Term
When an EnCase user double-clicks on a file within EnCase, what determines the action that will result?
A. The settings in the case file.
B. The settings in the FileTypes.ini file.
C. The setting in the evidence file. |
|
Definition
B. The settings in the FileTypes.ini file |
|
|
Term
Search results are found in which of the following files?
Select all that apply.
A. The evidence file
B. The configuration Searches.ini file
C. The case file |
|
Definition
|
|
Term
If cluster #3552 entry in the FAT table contains a value of ?? this would mean:
A. The cluster is unallocated
B. The cluster is the end of a file
C. The cluster is allocated
D. The cluster is marked bad |
|
Definition
A. The cluster is unallocated |
|
|
Term
The following GREP expression was typed in exactly as shown. Choose the answer(s) that would result. Bob@[a-z]+.com
A. Bob@New zealand.com
B. Bob@My-Email.com
C. Bob@America.com
D. Bob@a-z.com |
|
Definition
|
|
Term
You are an investigator and have encountered a computer that is running at the home of a suspect. The computer does not appear to be a part of a network. The operating system is Windows XP Home. No programs are visibly running. You should:
A. Pull the plug from the back of the computer.
B. Turn it off with the power button.
C. Pull the plug from the wall.
D. Shut it down with the start menu. |
|
Definition
A. Pull the plug from the back of the computer. |
|
|
Term
A physical file size is:
A. The total size in sectors of an allocated file.
B. The total size of all the clusters used by the file measured in bytes.
C. The total size in bytes of a logical file.
D. The total size of the file including the ram slack in bytes. |
|
Definition
B. The total size of all the clusters used by the file |
|
|
Term
In Unicode, one printed character is composed of ____ bytes of data.
A. 8
B. 4
C. 2
D. 1 |
|
Definition
|
|
Term
If cluster number 10 in the FAT contains the number 55, this means:
A. That cluster 10 is used and the file continues in cluster number 55.
B. That the file starts in cluster number 55 and continues to cluster number 10.
C. That there is a cross-linked file.
D. The cluster number 55 is the end of an allocated file. |
|
Definition
A. That cluster 10 is used and the file continues in cluster number 55. |
|
|
Term
How are the results of a signature analysis examined?
A. By sorting on the category column in the Table view.
B. By sorting on the signature column in the Table view.
C. By sorting on the hash sets column in the Table view.
D. By sorting on the hash library column in the Table view. |
|
Definition
B. By sorting on the signature column in the Table view. |
|
|
Term
The acronym ASCII stands for:
A. American Standard Communication Information Index
B. American Standard Code for Information Interchange
C. Accepted Standard Code for Information Interchange
D. Accepted Standard Communication Information Index |
|
Definition
B. American Standard Code for Information Interchange |
|
|
Term
The default export folder remains the same for all cases.
A. True
B. False |
|
Definition
|
|
Term
The EnCase default export folder is:
A. A case-specific setting that cannot be changed.
B. A case-specific setting that can be changed.
C. A global setting that can be changed.
D. A global setting that cannot be changed. |
|
Definition
B. A case-specific setting that can be changed. |
|
|
Term
Hash libraries are commonly used to:
A. Compare a file header to a file extension.
B. Identify files that are already known to the user.
C. Compare one hash set with another hash set.
D. Verify the evidence file. |
|
Definition
B. Identify files that are already known to the user. |
|
|
Term
Which is the proper formula for determining the size in bytes of a hard drive that uses cylinders (C), heads (H), and sectors (S) geometry?
A. C X H + S
B. C X H X S + 512
C. C X H X S X 512
D. C X H X S |
|
Definition
|
|
Term
Within EnCase, clicking on Save on the toolbar affects what file(s)?
A. All of the above
B. The evidence files
C. The open case file
D. The configuration .ini files |
|
Definition
|
|
Term
EnCase uses the _________________ to conduct a signature analysis.
A. Both a and b
B. file signature table
C. hash library
D. file Viewers |
|
Definition
|
|
Term
EnCase is able to read and examine which of the following file systems?
A. NTFS
B. EXT3
C. FAT
D. HFS |
|
Definition
A. NTFS
B. EXT3
C. FAT
D. HFS |
|
|
Term
ROM is an acronym for:
A. Read Open Memory
B. Random Open Memory
C. Read Only Memory
D. Relative Open Memory |
|
Definition
|
|
Term
If a floppy diskette is in the drive, the computer will always boot to that drive before any other device.
A. False
B. True |
|
Definition
|
|
Term
A standard Windows 98 boot disk is acceptable for booting a suspect drive.
A. True
B. False |
|
Definition
|
|
Term
Search terms are case sensitive by default.
A. False
B. True |
|
Definition
|
|
Term
The following GREP expression was typed in exactly as shown. Choose the answer(s) that would result. Jan 1st , 2?0?00
A. Jan 1st , 1900
B. Jan 1st , 2100
C. Jan 1st , 2001
D. Jan 1st , 2000 |
|
Definition
|
|
Term
An evidence file can be moved to another directory without changing the file verification.
A. False
B. True |
|
Definition
|
|
Term
Pressing the power button on a computer that is running could have which of the following results?
A. The computer will instantly shut off.
B. The computer will go into stand-by mode.
C. Nothing will happen.
D. All of the above could happen.
E. The operating system will shut down normally. |
|
Definition
D. All of the above could happen. |
|
|
Term
How does EnCase verify that the evidence file contains an exact copy of the suspect's hard drive?
A. By means of a CRC value of the suspect's hard drive compared to a CRC value of the data stored in the evidence file.
B. By means of an MD5 hash of the suspect's hard drive compared to an MD5 hash of the data stored in the evidence file.
C. By means of a CRC value of the evidence file itself.
D. By means of an MD5 hash value of the evidence file itself. |
|
Definition
B. By means of an MD5 hash of the suspect's hard drive compared to an MD5 hash of the data stored in the evidence file. |
|
|
Term
By default, EnCase will display the data from the end of a logical file, to the end of the cluster, in what color:
A. Red
B. Red on black
C. Black on red
D. Black |
|
Definition
|
|
Term
A SCSI drive is pinned as a master when it is:
A. The only drive on the computer.
B. The primary of two drives connected to one cable.
C. Whenever another drive is on the same cable and is pinned as a slave.
D. A SCSI drive is not pinned as a master. |
|
Definition
D. A SCSI drive is not pinned as a master. |
|
|
Term
The following GREP expression was typed in exactly as shown. Choose the answer(s) that would result. [^a-z]Tom[^a-z]
A. Tomato
B. om? ? RP
C. Toms
D. Stomp |
|
Definition
|
|
Term
This question addresses the EnCase for Windows search process. If a target word is within a logical file, and it begins in cluster 10 and ends in cluster 15 (the word is fragmented), the search:
A. Will not find it unless file slack is checked on the search dialog box.
B. Will find it because EnCase performs a logical search.
C. Will not find it because EnCase performs a physical search only.
D. Will not find it because the letters of the keyword are not contiguous. |
|
Definition
B. Will find it because EnCase performs a logical search. |
|
|
Term
An evidence file was archived onto five CD-Rom disks with the third file segment on disk number three. Can the contents of the third file segment be verified by itself while still on the CD?
A. No. Archived files are compressed and cannot be verified until un-archived.
B. No. All file segments must be put back together.
C. Yes. Any segment of an evidence file can be verified through re-computing and comparing the CRCs, even if it is on a CD.
D. No. EnCase cannot verify files on CDs. |
|
Definition
C. Yes. Any segment of an evidence file can be verified through re-computing and comparing the CRCs, even if it is on a CD. |
|
|
Term
You are a computer forensic examiner tasked with determining what evidence is on a seized computer. On what part of the computer system will you find data of evidentiary value?
