The Official EnCE: EnCase Certified Examiner Study Guide, Second Edition, Chapter 8 Review Questions


A file header is which of the following?

A file header identifies the type of file and is located in the beginning of the file's data.

A hash ___ is comprised of hash ___, which are comprised of hash ___.

A hash library is comprised of hash sets, which are comprised of hash values.

When running a signature analysis, EnCase will do which of the following?

A signature analysis will compare a file's header or signature to its file extension.

Can a file with a unique header share multiple file extensions?

A unique file header can share multiple file extensions. An example of such a case is a .JPEG or .JPG file, which shares the same file header \xFF\xD8\xFF[\xFF\xE0\xE1].

A user can manually add new file headers and extensions by doing which of the following?

A user can manually add new file headers and extensions by accessing the File Signature views and creating a new header and extension in the appropriate folder.

Select the correct answer that completes the following statement: An MD5 has ___ .

An MD5 hash is a 128-bit hash value, and the odds of two different files having the same value are one in 2^128. A file's MD5 hash value is based on the file's data area, not its file name, which resides outside the data area.

EnCase can create a hash value for the following:

EnCase can calculate hash values for any of the options listed.

What portion of an evidence file does EnCase analyze during the verification process to yield an MD5 hash value?

EnCase will analyze the data area of an evidence file only during the verification process.

With regard to hash categories, evidentiary files or files of interest are categorized as which of the following?

Evidentiary files or files of interest are categorized as Notable.

Information regarding a file's header information and extension is saved by EnCase in the ___ file.

Information about a file's header and extension is saved in the FileSignature.ini file.

Will changing a file's name affect the file's MD5 hash value?

Merely changing a file's name will not affect its MD5 hash value because the hash value is based on the file's data, not its file name.

An MD5 hash of a specific media generated by EnCase will yield the same hash value as an independent third-party MD5 hashing utility.

Regardless of the MD5 hashing utility, the hash value generated will have the same result, because the MD5 hash is an industry-standard algorithm.

The Windows operating system uses a file name's ___ to associate files with the proper applications.

The Windows operating system uses a file's extension to associate the file with the proper application.

Usually a hash value found in a hash set named Windows XP Home Edition would be reported in the Hash Category column as which of the following?

These hash sets have been procured from known safe sources and are categorized as Known. In most cases they are nonevidentiary and can be ignored when conducting searches and other analyses.

Unix (including Linux) operating systems use a file's ___ to associate file types to specific applications.

Unix (including Linux) operating systems use a file's header information to associate file types to specific applications.

When a file's signature is unknown and a valid file extension exists, EnCase will display the following result after a signature analysis is performed:

When a file signature is unknown and a valid extension is present, EnCase will display the status as being !Bad Signature.

When a file's signature and extension are not recognized, EnCase will display the following result after a signature analysis is performed:

When a file's signature and extension are not recognized, EnCase will display the result as unknown.

When a file's signature is known and the file extension matches, EnCase will display the following result after a signature analysis is performed:

When a file's signature is known and an accurate file extension is present, EnCase will display the result as a match.

When a file's signature is known and the file extension does not match, EnCase will display the following result after a signature analysis is performed:

When a file's signature is known and an inaccurate file extension is present, EnCase reports the alias in the File Signature column and may update the File Category column.

The Mac OS X operating system uses which of the following file information to associate a file to a specific application?

When determining which application to use to open a file, Mac OS X gives first precedence to user-defined settings, second preference to creator code metadata, and third precedence to file name extensions. If none of these are present, other rules come into play.
