EnCE Study Guide
Which of the following would be a raw search hit for the "His" keyword? A. this B. His C. history D. [email protected] E. All of the above
E. Since the entry allows for characters to precede and follow the keyword and the default setting does not have the Case Sensitive option enabled, all the selections apply.
A byte consists of ___ bits.
C. A byte consists of 8 bits or two 4-bit nibbles, commonly referred to as the left nibble and right nibble.
Which of the following is not correct regarding EnCase 7 index searches? A. Before searching, the index must first be created using the Create Index EnScript. B. Before searching, the index must first be created using the EnCase Evidence Processor. C. All queries are case insensitive regardless of any switches or settings, because that is the nature of all indexed searches. D. By default, queries are case insensitive but can be configured to be case sensitive. E. A query for any word in the noise file will not return any items as all words in the noise file are ignored and excluded from the index.
A and C. An index is required before searching, but it is created by the EnCase Evidence Processor, not by an EnScript named Create Index. Queries are case insensitive by default but can be made case sensitive by preceding the term with <c>.
A bit can have a binary value of which of the following? A. 0 or 1 B. 0-9 C. 0-9 and A-F D. On or Off
A. Bi refers to two; therefore, a bit can have only two values, 0 or 1.
By selecting the Unicode box for a raw search, EnCase searches for both ASCII and Unicode formats. True or false?
A. True. By selecting the Unicode box, EnCase searches for the keyword in both its ASCII and its Unicode (UTF-16) form.
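The two questions above (substring hits for "His", and the Unicode box) describe the same raw search behaviour: a keyword is matched wherever its bytes occur, case insensitively unless Case Sensitive is set, and with Unicode enabled the UTF-16LE encoding of the keyword is searched as well. The following is an added example, not code from the study guide or from EnCase, that models that behaviour over a constructed byte buffer; the function names and the sample data are assumptions made for illustration.

```python
import re


def raw_search(data: bytes, keyword: str, unicode: bool = True,
               case_sensitive: bool = False):
    """Return (offset, encoding, matched_bytes) for every raw hit.

    Models the raw (non-indexed) keyword search described above:
      - the keyword may sit inside a longer run of characters,
      - matching is case insensitive unless case_sensitive is True,
      - with unicode=True the UTF-16LE form of the keyword is searched too.
    """
    encodings = ["ascii"] + (["utf-16-le"] if unicode else [])
    flags = 0 if case_sensitive else re.IGNORECASE
    hits = []
    for enc in encodings:
        needle = keyword.encode(enc)
        # re.escape keeps the NUL bytes of the UTF-16LE needle literal;
        # IGNORECASE on a bytes pattern folds only ASCII letters, which is
        # exactly what is wanted for interleaved "H\x00i\x00s\x00".
        pattern = re.compile(re.escape(needle), flags)
        for m in pattern.finditer(data):
            hits.append((m.start(), enc, m.group()))
    return sorted(hits)


# Constructed sample buffer (assumption for the example): ASCII "this",
# ASCII "History", then the keyword in lowercase UTF-16LE.
SAMPLE = b"this History " + "his".encode("utf-16-le") + b" end"


def count_hits(unicode: bool = True, case_sensitive: bool = False) -> int:
    return len(raw_search(SAMPLE, "His", unicode, case_sensitive))


if __name__ == "__main__":
    for off, enc, raw in raw_search(SAMPLE, "His"):
        print(f"offset {off:3d}  {enc:9s}  {raw!r}")
```

With the defaults (Unicode on, case insensitive) the buffer yields three hits: "this" at offset 1, "His" inside "History" at offset 5, and the UTF-16LE "his" at offset 13. Turning Unicode off drops the third; turning Case Sensitive on leaves only the hit inside "History".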
Which of the following will not be a search hit for the following GREP expression? [^#]123[ \-]45[ \-]6789[^#] A. A1234567890 B. A123 45-6789 C. A123-45-6789 D. A123 45 6789
A. In EnCase GREP, # stands for any digit, so [^#] means "any character that is not a digit": the character before the 1 and the character after the 9 must both be nondigits, and each [ \-] must be a space or a hyphen. A fails on both counts: no space or hyphen follows 123, and the digit 0 follows the 9. B, C, and D each have a space or hyphen in both positions and are hits.
Which of the following would be a search hit for the following index search expression? <c>Saddam npre/3 Hussein A. Saddam Alfonso Adolph Cano Hitler Hussein B. saddam alfonso adolph cano hitler hussein C. Saddam Alfonso Hussein Adolph Cano Hitler D. saddam alfonso hussein adolph cano hitler E. Hussein Hitler Cano Adolph Alfonso Saddam F. None of the above
A. The <c> at the start of the expression makes the search case sensitive, which eliminates B and D. The npre/3 operator requires that Saddam precede Hussein but not within three words of it, which eliminates C (only one word apart) and E (reversed order). Only A meets the whole query.
When the letter A is represented as 41h, it is displayed in which of the following?
A. Values expressed with the letter h as a suffix are hexadecimal characters. EnCase can display the letter A in text or hexadecimal formats.
By default, search terms are case sensitive. True or false?
B. False. By default, the Case Sensitive option is not selected; therefore, search terms are not case sensitive unless you select that option.
What is the decimal integer value for the binary code 0000-1001?
B. Reading the bits from the right, the "on" bits are in the positions with place values 1 and 8 (2^0 and 2^3), which total 9.
Which of the following would be a search hit for the following GREP expression? [\x00-\x07]\x00\x00\x00... A. 00 00 00 01 A0 EE F1 B. 06 00 00 00 A0 EE F1 C. 0A 00 00 00 A0 EE F1 D. 08 00 00 00 A0 EE F1
B. The expression requires a first byte in the hexadecimal range 00 through 07, followed by exactly the three bytes 00 00 00, followed by any three bytes (the three dots). Only B satisfies this. A begins with 00 but its fourth byte is 01 rather than 00; C begins with 0A and D begins with 08, both outside the 00-07 range.
Select all of the following that depict a Dword value. A. 0000 0001 B. 0001 C. FF 00 10 AF D. 0000 0000 0000 0000 0000 0000 0000 0001
C and D. A Dword is a 32-bit value. A is incorrect because it depicts 8 binary bits, or one byte. B is incorrect because it depicts 4 binary bits, or one nibble. C is correct because it shows four bytes in hexadecimal, each two hex digits or 8 bits (4 x 8 = 32 bits). D is correct because it shows 32 binary bits.
Which of the following are untrue with regard to the EnCase Evidence Processor? A. A device must be acquired first before processing or be acquired as a requisite first step within the EnCase Evidence Processor. B. A live device can be subjected to normal processing by the EnCase Evidence Processor and does not have to be acquired first. C. Items marked with red flags denote items that are not applicable to the file system being processed. D. Items marked with red flags denote items that must be run during the first or initial run of the EnCase Evidence Processor and can't be run in any subsequent run thereafter. E. A raw keyword search can be conducted during processing by the EnCase Evidence Processor.
B and C. A device must be an image or be acquired as the first step by the EnCase Evidence Processor; a live device cannot be subjected to normal processing until it has been acquired, so B is untrue. Red flags denote items that must be run during the first run of the processor, not items inapplicable to the file system, so C is untrue. If you don't run a red-flagged item on the first run, you can't run it later. It's now or never, so to speak.
Computers use a numbering system with only two digits, 0 and 1. This system is referred to as which of the following? A. Hexadecimal B. ASCII C. Binary D. FAT
C. Binary is a numbering system consisting of 0 and 1 used by computers to process information.
When performing a keyword search in Windows, EnCase searches which of the following? A. The logical files B. The physical disk in unallocated clusters and other unused disk areas C. Both A and B D. None of the above
C. EnCase performs a search not only of logical files but of the entire disk to include unallocated clusters and unused disk areas outside the logical partition.
Which of the following would be a search hit for the following GREP expression? [^a-z]Liz[^a-z] A. Elizabeth B. Lizzy C. Liz1 D. None of the above
C. Inside square brackets, the GREP symbol ^ negates the set, so [^a-z] matches any single character that is not a letter. Because the search is not case sensitive, uppercase letters are excluded too. The expression therefore requires a nonletter immediately before and after Liz: Elizabeth fails on the E before Liz, Lizzy fails on the z after it, and Liz1 is a hit because the 1 is not a letter.
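The three GREP questions above turn on the same few EnCase GREP constructs: # for a digit, \xHH for a byte in hex, . for any byte, and [^...] for a negated class. The following is an added example, not code from the study guide or from EnCase, that translates those constructs into a Python bytes regex and runs each expression against the answer options; the translator is deliberately limited to the constructs on this page, and the helper names, the padding byte, and the assumption that each candidate sits between two non-alphanumeric bytes on disk are assumptions made for illustration.

```python
import re


def encase_grep_to_regex(expr: str) -> bytes:
    """Translate an EnCase GREP expression to a Python bytes regex.

    Handled (the constructs used on this page):
      #                 any decimal digit (EnCase shorthand)
      \\xHH             a byte given in hex (passed through; re understands it)
      .                 any single byte (re.DOTALL is set by the caller)
      [...]  [^...]     character classes, with \\- for a literal hyphen
    Other metacharacters EnCase shares with ordinary regex (* + ? | ( ))
    are passed through unchanged.
    """
    out = []
    in_class = False
    i = 0
    while i < len(expr):
        ch = expr[i]
        if ch == "\\" and i + 1 < len(expr):
            # Keep escapes verbatim: \xHH consumes four characters, \- two.
            width = 4 if expr[i + 1] == "x" else 2
            out.append(expr[i:i + width])
            i += width
            continue
        if ch == "[":
            in_class = True
        elif ch == "]":
            in_class = False
        if ch == "#":
            out.append("0-9" if in_class else "[0-9]")
        else:
            out.append(ch)
        i += 1
    return "".join(out).encode("latin-1")


def grep_search(expr: str, data: bytes, case_sensitive: bool = False):
    """Return (offset, matched_bytes) for every hit of expr in data."""
    flags = re.DOTALL | (0 if case_sensitive else re.IGNORECASE)
    rx = re.compile(encase_grep_to_regex(expr), flags)
    return [(m.start(), m.group()) for m in rx.finditer(data)]


def is_hit(expr: str, candidate: bytes, pad: bytes = b" ") -> bool:
    """Test one answer option as it would sit in a data stream.

    Assumption: a non-digit, non-letter byte (a space here) precedes and
    follows the candidate, so leading/trailing [^#] or [^a-z] have
    something to match against.
    """
    return bool(grep_search(expr, pad + candidate + pad))


SSN_EXPR = r"[^#]123[ \-]45[ \-]6789[^#]"
HEADER_EXPR = r"[\x00-\x07]\x00\x00\x00..."
LIZ_EXPR = r"[^a-z]Liz[^a-z]"

# Answer options from the questions above, as raw bytes.
SSN_OPTIONS = [b"A1234567890", b"A123 45-6789", b"A123-45-6789", b"A123 45 6789"]
HEADER_OPTIONS = [bytes.fromhex(h) for h in
                  ("00000001A0EEF1", "06000000A0EEF1", "0A000000A0EEF1", "08000000A0EEF1")]
LIZ_OPTIONS = [b"Elizabeth", b"Lizzy", b"Liz1"]


def answer_table(expr: str, options):
    """Map each option letter (A, B, C, ...) to whether it is a hit."""
    return {chr(ord("A") + i): is_hit(expr, opt) for i, opt in enumerate(options)}


if __name__ == "__main__":
    for expr, opts in ((SSN_EXPR, SSN_OPTIONS), (HEADER_EXPR, HEADER_OPTIONS),
                       (LIZ_EXPR, LIZ_OPTIONS)):
        print(expr, "->", encase_grep_to_regex(expr).decode(), answer_table(expr, opts))
```

Running it reproduces the three answer keys: only A misses the SSN expression, only B matches the header expression, and only C matches the Liz expression. Note that the header expression must be compiled with DOTALL, otherwise the dots would refuse to match a 0x0A byte, which is exactly the kind of binary data a file-signature search is looking for.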
A sweep or highlight of a specific range of text is referred to as which of the following? A. Table view bookmark B. Single item bookmark C. Highlighted data bookmark D. Notable file bookmark E. Notes bookmark
C. The highlighted data bookmark is a sweep or highlight of a specific text fragment.
How many characters can be addressed by the 7-bit ASCII character table? 16-bit Unicode?
D. 2^7 is 2 multiplied by itself seven times, 2x2x2x2x2x2x2 = 128, so 7-bit ASCII addresses 128 characters; 2^16 is 2 multiplied by itself sixteen times = 65,536, so 16-bit Unicode addresses 65,536 characters.
If 1 bit can have two unique possibilities, 2 bits can have four unique possibilities, 3 bits can have eight unique possibilities. This is known as the power of 2. How many unique possibilities are there in 8 bits (2^8)?
D. 2^8 is 2x2 eight times, or 2x2x2x2x2x2x2x2=256.
With regard to a search using EnCase in the Windows environment, can EnCase find a word or phrase that is fragmented or spans noncontiguous clusters?
D. Yes. EnCase performs both physical searches of the disk and logical searches of files, and a logical search follows the file's cluster chain, so it can find a keyword that spans noncontiguous clusters.
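The point of the last answer is that a purely physical search of the disk misses a keyword whose bytes are split across two clusters that are not adjacent on disk, while a logical search that reassembles the file's cluster chain finds it. The following is an added example, not code from the study guide or from EnCase, that builds a toy disk image with an 8-byte cluster size, writes one file across a fragmented chain, and runs both kinds of search over it; the cluster size, the chain, and the file content are constructed for the example.

```python
CLUSTER = 8  # bytes per cluster (toy geometry chosen for the example)


def build_disk(n_clusters: int, fill: bytes = b".") -> bytearray:
    """An empty disk image filled with a recognisable filler byte."""
    return bytearray(fill * (CLUSTER * n_clusters))


def write_file(disk: bytearray, chain: list, content: bytes) -> None:
    """Write content into the clusters listed in chain, in file order.

    chain is the file system's allocation chain: the i-th cluster in the
    list holds the i-th CLUSTER-sized piece of the file.
    """
    assert len(content) <= CLUSTER * len(chain), "chain too short for content"
    for i, cl in enumerate(chain):
        piece = content[i * CLUSTER:(i + 1) * CLUSTER]
        disk[cl * CLUSTER:cl * CLUSTER + len(piece)] = piece


def physical_search(disk: bytearray, keyword: bytes) -> int:
    """Scan the raw image start to end; -1 when the keyword is not found."""
    return bytes(disk).find(keyword)


def logical_search(disk: bytearray, chain: list, keyword: bytes) -> int:
    """Reassemble the file from its cluster chain, then search the file."""
    logical = b"".join(bytes(disk[cl * CLUSTER:(cl + 1) * CLUSTER]) for cl in chain)
    return logical.find(keyword)


# Constructed sample: "EnCase" straddles the boundary between the file's
# first and second clusters ("find EnC" | "ase here").
CONTENT = b"find EnCase here"
KEYWORD = b"EnCase"
FRAGMENTED_CHAIN = [1, 5]   # second cluster is not adjacent to the first
CONTIGUOUS_CHAIN = [1, 2]


def run(chain: list) -> dict:
    """Return both search results for a file written along chain."""
    disk = build_disk(n_clusters=8)
    write_file(disk, chain, CONTENT)
    return {"physical": physical_search(disk, KEYWORD),
            "logical": logical_search(disk, chain, KEYWORD)}


if __name__ == "__main__":
    print("fragmented:", run(FRAGMENTED_CHAIN))
    print("contiguous:", run(CONTIGUOUS_CHAIN))
```

For the fragmented chain the physical search returns -1 while the logical search reports the keyword at file offset 5; for the contiguous chain both find it (the physical hit lands at disk offset 13, inside cluster 1). This is why a tool that only carves the raw device can miss evidence that a file-system-aware search recovers, and why unallocated space still needs the physical pass, since no chain exists for it.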