EnCE study guide

¡Supera tus tareas y exámenes ahora con Quizwiz!

In hexadecimal notation, one byte is represented by _____ character(s). A. 2 B. 1 C. 8 D. 4

A. 2

Within EnCase, you highlight a range of data within a file. The length indicator displays the value 30. How many bytes have you actually selected? A. 30 B. 3 C. 60 D. 15

A. 30

A hard drive has 8 sectors per cluster. File Mystuff.doc has a logical file size of 13,000 bytes. How many clusters will be used by Mystuff.doc? A. 4 B. 1 C. 2 D. 3

A. 4 512 bytes per sector, 4096 bytes per cluster 4096 x 4 = 16384

How many clusters can a FAT 16 system address? A. 65,536 B. 4,096 C. 268,435,456 D. 4,294,967,296

A. 65,536

A CPU is: A. A chip that would be considered the brain of a computer, which is installed on a motherboard. B. A Central Programming Unit. C. A motherboard with all required devices connected. D. An entire computer box, not including the monitor and other attached peripheral devices.

A. A chip that would be considered the brain of a computer, which is installed on a motherboard.

Which of the following would most likely be an add-in card? A. A video card that is connected to the motherboard in the AGP slot B. Anything plugged into socket 7 C. A motherboard D. The board that connects to the power supply Reveal Solution Discussion

A. A video card that is connected to the motherboard in the AGP slot

In the FAT file system, the size of a deleted file can be found: A. In the FAT B. In the directory entry C. In the file footer D. In the file header Reveal Solution

B. In the directory entry

In Windows, the file MyNote.txt is deleted from C Drive and is automatically sent to the Recycle Bin. The long filename was MyNote.txt and the short filename wasMYNOTE.TXT. When viewing the Recycle Bin with EnCase, how will the long filename and MyNote.txt and the short filename was MYNOTE.TXT? A. MyNote.txt, CD0.txt B. MyNote.txt, DC0.txt C. MyNote.del, DC1.del D. MyNote.del, DC0.del

B. MyNote.txt, DC0.txt

You are at an incident scene and determine that a computer contains evidence as described in the search warrant. When you seize the computer, you should: A. Record nothing to avoid inaccuracies that might jeopardize the use of the evidence. B. Record the location that the computer was recovered from. C. Record the identity of the person(s) involved in the seizure. D. Record the date and time the computer was seized.

B. Record the location that the computer was recovered from. C. Record the identity of the person(s) involved in the seizure. D. Record the date and time the computer was seized.

A personal data assistant was placed in an evidence locker until an examiner has time to examine it. Which of the following areas would require special attention? A. Chain-of-custody B. Storage C. There is no concern D. Cross-contamination

B. Storage

To undelete a file in the FAT file system, EnCase computes the number of _______ the file will use based on the file ______. A. Clusters;starting extent B. Sectors;starting extent C. Clusters;file size D. Sectors;file size

C. Clusters;file size

A hard drive was imaged using EnCase. The original drive was placed into evidence. The restore feature was used to make a copy of the original hard drive.EnCase verifies the restored copy using: A. An MD5 hash B. A 32 bit CRC C. Nothing. Restored volumes are not verified. D. A running log

A. An MD5 hash

The EnCase signature analysis is used to perform which of the following actions? A. Analyzing the relationship of a file signature to its file extension. B. Analyzing the relationship of a file signature to its file header. C. Analyzing the relationship of a file signature to a list of hash sets. D. Analyzing the relationship of a file signature to its computed MD5 hash value. Reveal Solution Discussion Previous QuestionsNext Questions

A. Analyzing the relationship of a file signature to its file extension.

Which of the following items could contain digital evidence? A. Credit card readers B. Personal assistant devices C. Cellular phones D. Digital cameras

A. Credit card readers B. Personal assistant devices C. Cellular phones D. Digital cameras

To later verify the contents of an evidence file 7RODWHUYHULI\WKHFRQWHQWVRIDQHYLGHQFHILOH A. EnCase writes a CRC value for every 64 sectors copied. B. EnCase writes a CRC value for every 128 sectors copied. C. EnCase writes an MD5 hash value every 64 sectors copied. D. EnCase writes an MD5 hash value for every 32 sectors copied.