A. Microprocessor or CPU
B. USB controller
C. Hard drive
D. PCI expansion slots |
|
Definition
|
|
Term
You are a computer forensic examiner explaining how computers store and access the data you recovered as evidence during your examination. The evidence was a log file and was recovered as an artifact of user activity on the ____________, which was stored on the _____________, contained within a ____________ on the media.
A. partition, operating system, file system
B. operating system, file system, partition
C. file system, operating system, hard drive
D. operating system, partition, file system |
|
Definition
B. operating system, file system, partition |
|
|
Term
You are a computer forensic examiner investigating a seized computer. You recovered a document containing potential evidence. EnCase reports the file system on the forensic image of the hard drive is FAT (File Allocation Table). What information about the document file can be found in the FAT on the media? (Choose all that apply.)
A. Name of the file
B. Date and time stamps of the file
C. Starting cluster of the file
D. Fragmentation of the file
E. Ownership of the file |
|
Definition
C. Starting cluster of the file
D. Fragmentation of the file |
|
|
Term
You are a computer forensic examiner investigating media on a seized computer. You recovered a document containing potential evidence. EnCase reports the file system on the forensic image of the hard drive is NTFS (New Technology File System). What information about the document file can be found in the NTFS master file table on the media? (Choose all that apply.)
A. Name of the file
B. Date and time stamps of the file
C. Starting cluster of the file
D. Fragmentation of the file
E. Ownership of the file |
|
Definition
A. Name of the file
B. Date and time stamps of the file
C. Starting cluster of the file
D. Fragmentation of the file
E. Ownership of the file |
|
|
Term
You are preparing to lead a team to serve a search warrant on a business suspected of committing large-scale consumer fraud. Ideally, which tasks would you assign to search team members? (Choose all that apply.)
A. Photographer
B. Search and seizure specialists
C. Recorder
D. Digital evidence search and seizure specialists |
|
Definition
A. Photographer
B. Search and seizure specialists
C. Recorder
D. Digital evidence search and seizure specialists |
|
|
Term
You are a computer forensic examiner at a scene and have determined you will seize a Linux server, which according to your source of information contains the database records for the company under investigation for fraud. What is the best practice for “taking down” the server for collection?
A. Photograph the screen and note any running programs or messages, and so on, and use the normal shutdown procedure.
B. Photograph the screen and note any running programs or messages, and so on, and pull the plug from the wall.
C. Photograph the screen and note any running programs or messages, and so on, and pull the plug from the rear of the computer.
D. Photograph the screen and note any running programs or messages, and so on, and ask the user at the scene to shut down the server. |
|
Definition
A. Photograph the screen and note any running programs or messages, and so on, and use the normal shutdown procedure. |
|
|
Term
You are a computer forensic examiner at a scene and are authorized to seize only media that can be determined to have evidence related to the investigation. What options do you have to determine whether evidence is present before seizure and a full forensic examination? (Choose all that apply.)
A. Use a DOS boot floppy or CD to boot the machine, and browse through the directory for evidence.
B. Use an EnCase boot floppy or CD to boot the machine into Linux, and use LinEn to preview the hard drive through a crossover cable with EnCase for Windows.
C. Remove the subject hard drive from the machine, and preview the hard drive in EnCase for Windows with a hardware write blocker such as FastBloc.
D. Use an EnCase boot floppy or CD to boot the machine into DOS, and use EnCase for DOS to preview the hard drive through a crossover cable with EnCase for Windows. |
|
Definition
B. Use an EnCase boot floppy or CD to boot the machine into Linux, and use LinEn to preview the hard drive through a crossover cable with EnCase for Windows.
C. Remove the subject hard drive from the machine, and preview the hard drive in EnCase for Windows with a hardware write blocker such as FastBloc.
D. Use an EnCase boot floppy or CD to boot the machine into DOS, and use EnCase for DOS to preview the hard drive through a crossover cable with EnCase for Windows. |
|
|
Term
You are a computer forensic examiner at a scene and have determined you will need to image a hard drive in a workstation while on-site. What are your options for creating a forensically sound image of the hard drive? (Choose all that apply.)
A. Use a DOS boot floppy or CD to boot the machine, and use EnCase for DOS to image the subject hard drive to a second hard drive attached to the machine.
B. Use a forensically sound Linux boot CD to boot the machine into Linux, and use LinEn to image the subject hard drive to a second hard drive attached to the machine.
C. Remove the subject hard drive from the machine, and image the hard drive in EnCase for Windows with a hardware write blocker such as FastBloc.
D. Use an EnCase boot floppy or CD to boot the machine into DOS, and use EnCase for DOS to image the hard drive through a crossover cable with EnCase for Windows. |
|
Definition
B. Use a forensically sound Linux boot CD to boot the machine into Linux, and use LinEn to image the subject hard drive to a second hard drive attached to the machine.
C. Remove the subject hard drive from the machine, and image the hard drive in EnCase for Windows with a hardware write blocker such as FastBloc.
D. Use an EnCase boot floppy or CD to boot the machine into DOS, and use EnCase for DOS to image the hard drive through a crossover cable with EnCase for Windows. |
|
|
Term
You are a computer forensic examiner and have imaged a hard drive on site. Before you leave the scene, you want to ensure the image completely verifies as an exact forensic duplicate of the original. To verify the EnCase evidence file containing the image, you should do which of the following?
A. Use a hex editor to compare a sample of sectors in the EnCase evidence file with that of the original.
B. Load the EnCase evidence files into EnCase for Windows, and after the verification is more than halfway completed, cancel the verification and spot-check the results for errors.
C. Load the EnCase evidence files into EnCase for DOS, and verify the hash of those files.
D. Load the EnCase evidence files into EnCase for Windows, allow the verification process to finish, and then check the results for complete verification. |
|
Definition
D. Load the EnCase evidence files into EnCase for Windows, allow the verification process to finish, and then check the results for complete verification. |
|
|
Term
You are a computer forensic examiner and need to verify the integrity of an EnCase evidence file. To completely verify the file’s integrity, which of the following must be true?
A. The MD5 hash value must verify.
B. The CRC values and the MD5 hash value both must verify.
C. Either the CRC or MD5 hash values must verify.
D. The CRC values must verify. |
|
Definition
B. The CRC values and the MD5 hash value both must verify. |
|
|
Term
You are a computer forensic examiner and need to determine what files are contained within a folder called Business documents. What EnCase pane will you use to view the names of the files in the folder?
A. Tree pane
B. Table pane
C. View pane
D. Filter pane |
|
Definition
|
|
Term
You are a computer forensic examiner and need to view the contents of a file contained within a folder called Business documents. What EnCase pane will you use to view the contents of the file?
A. Tree pane
B. Table pane
C. View pane
D. Filter pane |
|
Definition
|
|
Term
You are a computer forensic examiner and are viewing a file in an EnCase evidence file. With your cursor, you have selected one character in the file. What binary term is used for the amount of data that represents a single character?
A. A byte
B. A nibble
C. A bit
D. A word
|
|
Definition
|
|
Term
You are a computer forensic examiner and need to search for the name of a suspect in an EnCase evidence file. You enter the name of the suspect into the EnCase keyword interface as John Doe. What search hits will be found with this search term with the default settings? (Choose all that apply.)
A. john doe
B. John D.
C. John Doe
D. John.Doe
|
|
Definition
|
|
Term
You are a computer forensic examiner and need to determine whether any Microsoft Office documents have been renamed with image extensions to obscure their presence. What EnCase process would you use to find such files?
