EnCE Practice Test Questions

Which selection keeps track of a fragmented file in a FAT (not exFAT) file system? A. File Allocation Table B. Directory structure C. Volume boot record D. Master file table

A. File Allocation Table

What can you assume about a hard drive that is pinned as CS? A. It's an IDE drive B. It's a SATA drive C. It's a SCSI drive D. All of the above

A. It's an IDE drive

Information contained in RAM memory (system's main memory), which is located on the motherboard, is _________. A. Volatile B. Nonvolatile

A. Volatile

Can information stored in the BIOS ever change? A. Yes B. No

A. Yes

In Linux, what describes hdb2? (Choose all that apply.) A. Refers to the primary master B. Refers to the primary slave C. Refers to hard drive number 2 D. Refers to the second partition E. Refers to the secondary master

B and D

You are a computer forensic examiner tasked with determining what evidence is on a seized computer. On what part of the computer system will you find data of evidentiary value? A. Microprocessor or CPU B. USB controller C. Hard drive D. PCI Expansions

C. Hard drive

At which user level must the examiner function when using LinEn? A. Administrator B. Admin C. Root D. Any user E. None of the above

C. Root

Which of the following is true about a volume boot record? A. It is always located at the first sector of its logical partition. B. It immediately follows the master boot record. C. It contains BIOS parameter block and volume boot code. D. Both A and C.

D. Both A and C.

You are a computer forensic examiner and want to reduce the number of files required for examination by identifying and filtering out known good or system files. What EnCase process would you use to identify such files? A. File signature analysis B. Recover Folders feature C. File content search D. File hash analysis

D. File hash analysis

A console prompt that displayed backslashes (\) as part of its display would most likely be which of the following? A. Red Hat Linux operating system B. Unix operating system C. Linux or Unix operating system logged in as root D. MS-DOS

D. MS-DOS

What are some variables regarding items to be seized that you should consider prior to responding to a scene? A. Location(s) of computers B. Type of operating system C. Workstations or mainframes D. System-critical or auxiliary machine E. All of the above

E. All of the above

Which describes an HPA? (Choose all that apply.) A. Stands for Host Protected Area B. Is not normally seen by the BIOS C. Is not normally seen through Direct ATA access D. Was introduced in the ATA-6 specification

A and B

You are a computer forensic examiner and need to search for the name of a suspect in an EnCase evidence file. You enter the name of the suspect into the EnCase keyword interface as John Doe. What search hits will be found with this search term with the default settings? (Choose all that apply.)' A. John Doe B. John D. C. john doe D. John.Doe

A and C

Select all that are true about EE and FIM. A. They can acquire or preview a system live without shutting it down. B. They can capture live system-state volatile data using the Snapshot feature. C. With EE, the SAFE is on a separate PC, administered by the keymaster. D. With FIM, the SAFE is on the examiner's PC and the keymaster and the examiner are the same person. E. FIM can be licensed to private individuals.

A, B, C and D

Which are true with regard to EnCase Portable? (Choose all that apply.) A. Storage media must be prepared using the Portable Management tool before it can be used by EnCase Portable. B. If booting using the EnCase Portable Boot CD to boot, the EnCase Portable dongle must also be connected so that the license can be accessed. C. The EnCase Portable can triage and collect evidence in a forensically sound manner from live machines or to do so in a boot mode. D. The EnCase Portable can be configured with custom tasks created by the examiner using the Portable Management tool.

