Question # 4

EnCase marks a file as overwritten when _____________ has been allocated to another file.

A. any part of the file
B. all of the file
C. the starting cluster of the file
D. the directory entry for the file

Question # 5

How does EnCase verify that the case information (Case Number, Evidence Number, Investigator Name, etc.) in an evidence file has not been damaged or changed after the evidence file has been written?

A. The .case file writes a CRC value for the case information and verifies it when the case is opened.
B. EnCase does not verify the case information, and case information can be changed by the user as it becomes necessary.
C. EnCase writes a CRC value of the case information and verifies the CRC value when the evidence is added to a case.
D. EnCase writes an MD5 hash value for the entire evidence file, which includes the case information, and verifies the MD5 hash when the evidence is added to a case.

Question # 6

A hard drive has 8 sectors per cluster. File Mystuff.doc has a logical file size of 13,000 bytes. How many clusters will be used by Mystuff.doc?

A. 1
B. 2
C. 3
D. 4

Question # 7

A logical file would be best described as:

A. The data from the beginning of the starting cluster to the length of the file.
B. The data taken from the starting cluster to the end of the last cluster that is occupied by the file.
C. A file including any RAM and disk slack.
D. A file including only RAM slack.

Question # 8

What are the EnCase configuration .ini files used for?

A. Storing information that is specific to a particular case.
B. Storing information that will be available to EnCase each time it is opened, regardless of the active case(s).
C. Storing pointers to acquired evidence.
D. Storing the results of a signature analysis.

Question # 9

Within EnCase, what is the purpose of the default export folder?

A. This is the folder that will automatically store an evidence file when the acquisition is made in DOS.
B. This is the folder that temporarily stores all bookmark and search results.
C. This is the folder used to hold copies of files that are sent to external viewers.
D. This is the folder that will be automatically selected when the copy/unerase feature is used.

Question # 10

To undelete a file in the FAT file system, EnCase obtains the starting extent from the:

A. FAT
B. File header
C. Operating system
D. Directory entry

Question # 11

A hard drive was imaged using EnCase. The original drive was placed into evidence. The restore feature was used to make a copy of the original hard drive. EnCase verifies the restored copy using:

A. An MD5 hash
B. A 32-bit CRC
C. A running log
D. Nothing. Restored volumes are not verified.

Question # 12

Bookmarks are stored in which of the following files?

A. The case file
B. The configuration Bookmarks.ini file
C. The evidence file
D. All of the above

Question # 13

RAM is tested during which phase of the power-up sequence?

A. Pre-POST
B. During POST
C. After POST
D. None of the above.

Question # 14

The following keyword was typed in exactly as shown. Choose the answer(s) that would result. All search criteria have default settings.

Tom Jones

A. Tom
B. Jones
C. Tom Jones
D. tom jones

Question # 15

A sector on a floppy disk is the same size as a sector on an NTFS-formatted hard drive.

A. True
B. False

Question # 16

What files are reconfigured or deleted by EnCase during the creation of an EnCase boot disk?

A. command.com
B. io.sys
C. drvspace.bin
D. autoexec.bat

Question # 17

A hash library would most accurately be described as:

A. A file containing hash values from one or more selected hash sets.
B. A master table of file headers and extensions.
C. A list of all the MD5 hash values used to verify the evidence files.
D. Both A and B.

Question # 18

The first sector on a volume is called the:

A. Volume boot device
B. Master boot record
C. Master file table
D. Volume boot sector or record

Question # 19

Hash libraries are commonly used to:

A. Identify files that are already known to the user.
B. Compare one hash set with another hash set.
C. Verify the evidence file.
D. Compare a file header to a file extension.

Question # 20

You are assigned to assist with the search and seizure of several computers. The magistrate ordered that the computers cannot be seized unless they are found to contain any one of ten previously identified images. You currently have the ten images in JPG format. Using the EnCase methodology, how would you best handle this situation?

A. Use an EnCase DOS boot disk to conduct a text search for child porn.
B. Use FastBloc or a network/parallel port cable to acquire forensic images of the hard drives, then search the evidence files for the previously identified images.
C. Use FastBloc or a network/parallel port cable to preview the hard drives. Go to the Gallery view and search for the previously identified images.
D. Use FastBloc or a network/parallel port cable to preview the hard drives. Conduct a hash analysis of the files on the hard drives, using a hash library containing the hash values of the previously identified images.

Question # 21

How are the results of a signature analysis examined?

A. By sorting on the signature column in the table view.
B. By sorting on the hash library column in the table view.
C. By sorting on the hash sets column in the table view.
D. By sorting on the category column in the table view.

Question # 22

GREP terms are automatically recognized as GREP by EnCase.

A. True
B. False

Question # 23

You are examining a hard drive that has Windows XP installed as the operating system. You see a file that has a date and time in the deleted column. Where does that date and time come from?

A. Inode Table
B. Info2 file
C. Directory Entry
D. Master File Table

Question # 24

In Windows, the file MyNote.txt is deleted from the C drive and is automatically sent to the Recycle Bin. The long filename was MyNote.txt and the short filename was MYNOTE.TXT. When viewing the Recycle Bin with EnCase, how will the long filename and short filename appear?

A. MyNote.del, DC0.del
B. MyNote.txt, CD0.txt
C. MyNote.txt, DC0.txt
D. MyNote.del, DC1.del

Question # 25

The EnCase evidence file is best described as:

A. A clone of the source hard drive.
B. A sector-by-sector copy of the source hard drive written to the corresponding sectors of the target hard drive.
C. A bit stream image of the source hard drive written to the corresponding sectors of the target hard drive.
D. A bit stream image of the source hard drive written to a file, or several file segments.

Question # 26

This question addresses the EnCase for Windows search process. If a target word is within a logical file, and it begins in cluster 10 and ends in cluster 15 (the word is fragmented), the search:

A. Will not find it because the letters of the keyword are not contiguous.
B. Will not find it unless File slack is checked on the search dialog box.
C. Will find it because EnCase performs a logical search.
D. Will not find it because EnCase performs a physical search only.