A. File signature analysis
B. Recover Folders feature
C. File content search
D. File hash analysis
|
|
Definition
A. File signature analysis |
|
|
Term
You are a computer forensic examiner and want to reduce the number of files required for examination by identifying and filtering out known good or system files. What EnCase process would you use to identify such files?
A. File signature analysis
B. Recover Folders feature
C. File content search
D. File hash analysis |
|
Definition
|
|
Term
You are a computer forensic examiner and want to determine whether a user has opened or double-clicked a file. What folder would you look in for an operating system artifact for this user activity?
A. Temp
B. Recent
C. Cookies
D. Desktop |
|
Definition
|
|
Term
You are a computer forensic examiner and want to determine when a user deleted a file contained in a Windows XP Recycle Bin. In what file is the date and time information about the file deletion contained?
A. index.dat
B. Link file
C. INFO2
D. deleted.ini |
|
Definition
|
|
Term
You are a computer forensic examiner and want to determine how many times a program was executed. Where would you find information?
A. Temp folder
B. Registry
C. Recycle Bin
D. Program Files |
|
Definition
|
|
Term
You are a computer forensic examiner and want to examine any email sent and received by the user of the computer system under investigation. What email formats are supported by EnCase?
(Choose all that apply.)
A. Outlook
B. Outlook Express
C. America Online
D. Hotmail
E. Yahoo!
F. Mozilla Thunderbird |
|
Definition
A. Outlook
B. Outlook Express
C. America Online
D. Hotmail
E. Yahoo!
F. Mozilla Thunderbird |
|
|
Term
What is the definition of a CPU?
A. The physical computer case that contains all its internal components
B. The computer’s internal hard drive
C. A part of the computer whose function is to perform data processing
D. A part of the computer that stores and manages memory
|
|
Definition
C. A part of the computer whose function is to perform data processing |
|
|
Term
What is the BIOS?
A. BIOS stands for Basic Input Output System and is a combination of low-level software and drivers that function as the interface, intermediary, or layer between a computer’s hardware and its operating system.
B. BIOS stands for Bootstrap Initialization Operating System and is a combination of low-level software and drivers that function as the interface, intermediary, or layer between a computer’s hardware and its operating system.
C. BIOS stands for Boot-level Input Output System and is a combination of low-level software and drivers that function as the interface, intermediary, or layer between a computer’s hardware and its operating system.
D. BIOS stands for Boot Initialization Operating System and is a combination of low-level software and drivers that function as the interface, intermediary, or layer between a computer’s hardware and its operating system.
|
|
Definition
A. BIOS stands for Basic Input Output System and is a combination of low-level software and drivers that function as the interface, intermediary, or layer between a computer’s hardware and its operating system. |
|
|
Term
Is the information stored on a computer’s ROM chip lost during a proper shutdown?
A. Yes
B. No |
|
Definition
|
|
Term
Is the information contained on a computer’s RAM chip accessible after a proper shutdown?
A. Yes
B. No
|
|
Definition
|
|
Term
Can information stored in the BIOS ever change?
A. Yes
B. No |
|
Definition
|
|
Term
What is the purpose or function of a computer’s ROM chip?
A. Long-term or permanent storage of information and instructions
B. Temporary storage area to run applications
C. Permanent storage area for programs and files
D. A portable storage device |
|
Definition
A. Long-term or permanent storage of information and instructions |
|
|
Term
Information contained in RAM memory (system’s main memory), which is located on the motherboard, is _________.
A. volatile
B. nonvolatile |
|
Definition
|
|
Term
What is the maximum number of drive letters assigned to hard drive(s) partitions on a system?
A. 4
B. 16
C. 24
D. Infinity |
|
Definition
|
|
Term
The smallest area on a drive that data can be written to is a _______, while the smallest area on a drive that a file can be written to is a ________.
A. bit and byte
B. sector and cluster
C. volume and drive
D. memory and disk
|
|
Definition
|
|
Term
The size of a physical hard drive can be determined by which of the following?
A. The cylinder × head × sector
B. The cylinder × head × sector × 512 bytes
C. The total LBA sectors ×512 bytes
D. Adding the total size of partitions
E. Both B and C |
|
Definition
|
|
Term
The electrical pathway used to transport data from one computer component to another is called what?
A. Bus
B. RAM
C. CMOS
D. BIOS
|
|
Definition
|
|
Term
What is the main component of a computer to which essential internal devices such as CPU, memory chips, and other chipsets are attached?
A. BIOS
B. Motherboard
C. Expansion card
D. Processor |
|
Definition
|
|
Term
IDE, SCSI, and SATA are different types of interfaces describing what device?
A. RAM chips
B. Flash memory
C. CPUs
D. Hard drives |
|
Definition
|
|
Term
What do the terms master, slave, and Cable Select refer to?
A. External SCSI devices
B. Cable types for external hardware
C. Jumper settings for internal hardware such as IDE hard drives and CD drives
D. Jumper settings for internal expansion cards |
|
Definition
C. Jumper settings for internal hardware such as IDE hard drives and CD drives |
|
|
Term
What can you assume about a hard drive that is pinned as CS?
A. It’s an IDE drive.
B. It’s a SATA drive.
C. It’s a SCSI drive.
D. All of the above. |
|
Definition
|
|
Term
What is found at Cylinder 0, Head 0, Sector 1 on a hard drive?
A. Master boot record
B. Master file table
C. Volume boot record
D. Volume boot sector |
|
Definition
|
|
Term
What is the first sector on a volume called?
A. File allocation table
B. Volume boot record or sector
C. Master boot record
D. Volume boot device |
|
Definition
B. Volume boot record or sector |
|
|
Term
Which of the following is incorrect?
A. The MBR is typically written when the drive is partitioned with FDISK or DISKPART.
B. A file system is a system or method of storing and retrieving data on a computer system that allows for a hierarchy of directories, subdirectories, and files.
C. The VBR is typically written when the drive is high-level formatted with a utility such as format.
D. The partition table is contained within the MBR and consists of a total of 16 bytes, which describes up to four partitions using 4 bytes each to do so. |
|
Definition
D. The partition table is contained within the MBR and consists of a total of 16 bytes, which describes up to four partitions using 4 bytes each to do so. |
|
|
Term
FAT is defined as which of the following?
A. A table consisting of master boot record and logical partitions
B. A table created during the format that the operating system reads to locate data on a drive
C. A table consisting of file names and file attributes
D. A table consisting of file names, deleted file names, and their attributes |
|
Definition
B. A table created during the format that the operating system reads to locate data on a drive |
|
|
Term
How does a corrupted sector located in the data area of a hard drive affect the corresponding cluster number on a FAT table?
A. It does not affect the corresponding cluster number on a FAT table; therefore, the rest of the sectors associated with the assigned cluster can still be written to.
B. It does not affect the corresponding cluster number on a FAT table; only the corrupted portion of the sector is prevented from being written to.
C. It does affect the FAT table. The corresponding cluster number is marked as bad; however, only the corrupted sector within the cluster is prevented from being written to.
D. It does affect the FAT table. The corresponding cluster number is marked as bad, and the entire cluster is prevented from being written to. |
|
Definition
D. It does affect the FAT table. The corresponding cluster number is marked as bad, and the entire cluster is prevented from being written to. |
|
|
Term
Which of the following describes a partition table?
A. It is located at cylinder 0, head 0, sector 1.
B. Is located in the master boot record.
C. It keeps track of the partitions on a hard drive.
D. All of the above. |
|
Definition
|
|
Term
Which selection keeps track of a fragmented file in a FAT file system?
A. File allocation table
B. Directory structure
C. Volume boot record
D. Master file table |
|
Definition
|
|
Term
If the FAT table lists cluster number 2749 with a value of 0, what does this mean about this specific cluster?