A. EnCase writes a CRC value for every 64 sectors copied.

Calls to the C:\ volume of the hard drive are not made by DOS when a computer is booted with a standard DOS6.22 boot disk. A. False B. True Reveal Solution

A. False

Search terms are case sensitive by default. A. False B. True

A. False

Consider the following path in a FAT file system: A. From the My Pictures directory B. From the My Documents directory C. From the root directory c:\ D. From itself

A. From the My Pictures directory ??? Question seems incomplete

EnCase is able to read and examine which of the following file systems? A. NTFS B. EXT3 C. FAT D. HFS

A. NTFS B. EXT3 C. FAT D. HFS

When can an evidence file containing a NTFS partition be logically restored to a FAT 32 partition? A. Never B. When the FAT 32 has the same number of sectors / clusters. C. When the FAT 32 is the same size or bigger. D. Both B and C

A. Never

You are an investigator and have encountered a computer that is running at the home of a suspect. The computer does not appear to be a part of a network. The operating system is Windows XP Home. No programs are visibly running. You should: A. Pull the plug from the back of the computer. B. Turn it off with the power button. C. Pull the plug from the wall. D. Shut it down with the start menu.

A. Pull the plug from the back of the computer.

By default, EnCase will display the data from the end of a logical file, to the end of the cluster, in what color: A. Red B. Red on black C. Black on red D. Black

A. Red

If cluster number 10 in the FAT contains the number 55, this means: A. That cluster 10 is used and the file continues in cluster number 55. B. That the file starts in cluster number 55 and continues to cluster number 10. C. That there is a cross-linked file. D. The cluster number 55 is the end of an allocated file.

A. That cluster 10 is used and the file continues in cluster number 55.

Which of the following statements is more accurate? A. The Recycle Bin increases the chance of locating the existence of a file on a computer. B. The Recycle Bin reduces the chance of locating the existence of a file on a computer.

A. The Recycle Bin increases the chance of locating the existence of a file on a computer.

Bookmarks are stored in which of the following files? A. The case file B. The evidence file C. The configuration Bookmarks.ini file D. All of the above

A. The case file

If cluster #3552 entry in the FAT table contains a value of ?? this would mean: A. The cluster is unallocated B. The cluster is the end of a file C. The cluster is allocated D. The cluster is marked bad

A. The cluster is unallocated

You are investigating a case of child pornography on a hard drive containing Windows XP. In the C:\Documents and Settings\Bad Guy\Local Settings\TemporaryInternet Files folder you find three images of child pornography. You find no other copies of the images on the suspect hard drive, and you find no other copies of the filenames. What can be deduced from your findings? A. The presence and location of the images is not strong evidence of possession. B. The presence and location of the images is strong evidence of possession. C. The presence and location of the images proves the images were intentionally downloaded. D. Both a and c Reveal Solution

A. The presence and location of the images is not strong evidence of possession.

A restored floppy diskette will have the same hash value as the original diskette. A. True B. False

A. True

EnCase can build a hash set of a selected group of files. A. True B. False

A. True

Temp files created by EnCase are deleted when EnCase is properly closed. A. True B. False

A. True

The EnCase evidence file logical filename can be changed without affecting the verification of the acquired evidence. A. True B. False

A. True

The case file should be archived with the evidence files at the termination of a case. A. True B. False

A. True

When a non-compressed evidence file is reacquired with compression, the acquisition and verification hash values for the evidence will remain the same for both files. A. True B. False

A. True

This question addresses the EnCase for Windows search process. If a target word is located in the unallocated space, and the word is fragmented between clusters 10 and 15, the search: A. Will not find it because the letters of the keyword are not contiguous. B. Will not find it because EnCase performs a physical search only. C. Will find it because EnCase performs a logical search. D. Will not find it unlessile slack is checked on the search dialog box.

