ENCE North America Questions + Answers

Post by answerhappygod »

Question 1 ( Topic 0 )
When an EnCase user double-clicks on a file within EnCase, what determines the action that will result? Select all that apply.
A. The settings in the case file.
B. The settings in the FileTypes.ini file.
C. The setting in the evidence file.


Answer : B

Question 2 ( Topic 0 )
Search results are found in which of the following files? Select all that apply.
A. The evidence file
B. The configuration Searches.ini file
C. The case file


Answer : C

Question 3 ( Topic 0 )
If cluster #3552 entry in the FAT table contains a value of ?? this would mean:
A. The cluster is unallocated
B. The cluster is the end of a file
C. The cluster is allocated
D. The cluster is marked bad


Answer : A

Question 4 ( Topic 0 )
The following GREP expression was typed in exactly as shown. Choose the answer(s) that would result. Bob@ [a-z]+.com
A. Bob@New zealand.com
B. [email protected]
C. [email protected]
D. [email protected]


Answer : C

Question 5 ( Topic 0 )
You are an investigator and have encountered a computer that is running at the home of a suspect. The computer does not appear to be a part of a network. The operating system is Windows XP Home. No programs are visibly running. You should:
A. Pull the plug from the back of the computer.
B. Turn it off with the power button.
C. Pull the plug from the wall.
D. Shut it down with the start menu.


Answer : A


Question 6 ( Topic 0 )
A physical file size is:
A. The total size in sectors of an allocated file.
B. The total size of all the clusters used by the file measured in bytes.
C. The total size in bytes of a logical file.
D. The total size of the file including the ram slack in bytes.


Answer : B

Question 7 ( Topic 0 )
In Unicode, one printed character is composed of ____ bytes of data.
A. 8
B. 4
C. 2
D. 1


Answer : C

Question 8 ( Topic 0 )
If cluster number 10 in the FAT contains the number 55, this means:
A. That cluster 10 is used and the file continues in cluster number 55.
B. That the file starts in cluster number 55 and continues to cluster number 10.
C. That there is a cross-linked file.
D. The cluster number 55 is the end of an allocated file.


Answer : A

Question 9 ( Topic 0 )
How are the results of a signature analysis examined?
A. By sorting on the category column in the Table view.
B. By sorting on the signature column in the Table view.
C. By sorting on the hash sets column in the Table view.
D. By sorting on the hash library column in the Table view.


Answer : B

Question 10 ( Topic 0 )
The acronym ASCII stands for:
A. American Standard Communication Information Index
B. American Standard Code for Information Interchange
C. Accepted Standard Code for Information Interchange
D. Accepted Standard Communication Information Index


Answer : B


Question 11 ( Topic 0 )
The default export folder remains the same for all cases.
A. True
B. False


Answer : B

Question 12 ( Topic 0 )
The EnCase default export folder is:
A. A case-specific setting that cannot be changed.
B. A case-specific setting that can be changed.
C. A global setting that can be changed.
D. A global setting that cannot be changed.


Answer : B

Question 13 ( Topic 0 )
Hash libraries are commonly used to:
A. Compare a file header to a file extension.
B. Identify files that are already known to the user.
C. Compare one hash set with another hash set.
D. Verify the evidence file.


Answer : B

Question 14 ( Topic 0 )
Which is the proper formula for determining the size in bytes of a hard drive that uses cylinders (C), heads (H), and sectors (S) geometry?
A. C X H + S
B. C X H X S + 512
C. C X H X S X 512
D. C X H X S


Answer : C

Question 15 ( Topic 0 )
Within EnCase, clicking on Save on the toolbar affects what file(s)?
A. All of the above
B. The evidence files
C. The open case file
D. The configuration .ini files


Answer : C


Question 16 ( Topic 0 )
EnCase uses the _________________ to conduct a signature analysis.
A. Both a and b
B. file signature table
C. hash library
D. file Viewers


Answer : B

Question 17 ( Topic 0 )
EnCase is able to read and examine which of the following file systems?
A. NTFS
B. EXT3
C. FAT
D. HFS


Answer : A,B,C,D

Question 18 ( Topic 0 )
ROM is an acronym for:
A. Read Open Memory
B. Random Open Memory
C. Read Only Memory
D. Relative Open Memory


Answer : C

Question 19 ( Topic 0 )
If a floppy diskette is in the ?drive, the computer will always boot to that drive before any other device.
A. False
B. True


Answer : A

Question 20 ( Topic 0 )
A standard Windows 98 boot disk is acceptable for booting a suspect drive.
A. True
B. False


Answer : A


Question 21 ( Topic 0 )
Search terms are case sensitive by default.
A. False
B. True


Answer : A

Question 22 ( Topic 0 )
The following GREP expression was typed in exactly as shown. Choose the answer(s) that would result. Jan 1st, 2?0?00
A. Jan 1st , 1900
B. Jan 1st , 2100
C. Jan 1st , 2001
D. Jan 1st , 2000


Answer : D

Question 23 ( Topic 0 )
An evidence file can be moved to another directory without changing the file verification.
A. False
B. True


Answer : B

Question 24 ( Topic 0 )
Pressing the power button on a computer that is running could have which of the following results?
A. The computer will instantly shut off.
B. The computer will go into stand-by mode.
C. Nothing will happen.
D. All of the above could happen.
E. The operating system will shut down normally.