A, B, C and D

You are preparing to lead a team to serve a search warrant on a business suspected of committing large-scale consumer fraud. Ideally, you would assign which tasks to search team members? (Choose all that apply.) A. Photographer B. Search and seizure specialists C. Recorder D. Digital evidence search and seizure specialists

A, B, C and D

You are a computer forensic examiner investigating media on a seized computer. You recovered a document containing potential evidence. EnCase reports the file system on the forensic image of the hard drive is New Technology File System (NTFS). What information about the document file can be found in the NTFS master file table on the media? (Choose all that apply.) A. Name of the file B. Date and time stamps of the file C. Starting cluster of the file D. Fragmentation of the file E. Ownership of the file

A, B, C, D and E

You are a computer forensic examiner and want to examine any email sent and received by the user of the computer system under investigation. What email formats are supported by EnCase? (Choose all that apply.) A. Outlook PSTs B. Outlook Express C. America Online D. MBOX E. Lotus Notes NSF F. Microsoft Exchange EDB

A, B, C, D, E and F

A directory entry in a FAT file system has a logical size of which of the following? A. 0 bytes B. 8 bytes C. 16 bytes D. One sector

A. 0 bytes

What is the BIOS? A. BIOS stands for Basic Input Output System and is a combination of low-level software and drivers that function as the interface, intermediary, or layer between a computer's hardware and its operating system. B. BIOS stands for Bootstrap Initialization Operating System and is a combination of low-level software and drivers that function as the interface, intermediary, or layer between a computer's hardware and its operating system. C. BIOS stands for Boot-level Input Output System and is a combination of low-level software and drivers that function as the interface, intermediary, or layer between a computer's hardware and its operating system. D. BIOS stands for Boot Initialization Operating System and is a combination of low-level software and drivers that function as the interface, intermediary, or layer between a computer's hardware and its operating system.

A. BIOS stands for Basic Input Output System and is a combination of low-level software and drivers that function as the interface, intermediary, or layer between a computer's hardware and its operating system.

The electrical pathway used to transport data from one computer component to another is called what? A. Bus B. RAM C. CMOS D. BIOS

A. Bus

Which of the following is not true regarding the exFAT file system? A. Cluster allocation is tracked in the File Allocation Table (FAT). B. When a file is deleted, the corresponding entries in the File Allocation Table (FAT) are reset or zeroed out. C. Cluster allocation is tracked in an allocation bitmap. D. An entry in the FAT of 00 00 00 00 means that the FAT is not tracking allocation for this file.

A. Cluster allocation is tracked in the File Allocation Table (FAT).

You are a computer forensic examiner and need to determine whether any Microsoft Office documents have been renamed with image extensions to obscure their presence. What EnCase process would you use to find such files? A. File signature analysis B. Recover Folders feature C. File content search D. File hash analysis

A. File signature analysis

Which of the following are true? A. LinEn contains no write-blocking capability. Rather, write blocking is achieved by disabling the automount feature within the host Linux operating system. B. LinEn contains its own onboard write blocking drivers and therefore can be safely run on any version of Linux. C. LinEn can format drives to both NTFS and FAT formats. D. Before using a target drive onto which to write evidence files, LinEn must be used to unlock the target drive and render it writable. E. LinEn can format drives to EXT2 or EXT3 format.

A. LinEn contains no write-blocking capability. Rather, write blocking is achieved by disabling the automount feature within the host Linux operating system.

What is the purpose or function of a computer's ROM chip? A. Long-term or permanent storage of information and instructions B. Temporary storage area to run applications C. Permanent storage area for programs and files D. A portable storage device

A. Long-term or permanent storage of information and instructions

What is found at Cylinder 0, Head 0, Sector 1 on a hard drive? A. Master boot record B. Master file table C. Volume boot record D. Volume boot sector

A. Master boot record

You are a computer forensic examiner at a scene and have determined you will seize a Linux server, which, according to your source of information, contains the database records for the company under investigation for fraud. What is the best practice for "taking down" the server for collection? A. Photograph the screen and note any running programs or messages, capture volatile data, and so on, and use the normal shutdown procedure. B. Photograph the screen and note any running programs or messages, capture volatile data, and so on, and pull the plug from the wall. C. Photograph the screen and note any running programs or messages, capture volatile data, and so on, and pull the plug from the rear of the computer. D. Photograph the screen and note any running programs or messages, capture volatile data, and so on, and ask the user at the scene to shut down the server.