A. Will not find it because the letters of the keyword are not contiguous.

The EnCase methodology dictates that ________ be created prior to acquiring evidence. A. a unique directory on the lab drive for case management B. a text file for notes C. an .E01 file on the lab drive D. All of the above

A. a unique directory on the lab drive for case management

What files are reconfigured or deleted by EnCase during the creation of an EnCase boot disk? A. command.com B. autoexec.bat C. drvspace.bin D. io.sys

A. command.com C. drvspace.bin D. io.sys

EnCase uses the _________________ to conduct a signature analysis. A. file signature table B. hash library C. file Viewers D. Both a and b

A. file signature table

The following keyword was typed in exactly as shown. Choose the answer(s) that would result. All search criteria have default settings. Tom Jones A. tom jones B. Tom C. Jones D. Tom Jones

A. tom jones D. Tom Jones

How many partitions can be found in the boot partition table found at the beginning of the drive? A. 8 B. 4 C. 6 D. 2

B. 4

The EnCase default export folder is: A. A case-specific setting that cannot be changed. B. A case-specific setting that can be changed. C. A global setting that can be changed. D. A global setting that cannot be changed.

B. A case-specific setting that can be changed.

The acronym ASCII stands for: A. American Standard Communication Information Index B. American Standard Code for Information Interchange C. Accepted Standard Code for Information Interchange D. Accepted Standard Communication Information Index

B. American Standard Code for Information Interchange

How does EnCase verify that the evidence file contains an exact copy of the suspect hard drive? A. By means of a CRC value of the suspect hard drive compared to a CRC value of the data stored in the evidence file. B. By means of an MD5 hash of the suspect hard drive compared to an MD5 hash of the data stored in the evidence file. C. By means of a CRC value of the evidence file itself. D. By means of an MD5 hash value of the evidence file itself.

B. By means of an MD5 hash of the suspect hard drive compared to an MD5 hash of the data stored in the evidence file.

How are the results of a signature analysis examined? A. By sorting on the category column in the Table view. B. By sorting on the signature column in the Table view. C. By sorting on the hash sets column in the Table view. D. By sorting on the hash library column in the Table view.

B. By sorting on the signature column in the Table view.

Select the appropriate name for the highlighted area of the binary numbers. A. Word B. Byte C. Bit D. Nibble E. Dword

B. Byte

If cases are worked on a lab drive in a secure room, without any cleaning of the contents of the drive, which of the following areas would be of most concern? A. There is no concern B. Cross-contamination C. Chain-of-custody D. Storage

B. Cross-contamination

A standard DOS 6.22 boot disk is acceptable for booting a suspect drive. A. True B. False

B. False

A standard Windows 98 boot disk is acceptable for booting a suspect drive. A. True B. False

B. False

Changing the filename of a file will change the hash value of the file. A. True B. False

B. False

The default export folder remains the same for all cases. A. True B. False

B. False

When a drive letter is assigned to a logical volume, that information is temporarily written the volume boot record on the hard drive. A. True B. False

B. False

Hash libraries are commonly used to: A. Compare a file header to a file extension. B. Identify files that are already known to the user. C. Compare one hash set with another hash set. D. Verify the evidence file.

B. Identify files that are already known to the user.

Which of the following would be a true statement about the function of the BIOS? A. The BIOS integrates compressed executable files with memory addresses for faster execution. B. The BIOS is responsible for checking and configuring the system after the power is turned on. C. The BIOS is responsible for swapping out memory pages when RAM fills up. D. Both a and c.

B. The BIOS is responsible for checking and configuring the system after the power is turned on.

During the power-up sequence, which of the following happens first? A. The boot sector is located on the hard drive. B. The Power On Self-Test (POST) C. The floppy drive is checked for a diskette. D. The BIOS on an add-in card is executed.

B. The Power On Self-Test (POST)

A signature analysis has been run on a case. The result "JPEG" in the signature column means: A. The file signature is unknown and the header is a JPEG. B. The file signature is a JPEG signature and the file extension is incorrect. C. The file signature is unknown and the file extension is JPEG. D. None of the above.

