Question # 4

An Enhanced Metafile would best be described as:

A. A compressed zip file.

B. A graphics file attached to an e-mail message.

C. A compound e-mail attachment.

D. A file format used in the printing process by Windows.

Question # 5

When can an evidence file containing an NTFS partition be logically restored to a FAT 32 partition?

A. Never

B. When the FAT 32 has the same number of sectors / clusters.

C. When the FAT 32 is the same size or bigger.

D. Both a and b

Question # 6

The EnCase methodology dictates that the lab drive for evidence have a __________ prior to making an image.

A. FAT 16 partition

B. NTFS partition

C. unique volume label

D. bare, unused partition

Question # 7

A file extension and signature can be manually added by:

A. Using the new library feature under hash libraries.

B. Right-clicking on a file and selecting dd.?

C. Using the new set feature under hash sets.

D. Using the new file signature feature under file signatures.

Question # 8

All investigators using EnCase should run tests on the evidence file acquisition and verification process to:

A. Ensure that the investigator is using the proper method of acquisition.

B. All of the above.

C. Further the investigator's understanding of the evidence file.

D. Give more weight to the investigator's testimony in court.

Question # 9

The BIOS chip on an IBM clone computer is most commonly located on:

A. The RAM chip

B. The controller card

C. The motherboard

D. The microprocessor

Question # 10

To undelete a file in the FAT file system, EnCase obtains the starting extent from the:

A. Directory entry

B. FAT

C. Operating system

D. File header

Question # 11

A signature analysis has been run on a case. The result "Bad Signature" means:

A. The file signature is known and does not match a known file header.

B. The file signature is known and the file extension is known.

C. The file signature is known and does not match a known file extension.

D. The file signature is unknown and the file extension is known.

Question # 12

A sector on a hard drive contains how many bytes?

A. 2048

B. 4096

C. 1024

D. 512

Question # 13

EnCase marks a file as overwritten when _____________ has been allocated to another file.

A. all of the file

B. the starting cluster of the file

C. the directory entry for the file

D. any part of the file

Question # 14

Which of the following selections is NOT found in the case file?

A. External viewers

B. Pointers to evidence files

C. Signature analysis results

D. Search results

Question # 15

This question addresses the EnCase for Windows search process. If a target word is within a logical file, and it begins in cluster 10 and ends in cluster 15 (the word is fragmented), the search:

A. Will not find it unless file slack is checked on the search dialog box.

B. Will find it because EnCase performs a logical search.

C. Will not find it because EnCase performs a physical search only.

D. Will not find it because the letters of the keyword are not contiguous.

Question # 16

The following GREP expression was typed in exactly as shown. Choose the answer(s) that would result. Jan 1st, 2?0?00

A. Jan 1st , 1900

B. Jan 1st , 2100

C. Jan 1st , 2001

D. Jan 1st , 2000

Question # 17

EnCase can build a hash set of a selected group of files.

A. True

B. False

Question # 18

If cases are worked on a lab drive in a secure room, without any cleaning of the contents of the drive, which of the following areas would be of most concern?

A. There is no concern

B. Cross-contamination

C. Chain-of-custody

D. Storage

Question # 19

Select the appropriate name for the highlighted area of the binary numbers.

A. Word

B. Dword

C. Byte

D. Nibble

E. Bit

Question # 20

The EnCase default export folder is:

A. A case-specific setting that cannot be changed.

B. A case-specific setting that can be changed.

C. A global setting that can be changed.

D. A global setting that cannot be changed.

Question # 21

An evidence file was archived onto five CD-ROM disks with the third file segment on disk number three. Can the contents of the third file segment be verified by itself while still on the CD?

A. No. Archived files are compressed and cannot be verified until un-archived.

B. No. All file segments must be put back together.

C. Yes. Any segment of an evidence file can be verified through re-computing and comparing the CRCs, even if it is on a CD.

D. No. EnCase cannot verify files on CDs.

Question # 22

Select the appropriate name for the highlighted area of the binary numbers.

A. Word

B. Byte

C. Bit

D. Nibble

E. Dword

Question # 23

Two allocated files can occupy one cluster, as long as they can both fit within the allotted number of bytes.

A. True

B. False

Question # 24

What information should be obtained from the BIOS during computer forensic investigations?

A. The video caching information

B. The date and time

C. The port assigned to the serial port

D. The boot sequence

Question # 25

To generate an MD5 hash value for a file, EnCase:

A. Computes the hash value including the logical file and filename.

B. Computes the hash value including the physical file and filename.

C. Computes the hash value based on the logical file.

D. Computes the hash value based on the physical file.

Question # 26

Within EnCase, clicking on Save on the toolbar affects what file(s)?

A. All of the above

B. The evidence files

C. The open case file

D. The configuration .ini files