A. It is blank and contains no data.
B. It is marked as bad and cannot be written to.
C. It is allocated to a file.
D. It is unallocated and is available to store data. |
|
Definition
D. It is unallocated and is available to store data. |
|
|
Term
Which of the following is true about a volume boot record?
A. It is always located at the first sector of its logical partition.
B. It immediately follows the master boot record.
C. It contains BIOS parameter block and volume boot code.
D. A and C. |
|
Definition
|
|
Term
The NTFS file system does which of the following?
A. Supports long file names
B. Compresses individual files and directories
C. Supports large file sizes in excess of 4GB
D. All of the above |
|
Definition
|
|
Term
How many clusters can a FAT32 file system manage?
A. 2 × 32 = 64 clusters
B. 2^32 = 4,294,967,296 clusters
C. 2 × 28 = 56 clusters
D. 2^28 = 268,435,456 clusters |
|
Definition
D. 2^28 = 268,435,456 clusters |
|
|
Term
The FAT tracks the ________ while the directory entry tracks the ________.
A. file name and file size
B. file’s starting cluster and file’s last cluster (EOF)
C. file’s last cluster (EOF) and file’s starting cluster
D. file size and file fragmentation |
|
Definition
C. file’s last cluster (EOF) and file’s starting cluster |
|
|
Term
How many copies of the FAT does each FAT32 volume maintain in its default configuration?
A. One
B. Two
C. Three
D. Four |
|
Definition
|
|
Term
A file’s logical size is displayed as?
A. The number of sectors needed that the logical file contains
B. The number of clusters that the logical file contains
C. The number of bytes that the logical file contains
D. The number of bits that the logical file contains |
|
Definition
C. The number of bytes that the logical file contains |
|
|
Term
A file’s physical size is?
A. Always greater than the file’s logical size
B. The number of bytes in the logical file plus all slack space from the end of the logical file to the end of the last cluster
C. Both A and B
D. None of the above |
|
Definition
B. The number of bytes in the logical file plus all slack space from the end of the logical file to the end of the last cluster |
|
|
Term
A directory entry in a FAT file system has a logical size of which of the following?
A. 0 bytes
B. 8 bytes
C. 16 bytes
D. One sector |
|
Definition
|
|
Term
Each directory entry in a FAT file system is ____ bytes in length.
A. 0
B. 8
C. 16
D. 32 |
|
Definition
|
|
Term
By default, what color does EnCase use to display directory entries within a directory structure?
A. Black
B. Red
C. Gray
D. Yellow |
|
Definition
|
|
Term
What is the area between the end of a file’s logical size and the file’s physical size called?
A. Unused disk area
B. Unallocated clusters
C. Unallocated sectors
D. Slack space |
|
Definition
|
|
Term
What three things occur when a file is created in a FAT32 file system?
A. Directory entry for the file is created, the FAT assigns the necessary clusters to the file, and the file’s data is filled in to the assigned clusters.
B. The file name is entered in to the FAT, the directory structure assigns the number of clusters, and the file’s data is filled in to the assigned clusters.
C. The directory entry for the file is created, the number of clusters is assigned by the directory structure, and the file’s data is filled in to the FAT.
D. The directory structure maintains the amount of clusters needed, the file name is recorded in the FAT, and the file’s data is filled in to the assigned clusters. |
|
Definition
A. Directory entry for the file is created, the FAT assigns the necessary clusters to the file, and the file’s data is filled in to the assigned clusters. |
|
|
Term
How does EnCase recover a deleted file?
A. It reads the deleted file name in the FAT and searches for the file by its starting cluster number and logical size.
B. It reads the deleted file name in the directory entry and searches for the corresponding file name in unallocated clusters.
C. It obtains the deleted file’s starting cluster number and size from the directory entry to obtain the data’s starting location and number of clusters required.
D. It obtains the deleted file’s starting cluster number and size from the FAT to locate the starting location and amount of clusters needed. |
|
Definition
C. It obtains the deleted file’s starting cluster number and size from the directory entry to obtain the data’s starting location and number of clusters required. |
|
|
Term
What does EnCase do when a deleted file’s starting cluster number is assigned to another file?
A. EnCase reads the entire existing data as belonging to the deleted file.
B. EnCase only reads the amount of data from the existing file that is associated with the deleted file.
C. EnCase marks the deleted file as being overwritten.
D. EnCase does not display a deleted file name when the data has been overwritten. |
|
Definition
C. EnCase marks the deleted file as being overwritten. |
|
|
Term
What information does a file’s directory entry in a FAT file system store about itself?
A. File name
B. Date/time
C. File extension
D. Starting cluster (extent)
E. All of the above |
|
Definition
|
|
Term
What is the first consideration when responding to a scene?
A. Your safety
B. The safety of others
C. The preservation of evidence
D. Documentation |
|
Definition
|
|
Term
What are some variables regarding a facility that you should consider prior to responding to a scene?
A. What type of structure is it?
B. How large is the structure?
C. What are the hours of operation?
D. Is there a helpful person present to aid in your task?
E. All of the above. |
|
Definition
|
|
Term
What are some variables regarding items to be seized that you should consider prior to responding to a scene?
A. Location(s) of computers
B. Type of operating system
C. Workstations or mainframes
D. System-critical or auxiliary machine
E. All of the above |
|
Definition
|
|
Term
Generally speaking, if you encounter a desktop computer running Windows XP, how should you take down the machine?
A. Shut down using Windows XP.
B. Shut down by pulling the power cord from the outlet.
C. Shut down by pulling the plug from the computer box.
D. All of the above. |
|
Definition
C. Shut down by pulling the plug from the computer box. |
|
|
Term
Generally speaking, if you encounter a computer running Windows 2000 Server, how should you take down the machine?
A. Shut down using its operating system.
B. Shut down by pulling the power cord from the outlet.
C. Shut down by pulling the plug from the computer box.
D. All of the above. |
|
Definition
A. Shut down using its operating system. |
|
|
Term
Generally speaking, if you encounter a Unix/Linux machine, how should you take down the machine?
A. Shut down using its operating system.
B. Shut down by pulling the power cord from the outlet.
C. Shut down by pulling the plug from the computer box.
D. All of the above. |
|
Definition
A. Shut down using its operating system. |
|
|
Term
When unplugging a desktop computer, from where is it best to pull the plug?
A. The back of the computer
B. The wall outlet
C. A or B |
|
Definition
A. The back of the computer |
|
|
Term
What is the best method to shut down a notebook computer?
A. Unplug from the back of the computer.
B. Unplug from the wall.
C. Remove the battery.
D. Both A and C. |
|
Definition
|
|
Term
Generally speaking, if you encounter a Macintosh computer, how should you take down the machine?
A. Shut down using the operating system.
B. Shut down by pulling the power cord from the outlet.
C. Shut down by pulling the plug from the computer box.
D. All of the above. |
|
Definition
C. Shut down by pulling the plug from the computer box. |
|
|
Term
Which selection displays the incorrect method for shutting down a computer?
A. DOS: Pull the plug.
B. Windows 2000: Pull the plug.
C. Windows XP: Pull the plug.
D. Linux: Pull the plug. |
|
Definition
|
|
Term
When shutting down a computer, what information is typically lost?
A. Data in RAM memory
B. Running processes
C. Current network connections
D. Current logged-in users
E. All of the above |
|
Definition
|
|
Term
Which of the following is not acceptable for “bagging” a computer workstation?