A. Photograph the screen and note any running programs or messages, capture volatile data, and so on, and use the normal shutdown procedure.

Generally speaking, if you encounter a Unix/Linux machine, how should you take down the machine? A. Shut down using its operating system. B. Shut down by pulling the power cord from the outlet. C. Shut down by pulling the plug from the computer box. D. All of the above.

A. Shut down using its operating system.

Generally speaking, if you encounter a computer running Windows 2008 Server, how should you take down the machine? A. Shut down using its operating system. B. Shut down by pulling the power cord from the outlet. C. Shut down by pulling the plug from the computer box. D. All of the above.

A. Shut down using its operating system.

When unplugging a desktop computer, from where is it best to pull the plug? A. The back of the computer B. The wall outlet C. A or B

A. The back of the computer

What three things occur when a file is created in a FAT32 file system? A. The directory entry for the file is created, the FAT assigns the necessary clusters to the file, and the file's data is filled in to the assigned clusters. B. The filename is entered in to the FAT, the directory structure assigns the number of clusters, and the file's data is filled in to the assigned clusters. C. The directory entry for the file is created, the number of clusters is assigned by the directory structure, and the file's data is filled in to the FAT. D. The directory structure maintains the amount of clusters needed, the filename is recorded in the FAT, and the file's data is filled in to the assigned clusters.

A. The directory entry for the file is created, the FAT assigns the necessary clusters to the file, and the file's data is filled in to the assigned clusters.

What is the first consideration when responding to a scene? A. Your safety B. The safety of others C. The preservation of evidence D. Documentation

A. Your safety

You are a computer forensic examiner at a scene and are authorized to seize only media that can be determined to have evidence related to the investigation. What options do you have to determine whether evidence is present before seizure and a full forensic examination? (Choose all that apply.) A. Use a DOS boot floppy or CD to boot the machine, and browse through the directory for evidence. B. Use a forensically sound Linux boot CD to boot the machine into Linux, and use LinEn to preview the hard drive through a crossover cable with EnCase for Windows. C. Remove the subject's hard drive from the machine, and preview the hard drive in EnCase for Windows with a hardware write blocker such as FastBloc/Tableau. D. Boot the computer into Windows and use Explorer search utility to find the finds being sought.

B and C

In Linux, what describes sdb? (Choose all that apply.) A. Refers to an IDE device B. Refers to a SCSI device C. Refers to a USB device D. Refers to a FireWire device

B, C and D

You are a computer forensic examiner at a scene and have determined you will need to image a hard drive in a workstation while on-site. What are your options for creating a forensically sound image of the hard drive? (Choose all that apply.) A. Use a regular DOS boot floppy or CD to boot the machine, and use EnCase for DOS to image the subject hard drive to a second hard drive attached to the machine. B. Use a forensically sound Linux boot CD to boot the machine into Linux, and use LinEn to image the subject hard drive to a second hard drive attached to the machine. C. Remove the subject hard drive from the machine, and image the hard drive in EnCase for Windows with a hardware write blocker such as FastBloc/Tableau. D. Use a forensically sound Linux boot CD to boot the machine into Linux, and use LinEn to image the hard drive through a crossover cable with EnCase for Windows.

B, C and D

You are a computer forensic examiner and want to determine when a user deleted a file contained in a Windows 7 Recycle Bin. In what file is the date and time information about the file deletion contained? A. $R0F5B7C.docx B. $I0F5B7C.docx C. INFO2 D. deleted.ini

B. $I0F5B7C.docx

On a FAT file system, FAT is defined as which of the following? A. A table consisting of master boot record and logical partitions B. A table created during the format that the operating system reads to locate data on a drive C. A table consisting of filenames and file attributes D. A table consisting of filenames, deleted filenames, and their attributes

B. A table created during the format that the operating system reads to locate data on a drive

As a good forensic practice, why would it be a good idea to wipe a forensic drive before reusing it? A. Chain-of-custody B. Cross-contamination C. Different file and operating systems D. Chain of evidence E. No need to wipe

