server, how should you take down the machine?



A. Shut down using its operating system.



B. Shut down by pulling the power cord from the outlet.



C. Shut down by pulling the plug from the computer box.



D. All of the above.

3.5. - A. Unlike with a Windows desktop computer, certain information may not be recovered if a server is not properly shut down. It is best to properly shut down a Windows server and document your actions.

3.6. - Generally speaking, if you encounter a Unix/Linux machine, how should you take down the machine?



A. Shut down using its operating system.



B. Shut down by pulling the power cord from the outlet.



C. Shut down by pulling the plug from the computer box.



D. All of the above.

3.6. - A. Unix/Linux machines can store critical information that may be lost if the machine is improperly shut down.

3.7. - When unplugging a desktop computer, from where is it best to pull the plug?



A. The back of the computer
B. The wall outlet
C. A or B

3.7. - A. When unplugging a desktop computer, it is best to unplug the power cord from the back of the computer at the power supply. Unplugging a cord from an outlet connected to an uninterruptible power supply (UPS) will not shut down the computer.

3.8. - What is the best method to shut down a notebook computer?



A. Unplug from the back of the computer.
B. Unplug from the wall.
C. Remove the battery.
D. Both A and C.

3.8. - D. Removing both the power cord (AC) and the battery (DC) will ensure that no electricity is being fed to the computer.

3.9. - Generally speaking, if you encounter a Macintosh computer, how should you take down the machine?



A. Shut down using the operating system.



B. Shut down by pulling the power cord from the outlet.



C. Shut down by pulling the plug from the computer box.



D. All of the above.

3.9. - C. A Mac should generally be shut down by pulling the power plug from the back of the computer.

3.10. - Which selection displays the incorrect method for shutting down a computer?



A. DOS: Pull the plug.
B. Windows 7: Pull the plug.
C. Windows XP: Pull the plug.
D. Linux: Pull the plug.

3.10. - D. The best way to shut down a Linux/Unix system is to perform a proper shutdown using the operating system.

3.11. - When shutting down a computer, what information is typically lost?



A. Data in RAM memory
B. Running processes
C. Current network connections
D. Current logged-in users
E. All of the above

3.11. - E. When the system is shut down normally or the plug is pulled, all the other live system-state data mentioned is lost.

3.12. - Which of the following is not acceptable for “bagging” a computer workstation?



A. Large paper bag.


B. Brown wrapping paper.


C. Plastic garbage bag.


D. Large antistatic plastic bag.


E. All of the above are acceptable for bagging a workstation.

3.12. - C. A plastic garbage bag has properties that are conducive to static electricity discharge, which could damage sensitive computer components, including media.

3.13. - In which circumstance is pulling the plug to shut down a computer system considered the best practice?



A. When the OS is Linux/Unix



B. When the OS is Windows 7 and known to be running a large business database application



C. When the OS is Windows (NT/2000/2003/2008) Server



D. When Mac OS X Server is running as a web server



E. None of the above

3.13. - E. In all circumstances described, the best course of action would be a normal shutdown, and thus pulling the plug is not considered best practice for any of these.

3.14. - How is the chain of custody maintained?



A. By bagging evidence and sealing it to protect it from contamination or tampering



B. By documenting what, when, where, how, and by whom evidence was seized



C. By documenting in a log the circumstances under which evidence was removed from the evidence control room



D. By documenting the circumstances under which evidence was subjected to analysis



E. All of the above

3.14. - E. The evidence steps described here are an important component in maintaining the chain of custody and hence the integrity of the evidence.

3.15. - It is always safe to pull the plug on a Windows 7 Enterprise operating system.



A. True
B. False

3.15. - B. In a business setting, anything is possible. A large business database could be hosted on a Windows 7 Enterprise operating system, as could a number of other critical applications, which include access control systems, critical process control software, life-support systems, life-safety alarm monitoring, and so forth.

3.16. - On a production Linux/Unix server, you must generally be which user to shut down the system?



A. sysadmin
B. administrator
C. root
D. system

3.16. - C. Generally, unless configured otherwise, you must be root to shut down a Linux/Unix system in a production environment. This prevents a typical user from stopping the system and halting mission-critical computing processes.

3.17. - When would it be acceptable to navigate through a live system?



A. To observe the operating system to determine the proper shutdown process



B. To document currently opened files (if Enterprise/FIM edition is not available)



C. To detect mounted encryption



D. To access virtual storage facility (if search warrant permits; some are very specific about physical location)


E. All of the above

3.17. - E. Certain information may not be retrievable after the system has been shut down. Given that, it is acceptable to access a system to retrieve information of evidentiary value as long as the actions are justified, documented, and explained.

3.18. - A console prompt that displayed backslashes (\) as part of its display would most likely be which of the following?



A. Red Hat Linux operating system



B. Unix operating system



C. Linux or Unix operating system logged in as root



D. MS-DOS

3.18. - D. Microsoft PC operating systems use backslashes (\) for the directory path structure, whereas Linux/Unix uses forward slashes (/) for the same purpose.

3.19. - When called to a large office complex with numerous networked machines, it is always a good idea to request the assistance of the network administrator.



A. True
B. False

3.19. - B. Although most of the time the network administrator knows much more about the computers than the responding examiner and may be of great help, requesting that person’s assistance may be detrimental to the investigation if the network administrator is the target of the investigation. As part of your preplanning, you must determine whether the administrator is part of the problem or part of the solution before you make such an approach.

3.20. - Subsequent to a search warrant where evidence is seized, what items should be left behind?



A. Copy of the affidavit
B. Copy of the search warrant
C. List of items seized
D. A and B
E. B and C

3.20. - E. Upon leaving the scene of a search, you should leave behind a copy of the signed search warrant and a list of items seized.

4.1. - When acquiring a hard drive using a Linux boot disk with LinEn, what would be the cause of EnCase (LinEn) not detecting partition information?



A. The drive has been FDisked and the partition(s) removed.



B. The partition(s) are not recognized by Linux.



C. Both A and B.



D. None of the above.

4.1. - C. When partitions have been removed or the partitions are not recognized by Linux, EnCase still recognizes the physical drive and acquires it as such.

4.2. - LinEn contains a write blocker that protects the target media from being altered.



A. True
B. False

4.2. - B. LinEn does not have a built-in write blocker. Rather, it relies upon Linux’s automount feature having been disabled.

4.3. - As a good forensic practice, why would it be a good idea to wipe a forensic drive before reusing it?



A. Chain-of-custody
B. Cross-contamination
C. Different file and operating systems
D. Chain of evidence
E. No need to wipe

4.3. - B. Although EnCase only examines the contents within the evidence files, it is still good forensic practice to wipe/sterilize each hard drive prior to reusing it to eliminate the argument of possible cross-contamination.

4.4. - If the number of sectors reported by EnCase does not match the number reported by the manufacturer for the drive, what should you do?



A. Suspect HPA.
B. Suspect DCO.
C. Use Tableau or FastBloc SE to access the sectors protected by HPA or DCO.
D. Boot with LinEn in Linux.
E. All of the above.

4.4. - E. You should suspect an HPA or a DCO. Booting with LinEn or using Tableau or FastBloc SE should enable you to see all sectors.

4.5. - When acquiring digital evidence, why shouldn’t the evidence be left unattended in an unsecured location?



A. Cross-contamination
B. Storage
C. Chain-of-custody
D. Not an issue

4.5. - C. Digital evidence must be treated like any other evidence, meaning a chain of custody must be established to account for everyone who has had access to the property.

4.6. - Which describes an HPA? (Choose all that apply.)



A. Stands for Host Protected Area
B. Is not normally seen by the BIOS
C. Is not normally seen through Direct ATA access
D. Was introduced in the ATA-6 specification

4.6. - A and B. HPA stands for Host Protected Area and is not normally seen by the BIOS. It was introduced in the ATA-4 specification, not ATA-6, and is seen when directly accessed via the Direct ATA mode.

4.7. - Which describes a DCO?



A. Was introduced in the ATA-6 specification.



B. Stands for Device Configuration Overlay.



C. Is not normally seen by the BIOS.



D. It may contain hidden data, which can be seen by switching to the Direct ATA mode in EnCase for DOS.



E. All of the above.

4.7. - E. All are correct statements with regard to DCO.

4.8. - At which user level must the examiner function when using LinEn?



A. Administrator
B. Admin
C. Root
D. Any user
E. None of the above

4.8. - C. LinEn runs on the Linux OS, and the user must be the root user to successfully work with LinEn.

4.9. - Reacquiring an image and adding compression will change the MD5 value of the acquisition hash.



A. True
B. False

4.9. - B. When reacquiring an image, the MD5 of the original data stream remains the same despite the compression applied.

4.10. - When reacquiring an image, you can change the name of the evidence.



A. True
B. False

4.10. - B. When reacquiring, you can change the compression, you can add or remove a password, you can change the file segment size, you can change the block and error granularity sizes, or you can change the start and stop sectors. Other properties can’t be changed.

4.11. - Which of the following should you do when creating a storage volume to hold an EnCase evidence file that will be created with LinEn? (Choose all that apply.)



A. Format the volume with the FAT file system.



B. Give the volume a unique label to identify it.



C. Wipe the volume before formatting to conform to best practices, and avoid claims of cross-contamination.



D. Create a directory to contain the evidence file.



E. Format the volume with the NTFS file system.



F. All of the above.

4.11. - F. All of the above are correct answers. Linux can read or write to both FAT and NTFS file systems.

4.12. - In Linux, what describes hdb2? (Choose all that apply.)



A. Refers to the primary master
B. Refers to the primary slave
C. Refers to hard drive number 2
D. Refers to the second partition
E. Refers to the secondary master

4.12. - B and D. Here, hdb2 refers to the second partition on the primary slave.

4.13. - In Linux, what describes sdb? (Choose all that apply.)



A. Refers to an IDE device
B. Refers to a SCSI device
C. Refers to a USB device
D. Refers to a FireWire device

4.13. - B, C, and D. Linux will name an IDE device, normally, with hda, hdb, hdc, or hdd, to denote their position on the ATA controller (primary master, primary slave, secondary master, secondary slave, respectively). sdb is the second SCSI device, and since Linux calls USB or FireWire devices SCSI devices, any of the three (B, C, or D) could be represented by sdb.

4.14. - When acquiring USB flash memory, you could write-protect it by doing what?





A. Engaging the write-protect switch, if equipped
B. Modifying the registry in Windows XP SP2 (or higher) to make USB read-only
C. Using ENBD/ENBCD USB DOS drivers and having EnCase for DOS “lock” the Flash media
D. Using LinEn in Linux with automount of file system disabled
E. Using FastBloc SE to write block USB, FireWire, SCSI drives
F. All of the above

4.14. - F. All are methods of write-protecting USB devices, some arguably better than others, but methods nevertheless.

4.15. - Which are true with regard to EnCase Portable? (Choose all that apply.)





A. Storage media must be prepared using the Portable Management tool before it can be used by EnCase Portable.
B. If booting using the EnCase Portable Boot CD to boot, the EnCase Portable dongle must also be connected so that the license can be accessed.
C. The EnCase Portable can triage and collect evidence in a forensically sound manner from live machines or to do so in a boot mode.
D. The EnCase Portable can be configured with custom tasks created by the examiner using the Portable Management tool.

4.15. - A, B, C, and D. All of these statements are true regarding EnCase Portable.

4.16. - LinEn can be run under both Windows and DOS operating systems.



A. True
B. False

4.16. - B. LinEn can’t be run under DOS and can’t be run under Windows. Rather, LinEn must be run under the Linux OS.

4.17. - When using LinEn, the level of support for USB, FireWire, and SCSI devices is determined by what?



A. The drivers built into LinEn
B. The drivers provided with the ENBCD
C. The distribution of Linux being used
D. A and B
E. None of the above

4.17. - C. The level of support for USB, FireWire, SCSI, and other devices is totally dependent on the Linux distribution being used to run LinEn. For the most support, try to use the latest Linux distribution available.

4.18. - How should CDs be acquired using EnCase?



A. DOS
B. Windows

4.18. - B. CDs can be safely acquired in the Windows environment.

4.19. - Select all that are true about EE and FIM.



A. They can acquire or preview a system live without shutting it down.
B. They can capture live system-state volatile data using the Snapshot feature.
C. With EE, the SAFE is on a separate PC, administered by the keymaster.
D. With FIM, the SAFE is on the examiner’s PC and the keymaster and the examiner are the same person.
E. FIM can be licensed to private individuals.

4.19. - A, B, C, and D. A FIM can be licensed only to law enforcement or military customers. All other statements are correct.

4.20. - Which of the following are true? (Choose all that apply.)



A. LinEn contains no write-blocking capability. Rather, write blocking is achieved by disabling the automount feature within the host Linux operating system.
B. LinEn contains its own onboard write-blocking drivers and therefore can be safely run on any version of Linux.
C. LinEn can format drives to both NTFS and FAT formats.
D. Before using a target drive onto which to write evidence files, LinEn must be used to unlock the target drive and render it writable.
E. LinEn can format drives to EXT2 or EXT3 format.

4.20. - A. Only A is correct. LinEn has no onboard drivers for write blocking, relying on the host OS to have its automount feature disabled. LinEn can’t format to any format because formatting is not included within the tool. EnCase for DOS contained an unlock feature by which the target drive was unlocked for writing. LinEn contains no such feature.

5.1. - The EnCase evidence file is best described as follows:



A. A mirror image of the source device written to a hard drive
B. A sector-by-sector image of the source device written to corresponding sectors of a secondary hard drive
C. A bitstream image of a source device written to the corresponding sectors of a secondary hard drive
D. A bitstream image of a source device written to a file or several file segments

5.1. - D. An EnCase evidence file is a bitstream image of a source device such as a hard drive, CD-ROM, or floppy disk written to a file (.Ex01) or several file segments (.Ex02, .Ex03, and so on).

5.2. - How does EnCase verify the contents of an evidence file, using the default settings?



A. EnCase writes an MD5 and/or SHA-1 hash value for every 32 sectors copied.
B. EnCase writes an MD5 and/or SHA-1 value for every 64 sectors copied.
C. EnCase writes a CRC value for every 32 sectors copied.
D. EnCase writes a CRC value for every 64 sectors copied.

5.2. - D. EnCase writes a CRC value for every 64 sectors copied, by default. If the block size has been increased, the CRC frequency will be adjusted accordingly.

5.3. - What is the smallest file size that an EnCase evidence file can be saved as?



A. 64 sectors
B. 512 sectors
C. 1 MB
D. 30 MB
E. 640 MB

5.3. - D. The smallest file size that an EnCase evidence file can be saved as is 30 MB.

5.4. - What is the largest file segment size that an EnCase evidence file can be saved as?



A. 640 MB
B. 1 GB
C. 2 GB
D. 8,796,093,018,112 MB
E. No maximum limit

5.4. - D. The largest file size that an EnCase evidence file can be saved as is now 8,589,934,588 GB with EnCase 7. Naturally the file system storing the file must support this file size.

5.5. - How does EnCase verify that the evidence file contains an exact copy of the source device?



A. By comparing the MD5 hash value (alternatively SHA-1 or both) of the source device to the MD5 hash value (alternatively SHA-1 or both) of the data stored in the evidence file
B. By comparing the CRC value of the source device to the CRC of the data stored in the evidence file
C. By comparing the MD5 hash value (alternatively SHA-1 or both) of the source device to the MD5 hash value (alternatively SHA-1 or both) of the entire evidence file
D. By comparing the CRC value of the source device to the CRC value of the entire evidence file

5.5. - A. EnCase compares the MD5 hash value (alternatively SHA-1 or both) of the source device to the MD5 hash value (alternatively SHA-1 or both) of just the data stored in the evidence file, not the entire contents of the evidence file, such as case information and CRC values of each data block.

5.6. - How does EnCase verify that the case information—such as case number, evidence number, notes, and so on—in an evidence file has not been damaged or altered after the evidence file has been written?



A. The case file writes a CRC value for the case information and verifies it when the case is opened.
B. EnCase does not verify the case information, because it can be changed at any time.
C. EnCase writes a CRC value for the case information and verifies the CRC value when the evidence is added to a case.
D. EnCase writes an MD5 value of the case information and verifies the MD5 value when the evidence is added to a case.

5.6. - C. EnCase calculates a CRC value for the case information, which is verified when the evidence file is added to a case.

5.7. - For an EnCase evidence file to successfully pass the file verification process, which of the following must be true?



A. The MD5 hash value (alternatively SHA-1 or both) must verify.
B. The CRC values and the MD5 hash value (alternatively SHA-1 or both) both must verify.
C. Either the CRC or MD5 hash values (alternatively SHA-1 or both) must verify.
D. The CRC values must verify.

5.7. - B. When an evidence file is added to a case, EnCase verifies both the CRC and MD5 hash values (alternatively SHA-1 or both). All acquisition values (CRCs and hashes) must match the recalculated verification values.

5.8. - The MD5 hash algorithm produces a _____ value.



A. 32-bit
B. 64-bit
C. 128-bit
D. 256-bit

5.8. - C. The MD5 hash algorithm produces a 128-bit value.

5.9. - Regarding the EnCase backup process (EnCase 7.04 and newer), which of the following are true?



A. The case file backup is stored with a .cbak extension.
B. By default, the backup frequency is every 30 minutes after completion of the previous backup.
C. The evidence cache and the case folder are backed up, except for EnCase evidence files and the Temp and Export folders.
D. All of the above are correct.
E. Only B and C are correct.

5.9. - E. Starting with EnCase 7.04, the backup process has been greatly enhanced and .cbak files are no longer used, making A no longer correct. Options B and C are true statements regarding the backup process.

5.10. - If an evidence file has been added to a case and completely verified, what happens if the data area within the evidence file is later altered?



A. EnCase will detect the error when that area of the evidence file is accessed by the user.
B. EnCase will detect the error only if the evidence file is manually reverified.
C. EnCase will allow the examiner to continue to access the rest of the evidence file that has not been changed, but will not allow access to the corrupted or changed block.
D. All of the above.

5.10. - B. EnCase will no longer (as of version 5) detect corrupted data on the fly. Therefore, EnCase will show and allow corrupted data to be searched, bookmarked, and so on.

Post-verification corruption, although rare, can occur, and therefore every case should be subjected to verification at the end of the case to assure no corruption has occurred.

5.11. - Which of the following aspects of the EnCase evidence file can be changed during a reacquisition of the evidence file?



A. Investigator’s name
B. Evidence number
C. Notes
D. Evidence file size
E. All of the above

5.11. - D. The evidence file size can be changed during a reacquire.

5.12. - An evidence file was archived onto five CD-ROMs with the third file segment on disc 3. Can the contents of the third file segment be verified by itself while still on the CD-ROM?



A. No. All evidence file segments must be put back together.
B. Yes. Any evidence file segment can be verified independently by comparing the CRC values.

5.12. - B. EnCase can verify independent evidence file segments by comparing the CRC values of the data blocks. This function is accessed from the Tools menu and is called Verify Evidence Files.

5.13. - Will EnCase allow a user to write data into an acquired evidence file?



A. Yes, when adding notes or comments to bookmarks.
B. Yes, when adding search results.
C. A and B.
D. No, data cannot be added to the evidence file after the acquisition is made.

5.13. - D. EnCase does not write to the evidence file after the acquisition is complete.

5.14. - All investigators using EnCase should run tests on the evidence file acquisition and verification process to do which of the following?



A. To further the investigator’s understanding of the evidence file
B. To give more weight to the investigator’s testimony in court
C. To verify that all hardware and software is functioning properly
D. All of the above

5.14. - D. As with any forensic tool, the investigator should test the tools to better understand how the tool performs and to verify that it is functioning properly.

5.15. - When a noncompressed evidence file is reacquired with compression, the acquisition and verification hash values for the evidence file will remain the same for both files.



A. True
B. False

5.15. - A. Compressing an evidence file does not change its MD5 and/or SHA-1 hash value(s).

5.16. - The Ex01 evidence file format consists of three parts, which are the Ev2 Header, Data, and CRC record block.



A. True
B. False

5.16. - B. The three parts are the Ev2 Header, Data, and Link Record. There is no such part called CRC record.

5.17. - The EnCase evidence file’s logical filename can be changed without affecting the verification of the acquired evidence.



A. True
B. False

5.17. - A. An EnCase evidence file’s logical filename can be renamed without affecting the verification of the acquired evidence.

5.18. - An evidence file can be moved to another directory without changing the file verification.



A. True
B. False

5.18. - A. EnCase evidence files can be moved without affecting the file verification.

5.19. - What happens when EnCase attempts to reopen a case once the evidence file has been moved?



A. EnCase reports that the file’s integrity has been compromised and renders the file useless.
B. EnCase reports a different hash value for the evidence file.
C. EnCase prompts for the location of the evidence file.
D. EnCase opens the case, excluding the moved evidence file.

5.19. - C. When an evidence file has moved from the previous path, EnCase will prompt for the new location of the evidence file.

5.20. - During reacquisition, you can change which of the following? (Choose all that apply.)



A. Block size and error granularity
B. Add or remove a password
C. Investigator’s name
D. Compression
E. File segment size

5.20. - A, B, D, and E. All may be changed during reacquisition with the exception of the investigator’s name.

6.1. - In the EnCase Windows environment, must an examiner first create a new case before adding a device to examine?



A. Yes
B. No

6.1. - A. You must first create a new case before the Add Device option is available.

6.2. - When EnCase 7 is used to create a new case, which files are created automatically in the case folder under the folder bearing the name of the case?



A. Evidence, Export, Temp, and Index folders
B. Export, Temp, and Index folders
C. Email, Export, Tags, and Temp
D. Evidence, Email, Tags, and Temp

6.2. - C. EnCase 7 creates Email, Export, Tags, and Temp. The Evidence folder would have to be created manually by the user if the user opted to place it in this location.

6.3. - From the EnCase 7 Home screen, which of the following cannot be carried out?



A. Opening a case
B. Creating a new case
C. Opening options
D. Generating an encryption key
E. None of the above

6.3. - E. A, B, C, and D can all be carried out from the Home screen.

6.4. - When creating a new case, the Case Options dialog box prompts for which of the following?



A. Name (case name)
B. Examiner name
C. Base case folder path
D. Primary evidence cache path
E. All of the above

6.4. - E. The Case Options dialog box asks for all the options listed when a new case is created.

6.5. - What determines the action that will result when a user double-clicks a file within EnCase?



A. The settings in the TEXTSTYLES.INI file
B. The settings in the FILETYPES.INI file
C. The settings in the FILESIGNATURES.INI file
D. The settings in the VIEWERS.INI file

6.5. - B. The data in the File Types database (stored in the FILETYPES.INI file) determines which file types will be opened by which viewers upon double-clicking or opening the file.

6.6. - In the EnCase environment, the term external viewers is best described as which of the following?



A. Internal programs that are copied out of an evidence file
B. External programs loaded in the evidence file to open specific file types
C. External programs that are associated with EnCase to open specific file types
D. External viewers used to open a file that has been copied out of an evidence file

6.6. - C. External viewers are programs that EnCase uses to open specific file types and are configured by the user.

6.7. - Where is the list of external viewers kept within EnCase?



A. The settings in the TEXTSTYLES.INI file
B. The settings in the FILETYPES.INI file
C. The settings in the EXTERNALVIEWERS.CFG file
D. The settings in the VIEWERS.INI file

6.7. - D. The VIEWERS.INI file stores information on external programs that EnCase uses to open specific file types.

6.8. - When EnCase sends a file to an external viewer, to which folder does it send the file?



A. Scratch
B. Export
C. Temp
D. None of the above

6.8. - C. When EnCase sends a file to an external viewer, the file is placed in the temp folder.

6.9. - How is the Disk view launched?



A. By simply switching to the Disk view tab on the Table pane
B. By launching it from the Device menu
C. By right-clicking the device and choosing Open With Disk Viewer
D. None of the above

6.9. - B. It is launched as an option from the Device menu.

6.10. - Which of the following is true about the Gallery view?



A. Files that are determined to be images by their file extension will be displayed.
B. Files that are determined to be images based on file signature analysis will be displayed after the EnCase evidence processor has been run.
C. Files displayed in the Gallery view are determined by where you place the focus in the Tree pane or where you activate the Set-Included Folders feature.
D. All of the above.

6.10. - D. All are true regarding the Gallery view.

6.11. - True or false? The right-side menu is a collection of the menus and tools found on its toolbar.



A. True
B. False

6.11. - A. The right-side menu is a collection of the menus and tools found on the toolbar to its left. It is akin to the content formerly found on the right-click mouse button.

6.12. - True or false? The results of conditions and filters are seen immediately in the Table pane of the Evidence tab Entries view.



A. True
B. False

6.12. - B. When a filter or condition is run, the results are shown in the Results view or tab.

6.13. - How do you access the setting to adjust how often a backup file (.cbak) is saved?



A. Select Tools → Options → Case Options.
B. Select View → Options → Case Options.
C. Select Tools → Options → Global.
D. Select View → Options → Global.

6.13. - C. To adjust the number of minutes between backup file saves, select Tools in the menu bar, select Options, and then change the time in the Auto Save Minutes box on the Global tab of the resulting dialog box.

6.14. - What is the maximum number of columns that can be sorted simultaneously in the Table view tab?



A. Two
B. Three
C. Six
D. 28 (maximum number of tabs)

6.14. - C. EnCase allows the user to sort up to six columns in the Table view tab.

6.15. - How would a user reverse-sort on a column in the Table view?



A. Hold down the Ctrl key, and double-click the selected column header.
B. Right-click the selected column, select Sort, and select either Sort Ascending or Sort Descending.
C. Both A and B.

6.15. - C. The user can use either method to reverse-sort on a column.

6.16. - How can you hide a column in the Table view?



A. Place the cursor on the selected column, and press Ctrl+H.
B. Place cursor on the selected column, open Columns menu on the toolbar, and select Hide.
C. Place cursor on the selected column, open the right-side menu, open the Columns submenu, and select Hide.
D. Open the right-side menu, open the Columns submenu, select Show Columns, and uncheck the desired fields to be hidden.
E. All of the above.

6.16. - E. All four methods will hide selected columns from the Table view.

6.17. - What does the Gallery view tab use to determine graphics files?



A. Header or file signature
B. File extension
C. Filename
D. File size

6.17. - B. The Gallery view displays images based on the File Category – Picture setting, which is determined by file extensions until such time that a file signature analysis is run.

6.18. - Will the EnCase Gallery view display a .jpeg file if its file extension was renamed to .txt?



A. No, because EnCase will treat it as a text file
B. Yes, because the Gallery view looks at a file’s header information and not the file extension
C. Yes, but only if a signature analysis is performed to correct the File Category to Picture based on its file header information
D. Yes, but only after a hash analysis is performed to determine the file’s true identity

6.18. - C. When a signature analysis is performed, EnCase will update or correct the file category to Picture, in this particular case, based on the information contained in the file header.

6.19. - How would a user change the default colors and text fonts within EnCase?



A. The user cannot change the default colors and fonts settings.
B. The user can change the default colors and fonts settings by right-clicking the selected items and scrolling down to Change Colors and Fonts.
C. The user can change the default colors and fonts settings by clicking the View tab on the menu bar and selecting the Colors tab or Fonts tab.
D. The user can change default colors and fonts settings by clicking the Tools tab on the menu bar, selecting Options, and selecting the Colors tab or Fonts tab.

6.19. - D. A user can change the way colors and fonts appear by selecting the Tools tab and then clicking Options to change colors and fonts.

6.20. - An EnCase user will always know the exact location of the selected data in the evidence file by looking at which of the following?



A. Navigation Data on status bar
B. Dixon box
C. Disk view
D. Hex view

6.20. - A. Navigation Data (also called the GPS bar in the field) displays the selected data’s exact location, including the full path, physical sector, logical sector number, cluster number, sector offset, and file offset.

7.1. - Computers use a numbering system with only two digits, 0 and 1. This system is referred to as which of the following?



A. Hexadecimal
B. ASCII
C. Binary
D. FAT

7.1. - C. Binary is a numbering system consisting of 0 and 1 used by computers to process information.

7.2. - A bit can have a binary value of which of the following?



A. 0 or 1
B. 0–9
C. 0–9 and A–F
D. On or Off

7.2. - A. Bi refers to two; therefore, a bit can have only two values, 0 or 1.

7.3. - A byte consists of ___ bits.



A. 2
B. 4
C. 8
D. 16

7.3. - C. A byte consists of 8 bits or two 4-bit nibbles, commonly referred to as the left nibble and right nibble.

7.4. - If 1 bit can have two unique possibilities, 2 bits can have four unique possibilities, and 3 bits can have eight unique possibilities. This is known as the power of 2. How many unique possibilities are there in 8 bits (2^8)?



A. 16
B. 64
C. 128
D. 256

7.4. - D. 2^8 is 2 × 2 eight times, or 2 × 2 × 2 × 2 × 2 × 2 × 2 × 2 = 256.

7.5. - When the letter A is represented as 41h, it is displayed in which of the following?



A. Hexadecimal
B. ASCII
C. Binary
D. Decimal

7.5. - A. Values expressed with the letter h as a suffix are hexadecimal characters. EnCase can display the letter A in text or hexadecimal formats.

7.6. - What is the decimal integer value for the binary code 0000-1001?



A. 7
B. 9
C. 11
D. 1001

7.6. - B. Starting from the right, the bits are “on” for bit positions 1 and 8, which totals 9.

7.7. - Select all of the following that depict a Dword value.



A. 0000 0001
B. 0001
C. FF 00 10 AF
D. 0000 0000 0000 0000 0000 0000 0000 0001

7.7. - C and D. A Dword is a 32-bit value. A is incorrect because it depicts 8 binary bits or one byte. B is incorrect because it depicts 4 binary bits or one nibble. C is correct because it represents four hexadecimal values with each being 8 bits (4 × 8 = 32 bits). D is correct because it represents 32 binary bits.

7.8. - How many characters can be addressed by the 7-bit ASCII character table? 16-bit Unicode?



A. 64 and 256
B. 128 and 256
C. 64 and 65,536
D. 128 and 65,536

7.8. - D. 2^7 is 2 × 2 seven times or 2 × 2 × 2 × 2 × 2 × 2 × 2 = 128, while 2^16 is 2 × 2 sixteen times = 65,536.

7.9. - Which of the following are untrue with regard to the EnCase Evidence Processor?



A. A device must be acquired first before processing or be acquired as a requisite first step within the EnCase Evidence Processor.
B. A live device can be subjected to normal processing by the EnCase Evidence Processor and does not have to be acquired first.
C. Items marked with red flags denote items that are not applicable to the file system being processed.
D. Items marked with red flags denote items that must be run during the first or initial run of the EnCase Evidence Processor and can’t be run in any subsequent run thereafter.
E. A raw keyword search can be conducted during processing by the EnCase Evidence Processor.

7.9. - C. A device must be an image or be acquired first by the EnCase Evidence Processor. Live devices can be subjected to direct processing by the EnCase Evidence Processor. Red flags denote items that must be run during the first run of the processor. If you don’t run them then, you can’t run them later. It’s now or never, so to speak.

7.10. - When performing a keyword search in Windows, EnCase searches which of the following?



A. The logical files
B. The physical disk in unallocated clusters and other unused disk areas
C. Both A and B
D. None of the above

7.10. - C. EnCase performs a search not only of logical files but of the entire disk to include unallocated clusters and unused disk areas outside the logical partition.

7.11. - By default, search terms are case sensitive.



A. True
B. False

7.11. - B. By default, the Case Sensitive option is not selected; therefore, search terms are not case sensitive unless you select that option.

7.12. - By selecting the Unicode box for a raw search, EnCase searches for both ASCII and Unicode formats.



A. True
B. False

7.12. - A. By selecting the Unicode box, EnCase will search for both ASCII and Unicode formats.

7.13. - With regard to a search using EnCase in the Windows environment, can EnCase find a word or phrase that is fragmented or spans in noncontiguous clusters?



A. No, because the letters are located in noncontiguous clusters.
B. No, EnCase performs a physical search only.
C. No, unless the File Slack option is deselected in the dialog box before the search.
D. Yes, EnCase performs both physical and logical searches.

7.13. - D. EnCase can perform both physical searches as well as logical searches for keyword(s) that span noncontiguous clusters.

7.14. - Which of the following would be a raw search hit for the His keyword?



A. this
B. His
C. history
D. Bill_Chisholm@gmail.com
E. All of the above

7.14. - E. Since the entry allows for characters to precede and follow the keyword and the default setting does not have the Case Sensitive option enabled, all the selections apply.

7.15. - Which of the following would be a search hit for the following GREP expression?
[^a-z]Liz[^a-z]



A. Elizabeth
B. Lizzy
C. Liz1
D. None of the above

7.15. - C. The GREP symbol ^ means to exclude the following characters. So, the GREP expression in the question excludes the alpha characters (a through z) before and after the keyword but will find nonalpha characters such as numbers.

7.16. - Which of the following would be a search hit for the following GREP expression?
[\x00-\x07]\x00\x00\x00…



A. 00 00 00 01 A0 EE F1
B. 06 00 00 00 A0 EE F1
C. 0A 00 00 00 A0 EE F1
D. 08 00 00 00 A0 EE F1

7.16. - B. The GREP expression in the question permits a hexadecimal range from 00 through 07 followed by hexadecimal values 00 00 00 and any other characters.

7.17. - Which of the following would be a search hit for the following index search expression?
Saddam npre/3 Hussein



A. Saddam Alfonso Adolph Cano Hitler Hussein
B. saddam alfonso adolph cano hitler hussein
C. Saddam Alfonso Hussein Adolph Cano Hitler
D. saddam alfonso hussein adolph cano hitler
E. Hussein Hitler Cano Adolph Alfonso Saddam
F. None of the above

7.17. - A. This index search expression calls first for a case-sensitive search, because of the . The npre/3 means at least three words apart and Saddam must precede Hussein. Only A meets this query.

7.18. - Which of the following will not be a search hit for the following GREP expression?
[^#]123[ \-]45[ \-]6789[^#]



A. A1234567890
B. A123 45-6789
C. A123-45-6789
D. A123 45 6789

7.18. - A. The GREP expression [^#] means that it cannot be a number, meaning the first character and last character following the 9 can’t be numbers. Therefore, A will not return as a search hit because the number 0 follows the number 9.

7.19. - A sweep or highlight of a specific range of text is referred to as which of the following?



A. Table view bookmark
B. Single item bookmark
C. Highlighted data bookmark
D. Notable file bookmark
E. Notes bookmark

7.19. - C. The highlighted data bookmark is a sweep or highlight of a specific text fragment.

7.20. - Which of the following is not correct regarding EnCase 7 index searches?



A. Before searching, the index must first be created using the Create Index EnScript.
B. Before searching, the index must first be created using the EnCase Evidence Processor.
C. All queries are case insensitive regardless of any switches or settings, because that is the nature of all indexed searches.
D. By default, queries are case insensitive but can be configured to be case sensitive.
E. A query for any word in the noise file will not return any items as all words in the noise file are ignored and excluded from the index.

7.20. - A and C. An index is required first before searching but is created by the EnCase Evidence Processor and not by an EnScript named Create Index. Queries are case insensitive, by default, but do have the ability to be case sensitive if preceded by .

8.1. - When running a signature analysis, EnCase will do which of the following?



A. Compare a file’s header to its hash value.
B. Compare a file’s header to its file signature.
C. Compare a file’s hash value to its file extension.
D. Compare a file’s header to its file extension.

8.1. - D. A signature analysis will compare a file’s header or signature to its file extension.

8.2. - A file header is which of the following?



A. A unique set of characters at the beginning of a file that identifies the file type.
B. A unique set of characters following the filename that identifies the file type.
C. A 128-bit value that is unique to a specific file based on its data.
D. Synonymous with file extension.

8.2. - A. A file header identifies the type of file and is located at the beginning of the file’s data area.

8.3. - The Windows operating system uses a filename’s ______________ to associate files with the proper applications.



A. signature
B. MD5 hash value
C. extension
D. metadata

8.3. - C. The Windows operating system uses a file’s extension to associate the file with the proper application.

8.4. - Unix (including Linux) operating systems use a file’s ______________ to associate file types to specific applications.



A. metadata
B. header
C. extension
D. hash value

8.4. - B. Unix (including Linux) operating systems use a file’s header information to associate file types to specific applications.

8.5. - The Mac OS X operating system uses which of the following file information to associate a file to a specific application?



A. The “user defined” setting
B. Filename extension
C. Metadata (creator code)
D. All of the above

8.5. - D. When determining which application to use to open a file, Mac OS X gives first precedence to “user defined” settings, second precedence to creator code metadata, and third precedence to filename extensions. If none of these are present, other rules come into play.

8.6. - Information regarding a file’s header information and extension is saved by EnCase 7 in the _______________ file.



A. FileTypes.ini
B. FileExtensions.ini
C. FileInformation.ini
D. FileHeader.ini

8.6. - A. Information about a file’s header and extension is saved in the FileTypes.ini file.

8.7. - When a file’s signature is unknown and a valid file extension exists, EnCase will display the following result after a signature analysis is performed.



A. Alias (Signature Mismatch)
B. Bad Signature
C. Unknown
D. Match

8.7. - B. When a file’s signature is unknown and a valid extension is present, EnCase will display the status as being Bad Signature.

8.8. - When a file’s signature is known and the file extension does not match, EnCase will display the following result after a signature analysis is performed.



A. Alias (Signature Mismatch)
B. Bad Signature
C. Unknown
D. Match

8.8. - A. When a file’s signature is known and an inaccurate file extension is present, EnCase reports Alias in the Signature Analysis column, displays the true signature in the Signature column, and may update the Category column.

8.9. - When a file’s signature is known and the file extension matches, EnCase will display the following result after a signature analysis is performed.



A. Alias (Signature Mismatch)
B. Bad Signature
C. Unknown
D. Match

8.9. - D. When a file’s signature is known and an accurate file extension is present, EnCase will display the result as a Match.

8.10. - When a file’s signature and extension are not recognized, EnCase will display the following result after a signature analysis is performed.



A. Alias (Signature Mismatch)
B. Bad Signature
C. Unknown
D. Match

8.10. - C. When a file’s signature and extension are not recognized, EnCase will display the result as Unknown.

8.11. - Can a file with a unique header share multiple file extensions?



A. Yes
B. No

8.11. - A. A unique file header can share multiple file extensions. An example of such a case is a JPEG image, which may carry either the .jpg or the .jpeg extension while sharing the same file header, \xFF\xD8\xFF[\xFE\xE0\xE1] (written here in EnCase GREP syntax).
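The four signature-analysis outcomes from 8.7 through 8.10 (Match, Alias, Bad Signature, Unknown) and the shared JPEG header from 8.11 can be reproduced with a small classifier. This is an added illustration, not EnCase code; the signature table, the extension list and the sample "files" are constructed for the example, and a real file-type table (EnCase keeps its own in FileTypes.ini) is far larger.

```python
"""EnCase-style signature analysis (added illustration, not EnCase code)."""
import re

# Constructed table: regex over the leading bytes -> (type name, accepted extensions).
# The JPEG pattern is the flashcard's GREP expression; in a raw bytes regex the
# \xHH escapes are interpreted by the re module.
SIGNATURES = [
    (re.compile(rb"\xFF\xD8\xFF[\xFE\xE0\xE1]"), "JPEG image", {"jpg", "jpeg"}),
    (re.compile(rb"\x89PNG\r\n\x1A\n"), "PNG image", {"png"}),
    (re.compile(rb"PK\x03\x04"), "ZIP archive", {"zip", "docx", "xlsx"}),
    (re.compile(rb"%PDF-"), "PDF document", {"pdf"}),
    (re.compile(rb"MZ"), "Windows executable", {"exe", "dll", "sys"}),
]

# Any extension that appears somewhere in the table counts as a "valid" extension.
KNOWN_EXTENSIONS = set().union(*(exts for _, _, exts in SIGNATURES))


def extension_of(name):
    """Lowercase filename extension without the dot, or '' if the name has none."""
    base = name.rsplit("/", 1)[-1]
    return base.rsplit(".", 1)[1].lower() if "." in base else ""


def signature_analysis(name, data):
    """Return (status, detected type or None) using EnCase's four outcomes."""
    ext = extension_of(name)
    for pattern, type_name, exts in SIGNATURES:
        if pattern.match(data):              # header is known
            if ext in exts:
                return "Match", type_name    # header and extension agree
            return "Alias", type_name        # header known, extension wrong or missing
    # header is not known
    if ext in KNOWN_EXTENSIONS:
        return "Bad Signature", None         # valid extension but unrecognised header
    return "Unknown", None                   # neither header nor extension recognised


# Constructed sample "files": only the leading bytes matter for the analysis.
SAMPLES = {
    "holiday.jpg":  b"\xFF\xD8\xFF\xE0\x00\x10JFIF\x00",
    "holiday.jpeg": b"\xFF\xD8\xFF\xE1\x00\x18Exif\x00",  # same header, other extension
    "notes.txt":    b"\xFF\xD8\xFF\xE0\x00\x10JFIF\x00",  # picture renamed to hide it
    "report.pdf":   b"This is not really a PDF\n",         # valid extension, wrong header
    "blob.xyz":     b"\x00\x01\x02\x03random bytes",        # nothing recognised
}


def analyse_all(samples=SAMPLES):
    """Run the analysis over every sample; returns {name: (status, type)}."""
    return {name: signature_analysis(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, (status, kind) in analyse_all().items():
        print(f"{name:14s} {status:14s} {kind or ''}")
```

The renamed picture (notes.txt) is the case an examiner cares about: the extension lies, the header does not, so it is reported as an Alias with its true type.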

8.12. - A user can manually add new file headers and extensions by doing which of the following?



A. Manually inputting the data in the FileSignatures.ini file



B. Right-clicking the file and choosing Add File Signature



C. Choosing the File Types view, right-clicking, and selecting New in the appropriate folder



D. Adding a new file header and extension and then choosing Create Hash Set

8.12. - C. A user can manually add new file headers and extensions by accessing the File Types view and creating a new entry, with new header and extension.

8.13. - Select the correct answer that completes the following statement: An MD5 hash _________________.



A. is a 128-bit value
B. has odds of one in 2^128 that two dissimilar files will share the same value
C. is not determined by the filename
D. All of the above

8.13. - D. An MD5 hash is a 128-bit value, and the odds that two different files chosen at random share the same value are one in 2^128. A file's MD5 hash is computed over the file's data area, not its filename, which resides outside the data area. Those odds describe accidental collisions only; MD5 collisions can be constructed deliberately, which is why a practitioner records a second, stronger hash (SHA-256 where the tool supports it) alongside MD5.

8.14. - EnCase can create a hash value for the following.



A. Physical devices
B. Logical volumes
C. Files or groups of files
D. All of the above

8.14. - D. EnCase can calculate hash values for any of the options listed.

8.15. - With EnCase 7, how many hash libraries can be applied at one time to any case?



A. One
B. Two
C. Three
D. No limit to the number that can be applied

8.15. - B. EnCase 7 allows two hash libraries to be applied to a case at any given time.

8.16. - Will changing a file’s name affect the file’s MD5 or SHA1 hash value?



A. Yes
B. No

8.16. - B. Merely changing a file’s name will not affect its MD5 or SHA1 hash value because the hash value is based on the file’s data, not its filename.

8.17. - Usually a hash value found in a hash set named Windows 7 would be reported in the Hash Category column as which of the following?



A. Known
B. Notable
C. Evidentiary
D. Nonevidentiary

8.17. - A. These hash sets have been produced from known safe sources and are categorized as Known. In most cases, they are nonevidentiary and can be ignored when conducting searches and other analyses.

8.18. - With regard to hash categories, evidentiary files or files of interest are categorized as which of the following?



A. Known
B. Notable
C. Evidentiary
D. Nonevidentiary

8.18. - B. Evidentiary files or files of interest are usually categorized as Notable.

8.19. - An MD5 or SHA1 hash of a specific media generated by EnCase will yield the same hash value as an independent third-party MD5 or SHA1 hashing utility.



A. True
B. False

8.19. - A. Regardless of the utility used, the hash value will be the same, because MD5 and SHA1 are standard, publicly specified algorithms applied to the same input bytes. If two tools disagree, they hashed different data (for example, a different byte range of the media), not the same data differently.

8.20. - A hash _______ is comprised of hash _______ , which is comprised of hash _______.



A. set(s), library(ies), value(s)
B. value(s), sets(s), library(ies)
C. library(ies), set(s), value(s)
D. set(s), values(s), library(ies)

8.20. - C. A hash library is comprised of hash sets, which are comprised of hash values.
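Cards 8.13 through 8.20 describe how hash values behave and how a hash library is organised. The following added example (not EnCase code) hashes a file with the Python standard library, renames it to show the digests do not change, and then looks the result up in a constructed hash library made of hash sets, each carrying a Known or Notable category; the sample file contents, set names and the contraband set are all invented for the example.

```python
"""Hash values, hash sets and a hash library (added illustration, not EnCase code)."""
import hashlib
import os
import tempfile


def hash_file(path, algorithms=("md5", "sha1"), chunk_size=1 << 20):
    """Return {algorithm: hexdigest} computed over the file's data, read in chunks."""
    hashers = {alg: hashlib.new(alg) for alg in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {alg: h.hexdigest() for alg, h in hashers.items()}


def hash_library_lookup(library, md5):
    """A library is a list of hash sets; each set has a name, a category and values."""
    for hash_set in library:
        if md5 in hash_set["values"]:
            return hash_set["name"], hash_set["category"]
    return None


# Constructed hash library: one set from a known OS build (Known), one of files
# of interest for the case (Notable). The digests are standard MD5 test values.
EMPTY_FILE_MD5 = "d41d8cd98f00b204e9800998ecf8427e"   # MD5 of zero bytes
LIBRARY = [
    {"name": "Windows 7", "category": "Known",
     "values": {EMPTY_FILE_MD5, "0cc175b9c0f1b6a831c399e269772661"}},  # md5(b"a")
    {"name": "Case contraband", "category": "Notable",
     "values": {"9e107d9d372bb6826bd81d3542a419d6"}},  # md5 of the fox sentence below
]


def demo():
    """Hash a file, rename it, hash it again, then categorise two files via the library."""
    with tempfile.TemporaryDirectory() as tmp:
        original = os.path.join(tmp, "suspect.dat")
        with open(original, "wb") as fh:
            fh.write(b"The quick brown fox jumps over the lazy dog")
        before = hash_file(original)
        renamed = os.path.join(tmp, "innocent.txt")
        os.rename(original, renamed)        # the name changes, the data area does not
        after = hash_file(renamed)
        empty = os.path.join(tmp, "empty.bin")
        open(empty, "wb").close()
        return {
            "before": before,
            "after": after,
            "unchanged": before == after,
            "suspect_category": hash_library_lookup(LIBRARY, after["md5"]),
            "empty_category": hash_library_lookup(LIBRARY, hash_file(empty)["md5"]),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Because hashlib implements the same published algorithms as any forensic tool, the MD5 and SHA1 values here can be checked against EnCase or a command-line md5sum on the same bytes.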

9.1. - An operating system artifact can be defined as which of the following?



A. Information specific to a user’s preference



B. Information about the computer’s general settings



C. Information stored about a user’s activities on the computer



D. Information used to simplify a user’s experience



E. All of the above

9.1. - E. Operating system artifacts serve as information used by the computer to fulfill certain user- and system-specific requirements and needs.

9.2. - A FAT file system stores date and time stamps in _______ , whereas the NTFS file system stores date and time stamps in _______ .



A. DOS directory, local time
B. Zulu time, GMT
C. Local time, GMT
D. SYSTEM.DAT, NTUSER.DAT

9.2. - C. A FAT file system stores date and time stamps in local time with no record of the time zone, while the NTFS file system stores them as 64-bit FILETIME values in GMT (UTC); in both cases the examiner needs the machine's time zone settings to display the values consistently.

9.3. - Where does Windows store the time zone offset?



A. BIOS
B. Registry
C. INFO2 file
D. DOS directory or MFT

9.3. - B. Windows stores the time zone offset in the registry, under HKLM\SYSTEM\CurrentControlSet\Control\TimeZoneInformation; its ActiveTimeBias value is the number of minutes to add to local time to reach UTC.
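Cards 9.2 and 9.3 together describe the conversion an examiner performs constantly: unpack a FAT local-time stamp, decode an NTFS FILETIME, and apply the registry's ActiveTimeBias. The example below is added here and is not EnCase code; the FAT words, the FILETIME and the bias of 300 minutes (US Eastern Standard Time) are constructed sample values.

```python
"""Decoding FAT and NTFS timestamps (added illustration, not EnCase code)."""
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
UNIX_EPOCH_FILETIME = 116444736000000000   # well-known FILETIME of 1970-01-01 00:00:00 UTC


def decode_fat_datetime(date_word, time_word):
    """Unpack FAT's 16-bit date and time words; the result is naive local time."""
    year = 1980 + (date_word >> 9)           # 7 bits: years since 1980
    month = (date_word >> 5) & 0x0F          # 4 bits
    day = date_word & 0x1F                   # 5 bits
    hour = time_word >> 11                   # 5 bits
    minute = (time_word >> 5) & 0x3F         # 6 bits
    second = (time_word & 0x1F) * 2          # 5 bits, 2-second resolution
    return datetime(year, month, day, hour, minute, second)


def decode_filetime(value):
    """FILETIME = 100 ns ticks since 1601-01-01 UTC -> aware UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=value // 10)


def encode_filetime(dt):
    """Inverse of decode_filetime (integer arithmetic, no float rounding)."""
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def filetime_to_local(value, active_time_bias_minutes):
    """Display an NTFS time in the machine's local zone: local = UTC - ActiveTimeBias."""
    local_tz = timezone(timedelta(minutes=-active_time_bias_minutes))
    return decode_filetime(value).astimezone(local_tz)


def fat_local_to_utc(date_word, time_word, active_time_bias_minutes):
    """FAT carries no zone, so the examiner supplies the bias to normalise it to UTC."""
    local_tz = timezone(timedelta(minutes=-active_time_bias_minutes))
    naive = decode_fat_datetime(date_word, time_word)
    return naive.replace(tzinfo=local_tz).astimezone(timezone.utc)


# Constructed samples: the same instant, 2011-01-15 14:30:10 Eastern Standard Time
# (ActiveTimeBias = 300), as FAT stores it (local) and as NTFS stores it (UTC).
SAMPLE_FAT_DATE = 0x3E2F      # year 31 (2011), month 1, day 15
SAMPLE_FAT_TIME = 0x73C5      # 14 h, 30 min, 5 * 2 s
SAMPLE_BIAS = 300
SAMPLE_FILETIME = encode_filetime(datetime(2011, 1, 15, 19, 30, 10, tzinfo=timezone.utc))

if __name__ == "__main__":
    print("FAT (local):      ", decode_fat_datetime(SAMPLE_FAT_DATE, SAMPLE_FAT_TIME))
    print("FAT -> UTC:       ", fat_local_to_utc(SAMPLE_FAT_DATE, SAMPLE_FAT_TIME, SAMPLE_BIAS))
    print("NTFS (UTC):       ", decode_filetime(SAMPLE_FILETIME))
    print("NTFS -> local:    ", filetime_to_local(SAMPLE_FILETIME, SAMPLE_BIAS))
```

The FAT value and the NTFS value describe one moment yet differ by five hours on disk; applying the registry bias in the right direction is what makes the two file systems' timelines agree.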

9.4. - In Windows 7, the date and time of when a file was sent to the Recycle Bin can be found where?



A. INFO2 file
B. Original filename’s last access date
C. DOS directory or MFT
D. $I index file

9.4. - D. If it is a Windows Vista (or beyond) Recycle Bin, the date and time when the file was deleted is saved in the $I index file that corresponds with the deleted file. If it is a pre-Vista operating system, when a file is sent to the Recycle Bin, the date and time of when the file was deleted is saved in the INFO2 file.

9.5. - When a text file is sent to a pre–Windows Vista Recycle Bin, Windows changes the short filename of the deleted file to DC0.txt in the Recycle Bin. Select the best choice that explains the deleted filename.



A. D=DOS, C=character, 0=index number, file extension remains the same



B. D=DOS, C=drive letter, 0=index number, file extension remains the same



C. D=deleted, C=character, 0=index number, file extension remains the same



D. D=deleted, C=drive letter, 0=index number, file extension remains the same

9.5. - D. When a file is sent to the Recycle Bin, Windows changes the short filename to D for Deleted, followed by the drive letter and the index number. The file extension for the deleted file remains the same.

9.6. - When a document is opened, a link file bearing the document’s filename is created in the ____________ folder.



A. Shortcut
B. Recent
C. Temp
D. History

9.6. - B. When a user opens a document, a link file bearing the document’s filename is created in the Recent folder.

9.7. - Link files are shortcuts or pointers to actual items. These actual items can be what?



A. Programs
B. Documents
C. Folders
D. Devices
E. All of the above

9.7. - E. Link files are shortcuts to a variety of items such as programs, documents, folders, and devices such as removable media.

9.8. - In NTFS, information unique to a specific user is stored in the ____________ file.



A. USER.DAT
B. NTUSER.DAT
C. SYSTEM.DAT
D. None of the above

9.8. - B. On Windows NT-based systems (and therefore on NTFS volumes), information unique to a specific user is stored in the NTUSER.DAT registry hive in that user's profile folder.

9.9. - In Windows XP, Windows Vista, or Window 7, by default, how many recently opened documents are displayed in the My Recent Documents or Recent Items folder?



A. 4
B. 12
C. 15
D. Unlimited

9.9. - C. By default, the My Recent Documents folder displays 15 recently opened documents; however, the actual folder may contain hundreds more.

9.10. - Most of a user’s desktop items on a Windows 7 operating system would be located in the ________________________ directory.



A. C:\WINDOWS\Desktop
B. C:\WinNT\Desktop
C. C:\WINDOWS\System32\config\Desktop
D. C:\Users\%User%\Desktop

9.10. - D. A specific user’s desktop items are located in the path C:\Users\%User%\Desktop in a Windows 7 operating system.

9.11. - Because this file will hold the contents of RAM when the machine is powered off, the ____________ file will be the approximate size of the system RAM and will be in the root directory.



A. hiberfil.sys
B. WIN386.SWP
C. PAGEFILE.SYS
D. NTUSER.DAT

9.11. - A. When the system hibernates, the contents of RAM are written to hiberfil.sys, which is approximately the size of installed RAM (Windows 7 defaults it to 75 percent of RAM) and is located in the root of the system drive.

9.12. - Where can you find evidence of web-based email such as from MSN Hotmail or Google Gmail on a Windows system?



A. In Temporary Internet Files under Local Settings in the user’s profile
B. In Unallocated Clusters
C. In the pagefile.sys file
D. In the hiberfil.sys file
E. All of the above

9.12. - E. Web-based email is commonly viewed but not saved. Its contents may therefore be found in the Temporary Internet Files folder, in Unallocated Clusters, or in the pagefile.sys and hiberfil.sys files.

9.13. - Filenames with the .url extension that direct web browsers to a specific website are normally located in which folder?



A. Favorites folder
B. Cookies folder
C. Send To folder
D. History folder

9.13. - A. The Favorites folder contains link files that direct the browser to certain websites. These link files usually have a name that describes the website followed with the .url extension.

9.14. - Data about Internet cookies such as URL names, date and time stamps, and pointers to the actual location of the cookie is stored where?



A. INFO2 file
B. index.dat file
C. EMF file
D. pagefile.sys file

9.14. - B. Information about an Internet cookie such as the URL name, date and time stamps, and pointers to the actual cookie are stored in the index.dat file.

9.15. - On a Windows 98 machine, what is the swap or page file called?



A. WIN386.SWP
B. pagefile.sys
C. swapfile.sys
D. page.swp

9.15. - A. The swap file is saved as WIN386.SWP in a Windows 98 machine and as pagefile.sys in Windows XP and newer.

9.16. - When you are examining evidence that has been sent to a printer, which file contains an image of the actual print job?



A. The Enhanced Metafile (EMF)
B. The shadow file
C. The spool file
D. The RAW file

9.16. - C. The .spl, or spool, file contains an image of what is sent to the printer to be printed; the accompanying .shd shadow file holds the job's metadata (owner, printer, document name), not the image.

9.17. - The two modes for printing in Windows are ____________ and ____________ .



A. spooled, shadowed
B. spooled, direct
C. spooled, EM
D. EMF, RAW

9.17. - D. The two printing modes in Windows are RAW and EMF.

9.18. - Although the Windows operating system removes the EMF file upon a successful print job, the examiner may still recover the file as a result of a search on its unique header information in areas such as Unallocated Clusters or the swap file.



A. True
B. False

9.18. - A. Even though Windows deletes the EMF file after a print job has been completed, EnCase may still be able to recover the file by doing a search of its unique header information.

9.19. - The index.dat files are system files that store information about other files. They track date and time stamps, file locations, and name changes. Select the folder that does not contain an index.dat file.



A. Cookies
B. History
C. Recycle Bin
D. Temporary Internet Files

9.19. - C. The Recycle Bin does not contain an index.dat file; in Windows 2000/XP, it contains the INFO2 file.

9.20. - The Temporary Internet Files directory contains which of the following?



A. Web page files that are cached or saved for possible later reuse



B. An index.dat file that serves as a database for the management of the cached files



C. Web mail artifacts



D. All of the above

9.20. - D. The Temporary Internet Files directory contains all the previously mentioned items.

10.1. - How many sector(s) on a hard drive are reserved for the master boot record (MBR)?



A. 1
B. 4
C. 16
D. 62
E. 63

10.1. - E. The first 63 sectors of a hard drive are reserved for the MBR even though its contents are contained in the very first sector. On disks partitioned by Windows Vista and later, the first partition is aligned at sector 2048 instead, so the reserved gap before it (unallocated space an examiner should still inspect) is larger.

10.2. - The very first sector of a formatted hard drive that contains an operating system is referred to as which of the following?



A. Absolute sector 0
B. Boot sector
C. Containing the master boot record (MBR)
D. All of the above

10.2. - D. The first sector of a formatted hard drive with an operating system is referred to as a boot sector, which contains the MBR and is located at absolute sector 0.

10.3. - How many logical partitions does the partition table in the master boot record allow for a physical drive?



A. 1
B. 2
C. 4
D. 24

10.3. - C. The partition table has room for four entries. It consists of 64 bytes, and each of the four partitions is described by a 16-byte entry. Strictly these are four primary partitions; one of them may be an extended partition that in turn holds further logical partitions.

10.4. - The very first sector of a partition is referred to as which of the following?



A. Master boot record
B. Physical sector 0
C. Active primary partition
D. Volume boot record

10.4. - D. The first sector of a partition contains the volume boot record.

10.5. - If a hard drive has been fdisked, EnCase can still recover the deleted partition(s), if you point to the _________ and select Add Partition from the Partition menu.



A. master boot record
B. volume boot record
C. partition table
D. unallocated space

10.5. - B. EnCase can still recover deleted partitions if you point to the first sector of the partition, which is the volume boot record, and select the Add Partition command from the Partition menu.

10.6. - In an NTFS partition, where is the backup copy of the volume boot record (VBR) stored?



A. In the partition table.
B. Immediately after the VBR.
C. The last sector of the partition.
D. An NTFS partition does not store a backup of the VBR.

10.6. - C. When a hard drive is formatted with an NTFS partition, a backup of the VBR is stored in the last sector of the partition.
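Cards 10.1 through 10.6 describe the on-disk layout an examiner inspects when a partition has been removed: the 64-byte partition table at offset 446 of absolute sector 0, the 0x55AA boot signature at offset 510, the volume boot record in a partition's first sector, and the NTFS backup VBR in its last sector. The code below is an added example, not EnCase code; it builds a small constructed disk image with one NTFS partition starting at sector 63, reads the table, checks both VBRs, and then wipes the table the way fdisk does to show that the VBR needed for Add Partition survives.

```python
"""MBR partition table and NTFS VBR inspection (added illustration, not EnCase code)."""
import struct

SECTOR = 512
BOOT_SIGNATURE = b"\x55\xAA"
PARTITION_TABLE_OFFSET = 446
ENTRY_FORMAT = "<B3sB3sII"     # status, CHS start, type, CHS end, LBA start, sector count


def parse_mbr(sector0):
    """Return the four 16-byte partition entries as dicts (an empty entry has type 0)."""
    if sector0[510:512] != BOOT_SIGNATURE:
        raise ValueError("no 0x55AA boot signature in sector 0")
    entries = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + 16 * i
        status, _chs_start, ptype, _chs_end, lba_start, sectors = struct.unpack_from(
            ENTRY_FORMAT, sector0, off)
        entries.append({"index": i, "bootable": status == 0x80, "type": ptype,
                        "lba_start": lba_start, "sectors": sectors})
    return entries


def read_sector(image, lba):
    return image[lba * SECTOR:(lba + 1) * SECTOR]


def is_ntfs_vbr(sector):
    """An NTFS VBR carries the OEM ID 'NTFS    ' at offset 3 and 0x55AA at offset 510."""
    return sector[3:11] == b"NTFS    " and sector[510:512] == BOOT_SIGNATURE


def find_vbrs(image):
    """For each used partition, report whether its primary and backup VBRs are intact."""
    report = []
    for e in parse_mbr(read_sector(image, 0)):
        if e["type"] == 0:
            continue
        first, last = e["lba_start"], e["lba_start"] + e["sectors"] - 1
        report.append({**e, "vbr_ok": is_ntfs_vbr(read_sector(image, first)),
                       "backup_vbr_lba": last,
                       "backup_vbr_ok": is_ntfs_vbr(read_sector(image, last))})
    return report


def build_sample_image(start=63, sectors=100):
    """Constructed image: MBR plus one NTFS (type 0x07) partition with VBR and backup VBR."""
    vbr = bytearray(SECTOR)
    vbr[0:3] = b"\xEB\x52\x90"              # x86 jump, as a real NTFS boot sector begins
    vbr[3:11] = b"NTFS    "
    vbr[510:512] = BOOT_SIGNATURE
    mbr = bytearray(SECTOR)
    entry = struct.pack(ENTRY_FORMAT, 0x80, b"\x00\x00\x00", 0x07, b"\x00\x00\x00",
                        start, sectors)
    mbr[PARTITION_TABLE_OFFSET:PARTITION_TABLE_OFFSET + 16] = entry
    mbr[510:512] = BOOT_SIGNATURE
    image = bytearray(SECTOR * (start + sectors))
    image[0:SECTOR] = mbr
    image[start * SECTOR:(start + 1) * SECTOR] = vbr
    last = start + sectors - 1
    image[last * SECTOR:(last + 1) * SECTOR] = vbr   # NTFS keeps a copy in the last sector
    return bytes(image)


def simulate_fdisk(image):
    """Zero the partition table as fdisk does; the VBRs themselves are untouched."""
    damaged = bytearray(image)
    damaged[PARTITION_TABLE_OFFSET:510] = b"\x00" * 64
    return bytes(damaged)


if __name__ == "__main__":
    img = build_sample_image()
    for p in find_vbrs(img):
        print(p)
    wiped = simulate_fdisk(img)
    print("types after fdisk:", [e["type"] for e in parse_mbr(read_sector(wiped, 0))])
    print("VBR still at sector 63:", is_ntfs_vbr(read_sector(wiped, 63)))
```

After the simulated fdisk the table reads as empty, yet the VBR is still present at sector 63 (and its backup at the partition's last sector); that surviving first sector is exactly what card 10.5 says to point at when re-adding the partition.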

10.7. - EnCase can mount a compound file, which can then be viewed in a hierarchical format. Select an example of a compound file.



A. Registry file (that is, .dat)
B. Email file (that is, .edb, .nsf, .pst, .dbx)
C. Compressed file (that is, .zip)
D. Thumbs.db
E. All of the above

10.7. - E. These file types are all examples of compound files whose contents EnCase is able to display in a hierarchical format.

10.8. - Windows 7 contains two master keys in its registry. They are HKEY_LOCAL_MACHINE and which of the following?



A. HKEY_USERS
B. HKEY_CLASSES_ROOT
C. HKEY_CURRENT_USER
D. HKEY_CURRENT_CONFIG

10.8. - A. The other master key is HKEY_USERS. The other choices are derived keys that are linked to keys within the two master keys.

10.9. - In Windows 7, information about a specific user’s preference is stored in the NTUSER.DAT file. This compound file can be found where?



A. C:\
B. C:\WINDOWS\
C. C:\Users\username
D. C:\Documents and Settings\All Users\Application Data

10.9. - C. Each time a profile or username is created, the NTUSER.DAT file is also created for the specific profile. This compound file is stored locally in the root of C:\Users\%USERNAME%.

10.10. - In an NTFS file system, the date and time stamps recorded in the registry are stored where?



A. Local time based on the BIOS settings



B. GMT and converted based on the system’s time zone settings

10.10. - B. Registry key last-write times are recorded as 64-bit FILETIME values in GMT (UTC), which are then displayed in local time based on the system's time zone settings.

10.11. - EnScript is a proprietary programming language and application programming interface (API) developed by Guidance Software, designed to function properly only within the EnCase environment.



A. True
B. False

10.11. - A. Since EnScript is a proprietary programming language, it is designed to function properly only in the EnCase environment.

10.12. - Since EnScript is a proprietary programming language developed by Guidance Software, EnScripts can be created by and obtained only from Guidance Software.



A. True
B. False

10.12. - B. Although EnScript was developed by Guidance Software, anyone with computer programming skills and knowledge of the programming language can develop their own EnScripts.

10.13. - Filters are a type of EnScript that “filters” a case for certain file properties such as file types, dates, and hash categories. Like EnScripts, filters can also be changed or created by a user.



A. True
B. False

10.13. - A. Since filters are in essence EnScripts, any user can modify an existing filter or create their own.

10.14. - Select the type of email that EnCase 7 is not capable of recovering.



A. Microsoft Outlook
B. AOL
C. Microsoft Outlook Express
D. Lotus Notes and Microsoft Exchange Server
E. None of the above

10.14. - E. EnCase 7 can recognize and parse all these types of emails.

10.15. - Which method is used to view the contents of a compound file that contains emails such as a PST file in EnCase 7?



A. Select View File Structure from the Entries options.



B. Run Find Email from within the EnCase Evidence Processor.



C. Both A and B.



D. None of the above.

10.15. - C. EnCase 7 allows the user to view the contents of compound files containing emails either by selecting View File Structure or by running Find Email from within the EnCase Evidence Processor. While both will allow viewing the compound file, per se, only the latter method will send the output to the Records view.

10.16. - EnCase 7 cannot process web-based email such as MSN Hotmail or Yahoo! Mail because the information can be found only on the mail servers.



A. True
B. False

10.16. - B. Contents of web-based emails may reside in areas such as Temporary Internet Files, the swap file (pagefile.sys), hiberfil.sys, and unallocated clusters. Using the web mail finder option from the File Carver, EnCase can locate web mail fragments.

10.17. - The EnCase Decryption Suite (EDS) will not decrypt Microsoft’s Encrypting File System (EFS) on the ___________ operating system.



A. Windows 2000 Professional and Server
B. Windows XP Professional
C. Windows 2003 Server
D. Windows 7 Home Edition

10.17. - D. Microsoft Windows 7 Home Edition does not include the EFS feature nor does it support BitLocker.

10.18. - At which levels can the VFS module mount objects in the Windows environment?



A. The case level
B. The disk or device level
C. The volume level
D. The folder level
E. All of the above

10.18. - E. The VFS module can mount data at the case, disk or device, volume, and folder levels.

10.19. - The Physical Disk Emulator (PDE) module is similar to the Virtual File System (VFS); the module can mount a piece of media that is accessible in the Windows environment. Select the type(s) of media that the Physical Disk Emulator cannot mount.



A. Cases
B. Folders
C. Volumes
D. Physical disks
E. Both A and B

10.19. - E. The Physical Disk Emulator can mount volumes and physical disks in the Windows environment; however, it does not mount cases or folders.

10.20. - The Virtual File System (VFS) module mounts data as _______, while the Physical Disk
Emulator (PDE) module mounts data as _______.



A. network share, emulated disk
B. emulated disk, network share
C. virtual drive, physical drive
D. virtual file, physical disk

10.20. - A. When a user selects the VFS module, EnCase will prompt the user with a Mount As Network Share dialog box. When a user selects the PDE module, EnCase will prompt the user with a Mount As Emulated Disk dialog box.

HKEY_CLASSES_ROOT
Used to associate file types with programs that open them and also used to register classes for Component Object Model (COM) objects. It is the largest of the root keys in terms of the registry space it occupies. This key is derived from a linked merger of two keys, HKLM\Software\Classes and HKCU\Software\Classes. This merger effectively blends default settings with per-user settings.

HKEY_CURRENT_USER
Used to configure the environment for the console user. It is a per-user setting (specific only to this user) and is derived from a link to HKU\SID, where the SID is the user's security identifier.

HKEY_CURRENT_CONFIG
Used to establish the current hardware configuration profile. This key is derived from a link to HKLM\SYSTEM\CurrentControlSet\Hardware Profiles\Current. Current is derived from a link to HKLM\SYSTEM\CurrentControlSet\Hardware Profiles\####, where #### is a number that increments starting at 0000. HKLM\SYSTEM\CurrentControlSet, in turn, is a link to HKLM\SYSTEM\ControlSet###, where ### is a number that increments starting at 000. Which control set is current and used to create this key and subsequent link is determined by the value located in HKLM\SYSTEM\Select\Current.

HKEY_LOCAL_MACHINE
Used to establish the per-computer settings. Settings found in this key apply to the machine and all of its users, covering all facets of the computer's function. This key is a master key and is not, therefore, derived from any link as are the previous three keys.

HKEY_USERS
Used for environment settings for the console user as well as other users who have logged onto the system. There will be at least three subkeys: .DEFAULT, SID, and SID_Classes, where the SID is that of the console user. You may also find SIDs S-1-5-18, S-1-5-19, and S-1-5-20, which are for the LocalSystem, LocalService, and NetworkService accounts, respectively. Any other SIDs found here will belong to other users who have logged on to the machine. This key is a master key and is not, therefore, derived from any link.