A. Large paper bag.
B. Brown wrapping paper.
C. Plastic garbage bag.
D. Large antistatic plastic bag.
E. All of the above are acceptable for bagging a workstation. |
|
Definition
|
|
Term
|
Definition
Encase Certified Examiner |
|
|
Term
|
Definition
Small Computer Systems Interface |
|
|
Term
|
Definition
Integrated Drive Electronics |
|
|
Term
|
Definition
Serial Advanced Technology Attachment |
|
|
Term
|
Definition
Redundant Array of Inexpensive Disks |
|
|
Term
|
Definition
Institute of Electrical and Electronics Engineers |
|
|
Term
|
Definition
Industry Standard Architecture |
|
|
Term
|
Definition
IBM Micro Channel Architecture |
|
|
Term
|
Definition
Extended Industry Standard Architecture |
|
|
Term
|
Definition
Peripheral Component Interconnect |
|
|
Term
|
Definition
Accelerated Graphics Port |
|
|
Term
|
Definition
Personal Computer Memory Card International Association |
|
|
Term
|
Definition
Peripheral Component Interconnect |
|
|
Term
|
Definition
Complementary Metal-Oxide Semiconductor |
|
|
Term
|
Definition
Extensible Firmware Interface |
|
|
Term
|
Definition
File Allocation Table (12, 16 or 32) |
|
|
Term
|
Definition
Read only
Bit Flag Values for Attribute Field at Byte Offset 11 |
|
|
Term
In which circumstance is pulling the plug to shut down a computer system considered the best practice?
A. When the OS is Linux/Unix
B. When the OS is Windows 2000 and known to be running a large business database application
C. When the OS is Windows (NT/2K/2003) Server
D. When Mac OS X Server is running as a web server
E. None of the above |
|
Definition
|
|
Term
How is the chain of custody maintained?
A. By bagging evidence and sealing it to protect it from contamination or tampering
B. By documenting what, when, where, how, and by whom evidence was seized
C. By documenting in a log the circumstances under which evidence was removed from the evidence control room
D. By documenting the circumstances under which evidence was subjected to analysis
E. All of the above |
|
Definition
|
|
Term
It is always safe to pull the plug on a Windows 2000 Professional operating system.
A. True
B. False |
|
Definition
|
|
Term
On a production Linux/Unix server, you must generally be which user to shut down the system?
A. sysadmin
B. administrator
C. root
D. system |
|
Definition
|
|
Term
When would it be acceptable to navigate through a live system?
A. To observe the operating system to determine the proper shutdown process
B. To document currently opened files (if Enterprise/FIM edition is not available)
C. To observe an encryption program running
D. To access virtual storage facility (if search warrant permits; some are very specific about physical location)
E. All of the above |
|
Definition
|
|
Term
A console prompt that displayed backslashes (\) as part of its display would most likely be which of the following?
A. Red Hat Linux operating system
B. Unix operating system
C. Linux or Unix operating system logged in as root
D. MS-DOS |
|
Definition
|
|
Term
When called to a large office complex with numerous networked machines, it is always a good idea to request the assistance of the network administrator.
A. True
B. False |
|
Definition
|
|
Term
Subsequent to a search warrant where evidence is seized, what items should be left behind?
A. Copy of the affidavit
B. Copy of the search warrant
C. List of items seized
D. A and B
E. B and C |
|
Definition
|
|
Term
|
Definition
Secure Authentication for EnCase |
|
|
Term
|
Definition
Device Configuration Overlay |
|
|
Term
|
Definition
Message-Digest algorithm 5.
The odds of any two files having the same MD5 are 1 in 2^128, which is, more graphically, 1 in 340,282,366,920,938,000,000,000,000,000,000,000,000. |
|
|
Term
|
Definition
cyclic redundancy check (CRC) or polynomial code checksum |
|
|
Term
When acquiring a hard drive in the DOS mode, what would be the cause of EnCase not detecting partition information?
A. The drive has been FDisked and the partition(s) removed.
B. The partition(s) are not recognized by DOS.
C. Both A and B.
D. None of the above. |
|
Definition
|
|
Term
A standard DOS 6.22 boot disk does not make calls to the C: volume of a hard drive when the diskette is booted.
A. True
B. False |
|
Definition
|
|
Term
As a good forensic practice, why would it be a good idea to wipe a forensic drive before reusing it?
A. Chain-of-custody
B. Cross-contamination
C. Different file and operating systems
D. Chain of evidence
E. No need to wipe |
|
Definition
|
|
Term
If the number of sectors reported by EnCase does not match the number reported by the manufacturer for the drive, what should you do?
A. Suspect HPA
B. Suspect DCO
C. Boot with EnCase for DOS and switch to Direct ATA access
D. Boot with LinEn in Linux
E. All of the above |
|
Definition
|
|
Term
What system files are changed or in any way modified by EnCase when creating an EnCase boot disk?
A. IO.SYS
B. COMMAND.COM
C. DRVSPACE.BIN
D. All of the above
E. None of the above |
|
Definition
|
|
Term
Reacquiring an image and adding compression will change the MD5 value of the acquisition hash.
A. True
B. False |
|
Definition
|
|
Term
When reacquiring an image, you can change the name of the evidence.
A. True
B. False |
|
Definition
|
|
Term
Which of the following should you do when creating a storage volume to hold an EnCase evidence file that will be created with EnCase for DOS or LinEn? (Choose all that apply.)
A. Format the volume with the FAT file system.
B. Give the volume a unique label to identify it.
C. Wipe the volume before formatting to conform to best practices, and avoid claims of cross-contamination.
D. Create a directory to contain the evidence file.
E. Format the volume with the NTFS file system.
F. All of the above. |
|
Definition
A. Format the volume with the FAT file system.
B. Give the volume a unique label to identify it.
C. Wipe the volume before formatting to conform to best practices, and avoid claims of cross-contamination.
D. Create a directory to contain the evidence file. |
|
|
Term
In Linux, what describes hdb2? (Choose all that apply.)
A. Refers to the primary master
B. Refers to the primary slave
C. Refers to hard drive number 2
D. Refers to the second partition
E. Refers to the secondary master |
|
Definition
B. Refers to the primary slave
D. Refers to the second partition |
|
|
Term
When acquiring USB flash memory, you should write-protect it by doing what?
A. Engaging the write-protect switch, if equipped
B. Modifying the registry in Windows XP SP2 (or higher) to make USB read-only
C. Using ENBD/ENBCD USB DOS drivers and having EnCase for DOS “lock” the Flash media
D. Using LinEn in Linux with automount of file system disabled
E. Using FastBloc SE to write-block USB, FireWire, SCSI drives
F. All of the above |
|
Definition
|
|
Term
Which type or types of cables can be used in a network cable acquisition?
A. Standard network patch cable
B. CAT-6 network cable
C. Network crossover cable
D. Standard network patch cable used with a crossover adaptor |
|
Definition
C. Network crossover cable
D. Standard network patch cable used with a crossover adaptor |
|
|
Term
Should Zip/Jaz disks be acquired with EnCase in DOS or Windows?
A. DOS
B. Windows |
|
Definition
|
|
Term
When using LinEn, the level of support for USB, FireWire, and SCSI devices is determined by what?
A. The drivers built into LinEn
B. The drivers provided with the ENBCD
C. The distribution of Linux being used
D. A and B
E. None of the above |
|
Definition
C. The distribution of Linux being used |
|
|
Term
How should CDs be acquired using EnCase?
A. DOS
B. Windows |
|
Definition
|
|
Term
Select all that are true about EE and FIM.