B. Cross-contamination

It is always safe to pull the plug on a Windows 7 Enterprise operating system. A. True B. False

B. False

LinEn can be run under both Windows and DOS operating systems. A. True B. False

B. False

LinEn contains a write blocker that protects the target media from being altered. A. True B. False

B. False

Reacquiring an image and adding compression will change the MD5 value of the acquisition hash. A. True B. False

B. False

When called to a large office complex with numerous networked machines, it is always a good idea to request the assistance of the network administrator. A. True B. False

B. False

When reacquiring an image, you can change the name of the evidence. A. True B. False

B. False

What is the main component of a computer to which essential internal devices such as CPU, memory chips, and other chipsets are attached? A. BIOS B. Motherboard C. Expansion card D. Processor

B. Motherboard

Is the information contained on a computer's RAM chip accessible after a proper shutdown? A. Yes B. No

B. No

Is the information stored on a computer's ROM chip lost during a proper shutdown? A. Yes B. No

B. No

You are a computer forensic examiner explaining how computers store and access the data you recovered as evidence during your examination. The evidence is a log file and was recovered as an artifact of user activity on the ________, which was stored on the _____________, contained within a _____________ on the media. A. Partition, operating system, file system B. Operating system, file system, partition C. File system, operating system, hard drive D. Operating system, partition, file system

B. Operating system, file system, partition

By default, what color does EnCase use to display directory entries within a directory structure? A. Black B. Red C. Gray D. Yellow

B. Red

You are a computer forensic examiner and want to determine how many times a program was executed. Where would you find information? A. Temp folder B. Registry C. Recycle Bin D. Program files

B. Registry

You are a computer forensic examiner and need to determine what files are contained within a folder called Business documents. What EnCase pane will you use to view the names of the files in the folder? A. Tree pane B. Table pane C. View pane D. EnScripts pane

B. Table pane

You are a computer forensic examiner and need to verify the integrity of an EnCase evidence file. To completely verify the file's integrity, which of the following must be true? A. The MD5 hash value must verify. B. The CRC values and the MD5 hash value both must verify. C. Either CRC or MD5 hash values must verify. D. The CRC values must verify.

B. The CRC values and the MD5 hash values both must verify

A file's physical size is which of the following? A. Always greater than the file's logical size B. The number of bytes in the logical file plus all slack space from the end of the logical file to the end of the last cluster C. Both A and B D. None of the above

B. The number of bytes in the logical file plus all slack space from the end of the logical file to the end of the last cluster

How many copies of the FAT does each FAT32 volume maintain in its default configuration? A. One B. Two C. Three D. Four

B. Two

What is the first sector on a volume called? A. File Allocation Table B. Volume boot record or sector C. Master boot record D. Volume boot device

B. Volume boot record or sector

How should CDs be acquired using EnCase? A. DOS B. Windows

B. Windows

You are a computer forensic examiner and want to determine whether a user has opened or double-clicked a file. What folder would you look in for an operating system artifact for this user activity? A. Temp B. Windows Registry C. Cookies D. Desktop

B. Windows Registry

The smallest area on a drive that data can be written to is a _______, while the smallest area on a drive that a file can be written to is a ________. A. Bit, byte B. sector, cluster C. volume, drive D. memory, disk

B. sector, cluster

You are a computer forensic examiner investigating a seized computer. You recovered a document containing potential evidence. EnCase reports the file system on the forensic image of the hard drive is File Allocation Table (FAT). What information about the document file can be found in the FAT on the media? (Choose all that apply.) A. Name of the file B. Date and time stamps of the file C. Starting cluster of the file D. Fragmentation of the file E. Ownership of the file

C and D

What is the maximum number of drive letters assigned to hard drive(s) partitions on a system? A. 4 B. 16 C. 24 D. Infinity