Answer : D

Question 25 ( Topic 0 )
How does EnCase verify that the evidence file contains an exact copy of the suspect's hard drive?
A. By means of a CRC value of the suspect's hard drive compared to a CRC value of the data stored in the evidence file.
B. By means of an MD5 hash of the suspect's hard drive compared to an MD5 hash of the data stored in the evidence file.
C. By means of a CRC value of the evidence file itself.
D. By means of an MD5 hash value of the evidence file itself.


Answer : B


Question 26 ( Topic 0 )
By default, EnCase will display the data from the end of a logical file, to the end of the cluster, in what color:
A. Red
B. Red on black
C. Black on red
D. Black


Answer : A

Question 27 ( Topic 0 )
A SCSI drive is pinned as a master when it is:
A. The only drive on the computer.
B. The primary of two drives connected to one cable.
C. Whenever another drive is on the same cable and is pinned as a slave.
D. A SCSI drive is not pinned as a master.


Answer : D

Question 28 ( Topic 0 )
The following GREP expression was typed in exactly as shown. Choose the answer(s) that would result. [^a-z] Tom[^a-z]
A. Tomato
B. om? ? RP
C. Toms
D. Stomp


Answer : B

Question 29 ( Topic 0 )
This question addresses the EnCase for Windows search process. If a target word is within a logical file, and it begins in cluster 10 and ends in cluster 15 (the word is fragmented), the search:
A. Will not find it unless File slack is checked on the search dialog box.
B. Will find it because EnCase performs a logical search.
C. Will not find it because EnCase performs a physical search only.
D. Will not find it because the letters of the keyword are not contiguous.


Answer : B

Question 30 ( Topic 0 )
An evidence file was archived onto five CD-ROM disks with the third file segment on disk number three. Can the contents of the third file segment be verified by itself while still on the CD?
A. No. Archived files are compressed and cannot be verified until un-archived.
B. No. All file segments must be put back together.
C. Yes. Any segment of an evidence file can be verified through re-computing and comparing the CRCs, even if it is on a CD.
D. No. EnCase cannot verify files on CDs.


Answer : C


Question 31 ( Topic 0 )
The case file should be archived with the evidence files at the termination of a case.
A. True
B. False


Answer : A

Question 32 ( Topic 0 )
A signature analysis has been run on a case. The result "Bad Signature" means:
A. The file signature is known and does not match a known file header.
B. The file signature is known and the file extension is known.
C. The file signature is known and does not match a known file extension.
D. The file signature is unknown and the file extension is known.


Answer : D

Question 33 ( Topic 0 )
A standard DOS 6.22 boot disk is acceptable for booting a suspect drive.
A. True
B. False


Answer : A

Question 34 ( Topic 0 )
When can an evidence file containing an NTFS partition be logically restored to a FAT 32 partition?
A. Never
B. When the FAT 32 has the same number of sectors / clusters.
C. When the FAT 32 is the same size or bigger.
D. Both a and b


Answer : A

Question 35 ( Topic 0 )
Which of the following selections would be used to keep track of a fragmented file in the FAT file system?
A. The directory entry for the fragmented file
B. The partition table of extents
C. The File Allocation Table
D. All of the above


Answer : C


Question 36 ( Topic 0 )
What files are reconfigured or deleted by EnCase during the creation of an EnCase boot disk?
A. command.com
B. autoexec.bat
C. drvspace.bin
D. io.sys


Answer : A,C,D

Question 37 ( Topic 0 )
A signature analysis has been run on a case. The result "*JPEG" in the signature column means:
A. The file signature is unknown and the header is a JPEG.
B. The file signature is a JPEG signature and the file extension is incorrect.
C. The file signature is unknown and the file extension is JPEG.
D. None of the above.


Answer : B

Question 38 ( Topic 0 )
The following GREP expression was typed in exactly as shown. Choose the answer(s) that would result.[\x00-\x05]\x00\x00?>[?[@?[?[?[
A. FF 0000 00 00 FF BA
B. 0000 00 01 FF FF BA
C. 04 06 0000 00 FF FF BA
D. 04 0000 00 FF FF BA


Answer : D

Question 39 ( Topic 0 )
Which of the following items could contain digital evidence?
A. Credit card readers
B. Personal assistant devices
C. Cellular phones
D. Digital cameras


Answer : A,B,C,D

Question 40 ( Topic 0 )
What information in a FAT file system directory entry refers to the location of a file on the hard drive?
A. The file size
B. The file attributes
C. The starting cluster
D. The fragmentation settings


Answer : C