quizes 644
Bookmarks can appear in canned reports.
True
With regards to EnCase acquisition, what is an "image?"
An exact copy - bit for bit - of a hard drive
In what ways can computers be associated with a crime or inappropriate use?
Answers 1, 2, and 3
If a technician uses a hardware write blocker to connect to a target hard drive, it's not necessary to make an image of the drive as the drive is protected from write commands.
False
What are the odds of two files having the same CRC value?
One in 4.2 billion
What is the benefit to indexed keyword searches vs raw searches using keywords? What is the drawback of raw searches using keywords?
One of the key benefits of using indexed keyword searches is that they are faster and one drawback of raw searches is that they do not show what is actually inside of a file such as a PDF.
By default, multiple copies of the FAT are maintained by FAT file systems. Which sentence best describes how the FATs are maintained?
The FATs are stored one immediately following the other at the beginning of the drive.
At the end of an acquisition with EnCase, an MD5 has is calculated and appended to the end of the file. What is the basis of the MD5 value?
The MD5 value is based on the entire evidence file except for the header, the CRCs, and any footer information.
When analyzing a file on a system using NTFS, you come across a file with the following four time stamps. What do you conclude from this information? Creation Date: 04/28/14 12:34:20PM Last Modified Date: 04/28/14 11:18:55AM Last Accessed Date: 04/28/14 12:34:20PM MFT Entry: 04/28/14 12:34:20PM
The file was created on or before 4/28/14 at 11:18:55AM and then moved to its current location from an external storage device.
What is the most significant concern when performing a forensic examination where the examiner changes the boot sequence and modifies the boot order to CD or floppy disk?
The most significant concern when this is done is that the data the forensics examiner is handling could be changed or corrupted.
What is the benefit of performing a live analysis over a traditional dead box forensics?
A live analysis is more beneficial because you can see all of the programs that are currently running. This is not true for a dead box analysis.
In EnCase keyword searches can be conducted in which of the following manners?
ASCII Case sensitive Unicode Based on a format of numbers or characters where the actual values are not known.
If one of the data blocks within an existing EnCase evidence file is determined to be corrupt or altered, EnCase will:
Allow the user to access all uncorrupted areas of the image.
Which boot sequence is correct?
BIOS > POST > Boot Partition > Load the OS
What is the term used to describe the securing of physical evidence to ensure it is not compromised or tampered with?
Chain of custody
When an evidence file is dragged into the EnCase window, the verification process automatically starts. This could be very resource intensive. How can examiner stop the verification process?
Double-click the status bar in the lower right corner of the screen and select "cancel."
FastBloc is a _________ developed to work in conjunction with EnCase, but it does not require EnCase.
Hardware write blocker
Why might an examiner not want to use the Ex01 file format?
It is not backwards compatible with EnCase, i.e., version 6. It is not compatible with FTK Imager and other tools.
If you were to come across a file with the extension .Ex03, what would that indicate to you?
It is the third part of an EnCase evidence file and it needs to be combined with .Ex01 and .Ex02.
The FAT and NTFS file systems handle time/date stamps differently. Which two time/date stamps are handled differently with those operating systems?
Last accessed date and Master File Table (MFT) entry date
Compatible compact discs may use ISO 9660 and Joilet file systems on the same disc. When the ISO 9660 directory and Joilet directory are made, does each copy contain a fully copy of the data stored on the disc?
NO
What file system supports file sizes in excess of 4GB?
NTFS
In EnCase, is the case file the same as the evidence file?
No
What are the odds of two files having the same MD5 hash?
One in 340 billion billion billion billion
A volume is a collection of sectors that are used by an operating system. The sectors are arranged logically and do not need to be consecutive.
True
The FAT file system records whether or not the operating system was shut down and dismounted properly.
True
In what ways can EnCase be used to make a forensic copy of a hard drive?
Via a network cable. (This would be a network cable if a switch or hub is involved or a cross-over cable if direct computer-to-computer connection was used.) Drive to drive With bootable floppy disks or bootable CD
Is it possible for EnCase to search for data that has been orphaned in file slack space?
Yes, EnCase will search data in the file slack space; however, the examiner must decide what type of data is present.
If all compression is disabled during acquisition, an EnCase evidence file will be:
Larger than the original source drive.
Typically, how large are sectors on a hard disk?
512 bytes
In NTFS, what is the purpose of the $Bitmap file?
It tracks the allocation of clusters.
If an examiner creates an acquisition of a hard drive in E01 format; i.e., the EnCase format, using EnCase or FTK Imager, the two pieces of software will return different MD5 hash values.
False
In 7-bit ASCII, the uppercase letter "B" has the same ASCII code as lower case letter "b".
False
When FDISK is used to remove a partition, the partition table entry is removed and the data on the hard drive is overwritten.
False
When keyword searches are performed with the Evidence Processor, the keyword search must be performed the very first time the Evidence is Processor is run.
False
When making an EnCase evidence file, the target disk must be the same size as the source disk.
False
In NTFS, what is the purpose of the $MFT file?
It is a database with an entry for every file and every directory in the partition.
When should an image be verified and why?
The image should be verified at the beginning and at the end to make sure nothing has been changed.
What is the signature for the end of a Windows (FAT/NTFS) volume boot sector?
0x55AA
When a file is deleted from a disk using the FAT file system, the status byte is changed. To what value is it changed?
0xE5
How many bits are used to represent characters in Unicode?
2 bytes
Which of the following is an example of a valid MD5 hash?
329ef2841faba3928ae8d9b9c37862a1
How many primary partitions may exist on a disk with the FAT file system?
4
It is the third part of an EnCase evidence file and it needs to be combined with .Ex01 and .Ex02.
4 bytes
By default, how big are blocks of data during the acquisition of a hard drive?
64 sectors
What version of FAT is associated with floppy diskettes?
FAT12
Keyword searches can examine, which of the following?
File slack space Readable files Unallocated space
What is the benefit of the Ex01 file format vs. E01 file format?
-It supports encryption of the data. - Can use different compression algorithms.
What is the purpose of a DCO or HPA?
It's the place on the drive for vendors to store recovery, security, and registration information that are invisible to the BIOS.
A blank cluster is made up of 16 sectors and totals 8,192 bytes. If a file of 7,600 bytes is written to the cluster, how much space is RAM/sector slack and how much is file slack space?
RAM sector slack: 80 bytes; file slack space: 512 bytes
What type of bookmark is used when highlighting characters in the View Pane?
Sweeping bookmarks
Which of the items below contain non-volatile data?
Hard Drive