C. 24

You are a computer forensic examiner and are viewing a file in an EnCase evidence file. With your cursor, you have selected one character in the file. What binary term is used for the amount of data that represents a single character? A. A bit B. A nibble C. A byte D. A word

C. A byte

What is the definition of a CPU? A. The physical computer case that contains all its internal components B. The computer's internal hard drive C. A part of the computer whose function is to perform data processing D. A part of the computer that stores and manages memory

C. A part of the computer whose function is to perform data processing

When acquiring a hard drive using a Linux boot disk with LinEn, what would be the cause of EnCase (LinEn) not detecting partition information? A. The drive has been FDisked and the partition(s) removed. B. The partition(s) are not recognized by Linux. C. Both A and B. D. None of the above.

C. Both A and B.

Which is not considered exclusively an output device? A. Monitor B. Print C. CD-RW drive D. Speaker

C. CD-RW drive

When acquiring digital evidence, why shouldn't the evidence be left unattended in an unsecured location? A. Cross-contamination B. Storage C. Chain-of-custody D. Not an issue

C. Chain-of-custody

What does EnCase do when a deleted file's starting cluster number is assigned to another file? A. EnCase reads the entire existing data as belonging to the deleted file. B. EnCase reads the amount of data only from the existing file that is associated with the deleted file. C. EnCase marks the deleted file as being overwritten. D. EnCase does not display a deleted filename when the data has been overwritten.

C. EnCase marks the deleted file as being overwritten.

How does EnCase recover a deleted file in a FAT file system? A. It reads the deleted filename in the FAT and searches for the file by its starting cluster number and logical size. B. It reads the deleted filename in the directory entry and searches for the corresponding filename in unallocated clusters. C. It obtains the deleted file's starting cluster number and size from the directory entry to obtain the data's starting location and number of clusters required. D. It obtains the deleted file's starting cluster number and size from the FAT to locate the starting location and amount of clusters needed.

C. It obtains the deleted file's starting cluster number and size from the directory entry to obtain the data's starting location and number of clusters required.

What do the terms master, slave, and Cable Select refer to? A. External SCSI drives B. Cable types for external hardware C. Jumper settings for internal hardware such as IDE hard drives and CD drives D. Jumper settings for internal expansion cards

C. Jumper settings for internal hardware such as IDE hard drives and CD drives

Which of the following is not acceptable for "bagging" a computer workstation? A. Large paper bag. B. Brown wrapping paper. C. Plastic garbage bag. D. Large antistatic plastic bag. E. All of the above are acceptable for bagging a workstation.

C. Plastic garbage bag.

Generally speaking, if you encounter a Macintosh computer, how should you take down the machine? A. Shut down using the operating system. B. Shut down by pulling the power cord from the outlet. C. Shut down by pulling the plug from the computer box. D. All of the above.

C. Shut down by pulling the plug from the computer box.

Generally speaking, if you encounter a desktop computer running Windows 7, how should you take down the machine? A. Shut down using Windows 7. B. Shut down by pulling the power cord from the outlet. C. Shut down by pulling the plug from the computer box. D. All of the above.

C. Shut down by pulling the plug from the computer box.

When using LinEn, the level of support for USB, FireWire, and SCSI devices is determined by what? A. The drivers built into LinEn B. The drivers provided with the ENBCD C. The distribution of Linux being used D. A and B E. None of the above

C. The distribution of Linux being used

You are a computer forensic examiner and need to view the contents of a file contained within a folder called Business documents. What EnCase pane will you use to view the contents of the file? A. Tree pane B. Table pane C. View pane D. EnScripts pane

C. View pane

In a FAT file system, the FAT tracks the ________ while the directory entry tracks the ________. A. filename, file size B. file's starting cluster, file's last cluster (EOF) C. file's last cluster (EOF), file's starting cluster D. file size, file fragmentation

C. file's last cluster (EOF), file's starting cluster

On a production Linux/Unix server, you must generally be which user to shut down the system? A. sysadmin B. administrator C. root D. system