A. They can acquire or preview a system live without shutting it down.
B. They can capture live system-state volatile data using the Snapshot feature.
C. With EE, the SAFE is on a separate PC, administered by the keymaster.
D. With FIM, the SAFE is on the examiner’s PC and the keymaster and the examiner are the same person.
E. FIM can be licensed to private individuals. |
|
Definition
A. They can acquire or preview a system live without shutting it down.
B. They can capture live system-state volatile data using the Snapshot feature.
C. With EE, the SAFE is on a separate PC, administered by the keymaster.
D. With FIM, the SAFE is on the examiner’s PC and the keymaster and the examiner are the same person. |
|
|
Term
How does an EnCase boot disk differ from a DOS 6.22 disk?
A. EnCase boot disk adds the EnCase executable, EN.EXE.
B. EnCase boot disk switches all calls from C: to A:.
C. Both A and B.
D. None of the above. |
|
Definition
|
|
Term
The EnCase evidence file is best described as follows:
A. A mirror image of the source device written to a hard drive
B. A sector-by-sector image of the source device written to corresponding sectors of a secondary hard drive
C. A bitstream image of a source device written to the corresponding sectors of a secondary hard drive
D. A bitstream image of a source device written to a file or several file segments |
|
Definition
D. A bitstream image of a source device written to a file or several file segments |
|
|
Term
How does EnCase verify the contents of an evidence file?
A. EnCase writes an MD5 hash value for every 32 sectors copied.
B. EnCase writes an MD5 value for every 64 sectors copied.
C. EnCase writes a CRC value for every 32 sectors copied.
D. EnCase writes a CRC value for every 64 sectors copied. |
|
Definition
D. EnCase writes a CRC value for every 64 sectors copied. |
|
|
Term
What is the smallest file size that an EnCase evidence file can be saved as?
A. 64 sectors
B. 512 sectors
C. 1 MB
D. 2 MB
E. 640 MB |
|
Definition
|
|
Term
What is the largest file segment size that an EnCase evidence file can be saved as?
A. 640 MB
B. 1 GB
C. 2 GB
D. No maximum limit |
|
Definition
|
|
Term
How does EnCase verify that the evidence file contains an exact copy of the source device?
A. By comparing the MD5 hash value of the source device to the MD5 hash value of the data stored in the evidence file
B. By comparing the CRC value of the source device to the CRC of the data stored in the evidence file
C. By comparing the MD5 hash value of the source device to the MD5 hash value of the entire evidence file
D. By comparing the CRC value of the source device to the CRC value of the entire evidence file |
|
Definition
A. By comparing the MD5 hash value of the source device to the MD5 hash value of the data stored in the evidence file |
|
|
Term
How does EnCase verify that the case information—such as case number, evidence number, notes, and so on—in an evidence file has not been damaged or altered after the evidence file has been written?
A. The case file writes a CRC value for the case information and verifies it when the case is opened.
B. EnCase does not verify the case information because it can be changed at any time.
C. EnCase writes a CRC value for the case information and verifies the CRC value when the evidence is added to a case.
D. EnCase writes an MD5 value of the case information and verifies the MD5 value when the evidence is added to a case. |
|
Definition
C. EnCase writes a CRC value for the case information and verifies the CRC value when the evidence is added to a case. |
|
|
Term
For an EnCase evidence file to successfully pass the file verification process, which of the following must be true?
A. The MD5 hash value must verify.
B. The CRC values and the MD5 hash value both must verify.
C. Either the CRC or MD5 hash values must verify.
D. The CRC values must verify. |
|
Definition
B. The CRC values and the MD5 hash value both must verify. |
|
|
Term
The MD5 hash algorithm produces a _____ value.
A. 32-bit
B. 64-bit
C. 128-bit
D. 256-bit |
|
Definition
|
|
Term
The MD5 hash algorithm is ___ hexadecimal characters in length.
A. 16
B. 32
C. 64
D. 128 |
|
Definition
|
|
Term
If an evidence file has been added to a case and completely verified, what happens if the data area within the evidence file is later altered?
A. EnCase will detect the error when that area of the evidence file is accessed by the user.
B. EnCase will detect the error if the evidence file is manually reverified.
C. EnCase will allow the examiner to continue to access the rest of the evidence file that has not been changed.
D. All of the above. |
|
Definition
|
|
Term
Which of the following aspects of the EnCase evidence file can be changed during a reacquire of the evidence file?
A. Investigator’s name
B. Evidence number
C. Notes
D. Evidence file size
E. All of the above |
|
Definition
|
|
Term
An evidence file was archived onto five CD-ROMs with the third file segment on disc 3. Can the contents of the third file segment be verified by itself while still on the CD-ROM?
A. No. All evidence file segments must be put back together.
B. Yes. Any evidence file segment can be verified independently by comparing the CRC values. |
|
Definition
B. Yes. Any evidence file segment can be verified independently by comparing the CRC values. |
|
|
Term
Will EnCase allow a user to write data into an acquired evidence file?
A. Yes, when adding notes or comments to bookmarks.
B. Yes, when adding search results.
C. A and B.
D. No, data cannot be added to the evidence file after the acquisition is made. |
|
Definition
D. No, data cannot be added to the evidence file after the acquisition is made. |
|
|
Term
All investigators using EnCase should run tests on the evidence file acquisition and verification process to do which of the following?
A. To further the investigator’s understanding of the evidence file
B. To give more weight to the investigator’s testimony in court
C. To verify that all hardware and software is functioning properly
D. All of the above |
|
Definition
|
|
Term
When a noncompressed evidence file is reacquired with compression, the acquisition and verification hash values for the evidence file will remain the same for both files.
A. True
B. False |
|
Definition
|
|
Term
Search hit results and bookmarks are stored in the evidence file.
A. True
B. False |
|
Definition
|
|
Term
The EnCase evidence file’s logical file name can be changed without affecting the verification of the acquired evidence.
A. True
B. False |
|
Definition
|
|
Term
An evidence file can be moved to another directory without changing the file verification.
A. True
B. False |
|
Definition
|
|
Term
What happens when EnCase attempts to reopen a case once the evidence file has been moved?
A. EnCase reports that the file’s integrity has been compromised and renders the file useless.
B. EnCase reports a different hash value for the evidence file.
C. EnCase prompts for the location of the evidence file.
D. EnCase opens the case, excluding the moved evidence file. |
|
Definition
C. EnCase prompts for the location of the evidence file. |
|
|
Term
During reacquisition, you can change which of the following? (Choose all that apply.)
A. Block size and error granularity
B. Add or remove a password
C. Investigator’s name
D. Compression
E. File segment size |
|
Definition
A. Block size and error granularity
B. Add or remove a password
D. Compression
E. File segment size |
|
|
Term
In the EnCase Windows environment, must an examiner first create a new case before adding a device to examine?
A. Yes
B. No |
|
Definition
|
|
Term
Proper file management and organization require that which of the following should be created prior to acquiring evidence?
A. Evidence, Export, Temp, and Index folders
B. Unique naming conventions for folders belonging to the same case
C. All subfolders saved under one folder with the same unique name
D. All of the above |
|
Definition
|
|
Term
The EnCase methodology dictates that the lab drive used to store EnCase evidence files must have which of the following prior to acquiring an image?
A. FAT 32 partition
B. NTFS partition
C. Clean format
D. Previously wiped and sterile partition |
|
Definition
D. Previously wiped and sterile partition |
|
|
Term
When creating a new case, the Case Options dialog box prompts for which of the following?
A. Name or (case name)
B. Examiner name
C. Default export folder
D. Temporary folder
E. All of the above |
|
Definition
|
|
Term
What determines the action that will result when a user double-clicks a file within EnCase?
A. The settings in the TEXTSTYLES.INI file
B. The settings in the FILETYPES.INI file
C. The settings in the FILESIGNATURES.INI file
D. The settings in the VIEWERS.INI file |
|
Definition
B. The settings in the FILETYPES.INI file |
|
|
Term
In the EnCase environment, the term external viewers is best described as which of the following?