B. The file signature is a JPEG signature and the file extension is incorrect.

Which of the following is found in the FileSignatures.ini configuration file A. The results of a hash analysis B. The information contained in the signature table C. The results of a signature analysis D. Pointers to an evidence file

B. The information contained in the signature table

Within EnCase, clicking on Save on the toolbar affects what file(s)? A. The evidence files B. The open case file C. The configuration .ini files D. All of the above

B. The open case file

When an EnCase user double-clicks on a file within EnCase what determines the action that will result? Select all that apply A. The settings in the case file. B. The settings in the FileTypes.ini file. C. The setting in the evidence file.

B. The settings in the FileTypes.ini file.

A physical file size is: A. The total size in sectors of an allocated file. B. The total size of all the clusters used by the file measured in bytes. C. The total size in bytes of a logical file. D. The total size of the file including the ram slack in bytes.

B. The total size of all the clusters used by the file measured in bytes.

The following GREP expression was typed in exactly as shown. Choose the answer(s) that would result. [^a-z] Tom[^a-z] A. Tomato B. Tom C. Toms D. Stomp

B. Tom

A sector on a floppy disk is the same size as a sector on a NTFS formatted hard drive. A. False B. True

B. True

An evidence file can be moved to another directory without changing the file verification. A. False B. True

B. True

If a floppy diskette is in the drive, the computer will always boot to that drive before any other device. A. False B. True

B. True

This question addresses the EnCase for Windows search process. If a target word is within a logical file, and it begins in cluster 10 and ends in cluster 15 (the word is fragmented), the search: A. Will not find it unlessile slack is checked on the search dialog box. B. Will find it because EnCase performs a logical search. C. Will not find it because EnCase performs a physical search only. D. Will not find it because the letters of the keyword are not contiguous.

B. Will find it because EnCase performs a logical search.

EnCase marks a file as overwritten when _____________ has been allocated to another file. A. all of the file B. the starting cluster of the file C. the directory entry for the file D. any part of the file

B. the starting cluster of the file

In Unicode, one printed character is composed of ____ bytes of data. A. 8 B. 4 C. 2 D. 1

C. 2

The maximum file segment size for an EnCase evidence file is: A. 1500 MB B. 1000 MB C. 2000 MB D. There is no limit. E. 500 MB

C. 2000 MB

The EnCase case file can be best described as: A. The file that runs EnCase for Windows. B. A file that contains configuration settings for cases. C. A file that contains information specific to one case. D. None of the above.

C. A file that contains information specific to one case.

The following GREP expression was typed in exactly as shown. Choose the answer(s) that would result. Bob@ [a-z]+.com A. Bob@New zealand.com B. [email protected] C. [email protected] D. [email protected]

C. [email protected]

A suspect typed a file on his computer and saved it to a floppy diskette. The filename was MyNote.txt. You receive the floppy and the suspect computer. The suspect denies that the floppy disk belongs to him. You search the suspect computer an d locate only the filename within a .LNK file. The .LNK file is located in the folder C:\Windows\Recent. How you would use the .LNK file to establish a connection between the file on the floppy diskette and the suspect computer? A. The file signature found in the .LNK file B. The dates and time of the file found in the .LNK file, at file offset 28 C. Both a and b D. The full path of the file, found in the .LNK file

C. Both a and b

Before utilizing an analysis technique on computer evidence, the investigator should: A. Test the technique on simulated evidence in a controlled environment to confirm that the results are consistent. B. Be trained in the employment of the technique. C. Both a and b. D. Neither a or b.

C. Both a and b.

Which is the proper formula for determining the size in bytes of a hard drive that uses cylinders (C), heads (H), and sectors (S) geometry? A. C X H + S B. C X H X S + 512 C. C X H X S X 512 D. C X H X S

C. C X H X S X 512

To generate an MD5 hash value for a file, EnCase: A. Computes the hash value including the logical file and filename. B. Computes the hash value including the physical file and filename. C. Computes the hash value based on the logical file. D. Computes the hash value based on the physical file.