C. root

How many clusters can a FAT32 file system manage? A. 2 x 32 = 64 clusters B. 2^32 = 4,294,967,296 clusters C. 2 x 28 = 56 clusters D. 2^28 = 268,435,456 clusters

D. 2^28 = 268,435,456 clusters

Each directory entry in a FAT file system is ____ bytes in length. A. 0 B. 8 C. 16 D. 32

D. 32

What is the definition of POST? A. A set of computer sequences the operating system executes upon a proper shutdown B. A diagnostic test of the computer's hardware and software for presence and operability during the boot sequence prior to running the operating system C. A diagnostic test of the computer's software for presence and operability during the boot sequence prior to running the operating system D. A diagnostic test of the computer's hardware for presence and operability during the boot sequence prior to running the operating system

D. A diagnostic test of the computer's hardware for presence and operability during the boot sequence prior to running the operating system

The NTFS file system does which of the following? A. Supports long filenames B. Compresses individual files and directories C. Supports large file sizes in excess of 4 GB D. All of the above

D. All of the above

Which of the following describes a partition table? A. It is located at cylinder 0, head 0, sector 1. B. Is located in the master boot record. C. It keeps track of the partitions on a hard drive. D. All of the above.

D. All of the above.

What is the best method to shut down a notebook computer? A. Unplug from the back of the computer. B. Unplug from the wall. C. Remove the battery. D. Both A and C.

D. Both A and C.

Which of the following is not true regarding the NTFS file system? A. Data for very small files can be stored in the MFT itself and is referred to as resident data. B. Cluster allocation is tracked in the $Bitmap file. C. Data that is stored in clusters is called nonresident data. D. Cluster allocation is tracked in the File Allocation Table (FAT).

D. Cluster allocation is tracked in the File Allocation Table (FAT).

IDE, SCSI, and SATA are different types of interfaces describing what device? A. RAM chips B. Flash memory C. CPUs D. Hard drives

D. Hard drives

How does a corrupted sector located in the data area of a hard drive affect the corresponding cluster number on a FAT in a FAT file system? A. It does not affect the corresponding cluster number on a FAT; therefore, the rest of the sectors associated with the assigned cluster can still be written to. B. It does not affect the corresponding cluster number on a FAT; only the corrupted portion of the sector is prevented from being written to. C. It does affect the FAT. The corresponding cluster number is marked as bad; however, only the corrupted sector within the cluster is prevented from being written to. D. It does affect the FAT. The corresponding cluster number is marked as bad, and the entire cluster is prevented from being written to.

D. It does affect the FAT. The corresponding cluster number is marked as bad, and the entire cluster is prevented from being written to.

If the FAT, in a FAT file system, lists cluster number 2749 with a value of 0, what does this mean about this specific cluster? A. It is blank and contains no data. B. It is marked as bad and cannot be written to. C. It is allocated to a file. D. It is unallocated and is available to store data.

D. It is unallocated and is available to store data.

Which selection displays the incorrect method for shutting down a computer? A. DOS: Pull the plug. B. Windows 7: Pull the plug. C. Windows XP: Pull the plug. D. Linux: Pull the plug.

D. Linux: Pull the plug.

You are a computer forensic examiner and have imaged a hard drive on site. Before you leave the scene, you want to ensure the image completely verifies as an exact forensic duplicate of the original. To verify the EnCase evidence file containing the image, you should do which of the following? A. Use a hex editor to compare a sample of sectors in the EnCase evidence file with that of the original. B. Load the EnCase evidence files into EnCase for Windows, and after the verification is more than halfway completed, cancel the verification and spot-check the results for errors. C. Load the EnCase evidence files into EnCase for DOS, and verify the hash of those files. D. Load the EnCase evidence files into EnCase for Windows, allow the verification process to finish, and then check the results for complete verification.

D. Load the EnCase evidence files into EnCase for Windows, allow the verification process to finish, and then check the results for complete verification.