A. Internal programs that are copied out of an evidence file
B. External programs loaded in the evidence file to open specific file types
C. External programs that are associated with EnCase to open specific file types
D. External viewers used to open a file that has been copied out of an evidence file |
|
Definition
C. External programs that are associated with EnCase to open specific file types |
|
|
Term
Where is the list of external viewers kept within EnCase?
A. The settings in the TEXTSTYLES.INI file
B. The settings in the FILETYPES.INI file
C. The settings in the FILESIGNATURES.INI file
D. The settings in the VIEWERS.INI file |
|
Definition
D. The settings in the VIEWERS.INI file |
|
|
Term
When the copy/unerase feature is used, EnCase saves the selected file(s) to which folder?
A. Evidence
B. Export
C. Temp
D. None of the above |
|
Definition
|
|
Term
Can the Export folder be moved once it is saved within a case?
A. Yes
B. No |
|
Definition
|
|
Term
Files that have been sent to external viewers are copied to which folder?
A. Evidence
B. Export
C. Temp
D. None of the above |
|
Definition
|
|
Term
The Temp folder of a case cannot be changed once the case has been saved.
A. True
B. False |
|
Definition
|
|
Term
Files stored in the Temp folder are removed once EnCase is properly closed.
A. True
B. False |
|
Definition
|
|
Term
How do you access the setting to adjust how often a backup file (.cbak) is saved?
A. Select Tools → Options → Case Options
B. Select View → Options → Case Options
C. Select Tools → Options → Global
D. Select View → Options → Global |
|
Definition
C. Select Tools → Options → Global |
|
|
Term
What is the maximum number of columns that can be sorted simultaneously in the Table view tab?
A. Two
B. Three
C. Five
D. 28 (maximum number of tabs) |
|
Definition
|
|
Term
How would a user reverse-sort on a column in the Table view?
A. Hold down the Ctrl key, and double-click the selected column header.
B. Right-click the selected column, select Sort, and select either Sort Ascending or Sort Descending.
C. Both A and B. |
|
Definition
|
|
Term
How can you hide a column in the Table view?
A. Place the cursor on the selected column, and press Ctrl+H.
B. Right-click on the selected column, select Column, and select Hide.
C. Right-click on the selected column, select Show Columns, and uncheck the desired fields to be hidden.
D. All of the above. |
|
Definition
|
|
Term
What does the Gallery view tab use to determine graphics files?
A. Header or file signature
B. File extension
C. File name
D. File size |
|
Definition
|
|
Term
Will the EnCase Gallery view display a .jpeg file if its file extension was renamed to .txt?
A. No, because EnCase will treat it as a text file.
B. Yes, because the Gallery view looks at a file’s header information and not the file extension.
C. Yes, but only if a signature analysis is performed to correct the “File Category” to “Picture” based on its file header information.
D. Yes, but only after a hash analysis is performed to determine the file’s true identity. |
|
Definition
C. Yes, but only if a signature analysis is performed to correct the “File Category” to “Picture” based on its file header information. |
|
|
Term
How would a user change the default colors and text fonts within EnCase?
A. The user cannot change the default colors and fonts settings.
B. The user can change the default colors and fonts settings by right-clicking the selected items and scrolling down to Change Colors and Fonts.
C. The user can change the default colors and fonts settings by clicking the View tab on the menu bar and selecting the Colors tab or Fonts tab.
D. The user can change default colors and fonts settings by clicking the Tools tab on the menu bar, selecting Options, and selecting the Colors tab or Fonts tab. |
|
Definition
D. The user can change default colors and fonts settings by clicking the Tools tab on the menu bar, selecting Options, and selecting the Colors tab or Fonts tab. |
|
|
Term
An EnCase user will always know the exact location of the selected data in the evidence file by looking at which of the following?
A. Data bar
B. Dixon box
C. Disk view
D. Hex view |
|
Definition
|
|
Term
Computers use a numbering system with only two digits, 0 and 1. This system is referred to as which of the following?
A. Hexadecimal
B. ASCII
C. Binary
D. FAT |
|
Definition
|
|
Term
A bit can have a binary value of which of the following?
A. 0 or 1
B. 0–9
C. 0–9 and A–F
D. On or Off |
|
Definition
|
|
Term
A byte consists of ___ bits.
A. 2
B. 4
C. 8
D. 16 |
|
Definition
|
|
Term
If 1 bit can have two unique possibilities, 2 bits can have four unique possibilities, and 3 bits can have eight unique possibilities. This is known as the power of 2. How many unique possibilities are there in 8 bits (2^8)?
A. 16
B. 64
C. 128
D. 256 |
|
Definition
|
|
Term
When the letter A is represented as 41h, it is displayed in which of the following?
A. Hexadecimal
B. ASCII
C. Binary
D. Decimal |
|
Definition
|
|
Term
What is the decimal integer value for the binary code 0000-1001?
A. 7
B. 9
C. 11
D. 1001 |
|
Definition
|
|
Term
Select all of the following that depict a Dword value.
A. 0000 0001
B. 0001
C. FF 00 10 AF
D. 0000 0000 0000 0000 0000 0000 0000 0001 |
|
Definition
C. FF 00 10 AF
D. 0000 0000 0000 0000 0000 0000 0000 0001 |
|
|
Term
How many characters can be addressed by the 7-bit ASCII character table? 16-bit Unicode?
A. 64 and 256
B. 128 and 256
C. 64 and 65,536
D. 128 and 65,536 |
|
Definition
|
|
Term
Where does EnCase (Version 5 or 6) store keywords?
A. Within each specific case file (.case and .cbak)
B. In the KEYWORDS.INI file
C. Both A and B
D. None of the above |
|
Definition
|
|
Term
When performing a keyword search in Windows, EnCase searches which of the following?
A. The logical files
B. The physical disk in unallocated clusters and other unused disk areas
C. Both A and B
D. None of the above |
|
Definition
|
|
Term
By default, search terms are case sensitive.
A. True
B. False |
|
Definition
|
|
Term
By selecting the Unicode box, EnCase searches for both ASCII and Unicode formats.
A. True
B. False |
|
Definition
|
|
Term
With regard to a search using EnCase in the Windows environment, can EnCase find a word or phrase that is fragmented or spans in noncontiguous clusters?
A. No, because the letters are located in noncontiguous clusters.
B. No, EnCase performs a physical search only.
C. No, unless the File Slack option is deselected in the dialog box before the search.
D. Yes, EnCase performs both physical and logical searches. |
|
Definition
D. Yes, EnCase performs both physical and logical searches. |
|
|
Term
Which of the following would be a search hit for the His keyword?
A. this
B. His
C. history
D. Bill_Chisholm@gmail.com
E. All of the above |
|
Definition
|
|
Term
Which of the following would be a search hit for the following GREP expression? [^a-z]Liz[^a-z]
A. Elizabeth
B. Lizzy
C. Liz1
D. None of the above |
|
Definition
|
|
Term
Which of the following would be a search hit for the following GREP expression?
[\x00-\x07]\x00\x00\x00…
A. 00 00 00 01 A0 EE F1
B. 06 00 00 00 A0 EE F1
C. 0A 00 00 00 A0 EE F1
D. 08 00 00 00 A0 EE F1 |
|
Definition
|
|
Term
Which of the following would be a search hit for the following GREP expression?
Jan 1st, 2?0?06
A. Jan 1st, 2006
B. Jan 1st, 06
C. Both A and B
D. None of the above |
|
Definition
|
|
Term
Which of the following will not be a search hit for the following GREP expression?