C. Computes the hash value based on the logical file.

RAM is tested during which phase of the power-up sequence? A. Pre-POST B. After POST C. During POST D. None of the above.

C. During POST

A SCSI host adapter would most likely perform which of the following tasks? A. Configure the motherboard settings to the BIOS. B. Set up the connection of IDE hard drives. C. Make SCSI hard drives and other SCSI devices accessible to the operating system. D. None of the above.

C. Make SCSI hard drives and other SCSI devices accessible to the operating system.

Will EnCase allow a user to write data into an acquired evidence file A. Yes, but only bookmarks. B. Yes, but only to resize the partitions. C. No. Data cannot be added to the evidence file after the acquisition is made. D. Yes, but only case information. E. No, unless the user established a writing privilege when the evidence was acquired.

C. No. Data cannot be added to the evidence file after the acquisition is made.

You are conducting an investigation and have encountered a computer that is running in the field. The operating system is Windows XP. A software program is currently running and is visible on the screen. You should: A. Navigate through the program and see what the program is all about, then pull the plug. B. Pull the plug from the back of the computer. C. Photograph the screen and pull the plug from the back of the computer. D. Pull the plug from the wall.

C. Photograph the screen and pull the plug from the back of the computer.

ROM is an acronym for: A. Read Open Memory B. Random Open Memory C. Read Only Memory D. Relative Open Memory

C. Read Only Memory

Using good forensic practices, when seizing a computer at a business running Windows 2000 Server you should: A. Pull the plug from the back of the computer. B. Press the power button and hold it in. C. Shut it down normally. D. Pull the plug from the wall.

C. Shut it down normally.

Which of the following selections would be used to keep track of a fragmented file in the FAT file system? A. The directory entry for the fragmented file B. The partition table of extents C. The File Allocation Table D. All of the above

C. The File Allocation Table

Search results are found in which of the following files? Select all that apply. A. The evidence file B. The configuration Searches.ini file C. The case file

C. The case file

Which statement would most accurately describe a motherboard? A. An add-in card that handles allRAM. B. Any circuit board, regardless of its function. C. The main circuit board that has slots for the microprocessor, RAM, ROM, and add-in cards. D. An add-in card that controls all hard drive activity.

C. The main circuit board that has slots for the microprocessor, RAM, ROM, and add-in cards.

What information in a FAT file system directory entry refers to the location of a file on the hard drive? A. The file size B. The file attributes C. The starting cluster D. The fragmentation settings

C. The starting cluster

You are assigned to assist with the search and seizure of several computers. The magistrate ordered that the computers cannot be seized unless they are found to contain any one of ten previously identified images. You currently have the ten images in JPG format. Using the EnCase methodology, how would you best handle this situation? A. UseFastBloc or a network/parallel port cable to preview the hard drives. Go to the Gallery view and search for the previously identified images. B. UseFastBloc or a network/parallel port cable to acquire forensic images of the hard drives, then search the evidence files for the previously identified images. C. UseFastBloc or a network/parallel port cable to preview the hard drives. Conduct a hash analysis of the files on the hard drives, using a hash library containing the hash values of the previously identified images. D. Use an EnCase DOS boot disk to conduct a text search for child porn.

C. UseFastBloc or a network/parallel port cable to preview the hard drives. Conduct a hash analysis of the files on the hard drives, using a hash library containing the hash values of the previously identified images.

An evidence file was archived onto five CD-Rom disks with the third file segment on disk number three. Can the contents of the third file segment be verified by itself while still on the CD? A. No. Archived files are compressed and cannot be verified until un-archived. B. No. All file segments must be put back together. C. Yes. Any segment of an evidence file can be verified through re-computing and comparing the CRCs, even if it is on a CD. D. No. EnCase cannot verify files on CDs.

C. Yes. Any segment of an evidence file can be verified through re-computing and comparing the CRCs, even if it is on a CD.