What is the area between the end of a file's logical size and the file's physical size called? A. Unused disk area B. Unallocated clusters C. Unallocated sectors D. Slack space

D. Slack space

Which of the following is incorrect? A. The MBR is typically written when the drive is partitioned with FDISK or DISKPART. B. A file system is a system or method of storing and retrieving data on a computer system that allows for a hierarchy of directories, subdirectories, and files. C. The VBR is typically written when the drive is high-level formatted with a utility such as format. D. The partition table is contained within the MBR and consists of a total of 16 bytes, which describes up to four partitions using 4 bytes each to do so.

D. The partition table is contained within the MBR and consists of a total of 16 bytes, which describes up to four partitions using 4 bytes each to do so.

How is the chain of custody maintained? A. By bagging evidence and sealing it to protect it from contamination or tampering B. By documenting what, when, where, how, and by whom evidence was seized C. By documenting in a log the circumstances under which evidence was removed from the evidence control room D. By documenting the circumstances under which evidence was subjected to analysis E. All of the above

E. All of the above

When shutting down a computer, what information is typically lost? A. Data in RAM memory B. Running processes C. Current network connections D. Current logged-in users E. All of the above

E. All of the above

When would it be acceptable to navigate through a live system? A. To observe the operating system to determine the proper shutdown process B. To document currently opened files (if Enterprise/FIM edition is not available) C. To detect mounted encryption D. To access virtual storage facility (if search warrant permits; some are very specific about physical location) E. All of the above

E. All of the above

If the number of sectors reported by EnCase does not match the number reported by the manufacturer for the drive, what should you do? A. Suspect HPA B. Suspect DCO C. Use Tableau or FastBloc SE to access the sectors protected by HPA or DCO. D. Boot with LinEn in Linux. E. All of the above.

E. All of the above.

What are some variables regarding a facility that you should consider prior to responding to a scene? A. What type of structure is it? B. How large is the structure? C. What are the hours of operation? D. Is there a helpful person present to aid in your task? E. All of the above.

E. All of the above.

Which describes a DCO? A. Was introduced in the ATA-6 specification. B. Stands for Device Configuration Overlay. C. Is not normally seen by the BIOS. D. It may contain hidden data, which can be seen by switching to the Direct ATA mode in EnCase for DOS. E. All of the above.

E. All of the above.

Subsequent to a search warrant where evidence is seized, what items should be left behind? A. Copy of the affidavit B. Copy of the search warrant C. List of items seized D. A and B E. B and C

E. B and C

The size of a physical hard drive can be determined by which of the following? A. The cylinder x head x sector B. The cylinder x head x sector x 512 bytes C. The total LBA sectors x 512 bytes D. Adding the total size of partitions E. Both B and C

E. Both B and C

In which circumstance is pulling the plug to shut down a computer system considered the best practice? A. When the OS is Linux/Unix B. When the OS is Windows 7 and known to be running a large business database application C. When the OS is Windows (NT/2000/2003/2008) Server D. When Mac OS X Server is running as a web server E. None of the above

E. None of the above

When acquiring USB flash memory, you could write-protect it by doing what? A. Engaging the write-protect switch, if equipped B. Modifying the registry in Windows XP SP2 (or higher) to make USB read-only C. Using ENBD/ENBCD USB DOS drivers and having EnCase for DOS "lock" the Flash media D. Using LinEn in Linux with automount of file system disabled E. Using FastBloc SE to write block USB, FireWire, SCSI drives F. All of the above

F. All of the above

Which of the following should you do when creating a storage volume to hold an EnCase evidence file that will be created with LinEn? A. Format the volume with the FAT file system. B. Give the volume a unique label to identify it. C. Wipe the volume before formatting to conform to best practices, and avoid claims of cross-contamination. D. Create a directory to contain the evidence file. E. Format the volume with the NTFS file system. F. All of the above.

F. All of the above.