A case file can contain ____ hard drive images? A. 5 B. 1 C. any number of D. 10

C. any number of

The EnCase methodology dictates that the lab drive for evidence have a __________ prior to making an image. A. FAT 16 partition B. NTFS partition C. unique volume label D. bare, unused partition

C. unique volume label

The following GREP expression was typed in exactly as shown. Choose the answer(s) that would result. [\x00-\x05]\x00\x00\x00 A. FF 0000 00 00 FF BA B. 0000 00 01 FF FF BA C. 04 06 0000 00 FF FF BA D. 04 0000 00 FF FF BA

D. 04 0000 00 FF FF BA

A sector on a hard drive contains how many bytes? A. 2048 B. 4096 C. 1024 D. 512

D. 512

A SCSI drive is pinned as a master when it is: A. The only drive on the computer. B. The primary of two drives connected to one cable. C. Whenever another drive is on the same cable and is pinned as a slave. D. A SCSI drive is not pinned as a master.

D. A SCSI drive is not pinned as a master.

An Enhanced Metafile would best be described as: A. A compressed zip file. B. A graphics file attached to an e-mail message. C. A compound e-mail attachment. D. A file format used in the printing process by Windows.

D. A file format used in the printing process by Windows.

Which of the following is commonly used to encode e-mail attachments? A. GIF B. EMF C. JPEG D. Base64

D. Base64

When a document is printed using EMF in Windows, what file(s) are generated in the spooling process? A. The .SHD file B. The .SPL file C. Neither a or b D. Both a and b

D. Both a and b

The Windows 98 Start Menu has a selection called documents which displays a list of recently used files. Which of the following The Windows 98 Start Menu has a selection called documents which displays a list of recently used files. Which of the following folders contain those files? A. C:\Windows\History B. C:\Windows\Start menu\Documents C. C:\Windows\Documents D. C:\Windows\Recent

D. C:\Windows\Recent

When undeleting a file in the FAT file system, EnCase will check the _____________ to see if it has already been overwritten. A. data on the hard drive B. deletion table C. directory entry D. FAT

D. FAT

The following GREP expression was typed in exactly as shown. Choose the answer(s) that would result. Jan 1st, 2?0?00 A. Jan 1st , 1900 B. Jan 1st , 2100 C. Jan 1st , 2001 D. Jan 1st , 2000

D. Jan 1st , 2000

When a file is deleted in the FAT file system, what happens to the FAT? A. The FAT entries for that file are marked as allocated. B. Nothing. C. It is deleted as well. D. The FAT entries for that file are marked as available.

D. The FAT entries for that file are marked as available.

A signature analysis has been run on a case. The result "Bad Signature " means: A. The file signature is known and does not match a known file header. B. The file signature is known and the file extension is known. C. The file signature is known and does not match a known file extension. D. The file signature is unknown and the file extension is known.

D. The file signature is unknown and the file extension is known.

Assume that MyNote.txt has been deleted. The FAT file system directory entry for that file has been overwritten.The data for MyNote.txt is now: A. Overwritten B. Allocated C. Cross-linked D. Unallocated

D. Unallocated

A file extension and signature can be manually added by: A. Using the new library feature under hash libraries. B. Right-clicking on a file and selecting add. C. Using the new set feature under hash sets. D. Using the new file signature feature under file signatures.

D. Using the new file signature feature under file signatures.

Pressing the power button on a computer that is running could have which of the following results? A. The computer will instantly shut off. B. The computer will go into stand-by mode. C. Nothing will happen. D. The operating system will shut down normally. E. All of the above could happen.

E. All of the above could happen.


Conjuntos de estudio relacionados

Psychology- Chapter 16 Therapy and Treatment

View Set

Practice test 3 Chpt 9 to 11 7th edition

View Set

CH 14 SOMATOSENSORY FUNCTION, PAIN & TEMPERATURE

View Set

AIR LAUNCHED GUIDED MISSILES & GUIDED MISSILE LAUNCHERS

View Set

Ionic/ Covalent bonds study guide

View Set

OB Exam 3 SPECIAL POPS 2, Maternity 1-3

View Set