[^#]123[ \-]45[ \-]6789[^#]
A. A1234567890
B. A123 45-6789
C. A123-45-6789
D. A123 45 6789 |
|
Definition
|
|
Term
A sweep or highlight of a specific range of text is referred to as which of the following?
A. File group bookmark
B. Folder information bookmark
C. Highlighted data bookmark
D. Notable file bookmark
E. Notes bookmark |
|
Definition
C. Highlighted data bookmark |
|
|
Term
Which of the following is not correct regarding building and querying indexes?
A. To search an index, click the Search button on the toolbar.
B. Search hits will appear in the Docs tab and in the Transcript tab.
C. The Hits tab appears in the Filters pane and is used to navigate among search hits.
D. The indexing tool is an EnScript.
E. Conditions are used to query an index. |
|
Definition
A. To search an index, click the Search button on the toolbar. |
|
|
Term
When running a signature analysis, EnCase will do which of the following?
A. Compare a file’s header to its hash value.
B. Compare a file’s header to its file signature.
C. Compare a file’s hash value to its file extension.
D. Compare a file’s header to its file extension. |
|
Definition
D. Compare a file’s header to its file extension. |
|
|
Term
A file header is which of the following?
A. A unique set of characters at the beginning of a file that identifies the file type
B. A unique set of characters following the file name that identifies the file type
C. A 128-bit value that is unique to a specific file based on its data
D. Synonymous with file extension |
|
Definition
A. A unique set of characters at the beginning of a file that identifies the file type |
|
|
Term
The Windows operating system uses a file name’s _______ to associate files with the proper applications.
A. signature
B. MD5 hash value
C. extension
D. metadata |
|
Definition
|
|
Term
Unix (including Linux) operating systems use a file’s _______ to associate file types to specific applications.
A. metadata
B. header
C. extension
D. hash value |
|
Definition
|
|
Term
The Mac OS X operating system uses which of the following file information to associate a file to a specific application?
A. The “user defined” setting
B. File name extension
C. Metadata (creator code)
D. All of the above |
|
Definition
|
|
Term
Information regarding a file’s header information and extension is saved by EnCase in the _________ file.
A. FileSignatures.ini
B. FileExtensions.ini
C. FileInformation.ini
D. FileHeader.ini |
|
Definition
|
|
Term
When a file’s signature is unknown and a valid file extension exists, EnCase will display the following result after a signature analysis is performed:
A. Alias (Signature Mismatch)
B. !Bad Signature
C. Unknown
D. Match |
|
Definition
|
|
Term
When a file’s signature is known and the file extension does not match, EnCase will display the following result after a signature analysis is performed:
A. Alias (Signature Mismatch)
B. !Bad Signature
C. Unknown
D. Match |
|
Definition
A. Alias (Signature Mismatch) |
|
|
Term
When a file’s signature is known and the file extension matches, EnCase will display the following result after a signature analysis is performed:
A. Alias (Signature Mismatch)
B. !Bad Signature
C. Unknown
D. Match |
|
Definition
|
|
Term
When a file’s signature and extension are not recognized, EnCase will display the following result after a signature analysis is performed:
A. Alias (Signature Mismatch)
B. !Bad Signature
C. Unknown
D. Match |
|
Definition
|
|
Term
Can a file with a unique header share multiple file extensions?
A. Yes
B. No |
|
Definition
|
|
Term
A user can manually add new file headers and extensions by doing which of the following?
A. Manually inputting the data in the FileSignatures.ini file
B. Right-clicking the file and choosing Add File Signature
C. Choosing File Signatures view, right-clicking, and selecting New in the appropriate folder
D. Adding a new file header and extension and then choosing Create Hash Set |
|
Definition
C. Choosing File Signatures view, right-clicking, and selecting New in the appropriate folder |
|
|
Term
Select the correct answer that completes the following statement: An MD5 hash ___________.
A. is a 128-bit value
B. has odds of one in 2^128 that two dissimilar files will share the same value
C. is not determined by the file name
D. All of the above |
|
Definition
|
|
Term
EnCase can create a hash value for the following:
A. Physical devices
B. Logical volumes
C. Files or groups of files
D. All of the above |
|
Definition
|
|
Term
What portion of an evidence file does EnCase analyze during the verification process to yield an MD5 hash value?
A. Data area
B. Entire evidence file
C. Case information
D. None of the above |
|
Definition
A. Data area (the case information is protected by its own CRC, not by the MD5) |
|
|
Term
Will changing a file’s name affect the file’s MD5 hash value?
A. Yes
B. No |
|
Definition
B. No |
|
|
Term
Usually a hash value found in a hash set named Windows XP Home Edition would be reported in the Hash Category column as which of the following?
A. Known
B. Notable
C. Evidentiary
D. Nonevidentiary |
|
Definition
A. Known |
|
|
Term
With regard to hash categories, evidentiary files or files of interest are categorized as which of the following?
A. Known
B. Notable
C. Evidentiary
D. Nonevidentiary |
|
Definition
B. Notable |
|
|
Term
An MD5 hash of a specific media generated by EnCase will yield the same hash value as an independent third-party MD5 hashing utility.
A. True
B. False |
|
Definition
A. True |
|
|
Term
A hash _______ is comprised of hash _______, which is comprised of hash _______.
A. set(s), library(ies), value(s)
B. value(s), sets(s), library(ies)
C. library(ies), set(s), value(s)
D. set(s), values(s), library(ies) |
|
Definition
C. library(ies), set(s), value(s) |
|
|
Term
An operating system artifact can be defined as which of the following?
A. Information specific to a user’s preference
B. Information about the computer’s general settings
C. Information stored about a user’s activities on the computer
D. Information used to simplify a user’s experience
E. All of the above |
|
Definition
E. All of the above |
|
|
Term
A FAT file system stores date and time stamps in _______, whereas the NTFS file system stores date and time stamps in _______.
A. DOS directory and local time
B. Zulu time and GMT
C. Local time and GMT
D. SYSTEM.DAT and NTUSER.DAT |
|
Definition
C. Local time and GMT |
|
|
Term
Where does Windows store the time zone offset?
A. BIOS
B. Registry
C. INFO2 file
D. DOS directory or MFT |
|
Definition
B. Registry |
|
|
Term
The date and time of when a file was sent to the Recycle Bin can be found where?
A. INFO2 file
B. Original file name’s last access date
C. DOS directory or MFT
D. $I index file |
|
Definition
A. INFO2 file (pre-Vista; on Vista and later the $I index file holds the deletion time) |
|
|
Term
When a text file is sent to a pre-Windows Vista Recycle Bin, Windows changes the short file name of the deleted file to DC0.txt in the Recycle Bin. Select the best choice that explains the deleted file name.
A. D=DOS, C=character, 0=index number, file extension remains the same
B. D=DOS, C=drive letter, 0=index number, file extension remains the same
C. D=deleted, C=character, 0=index number, file extension remains the same
D. D=deleted, C=drive letter, 0=index number, file extension remains the same |
|
Definition
D. D=deleted, C=drive letter, 0=index number, file extension remains the same |
|
|
Term
When a document is opened, a link file bearing the document’s file name is created in the ____folder.
A. Shortcut
B. Recent
C. Temp
D. History |
|
Definition
B. Recent |
|
|
Term
Link files are shortcuts or pointers to actual items. These actual items can be what?
A. Programs
B. Documents
C. Folders
D. Devices
E. All of the above |
|
Definition
E. All of the above |
|
|
Term
In NTFS, information unique to a specific user is stored in the ______ file.
A. USER.DAT
B. NTUSER.DAT
C. SYSTEM.DAT
D. None of the above |
|
Definition
B. NTUSER.DAT |
|
|
Term
In Windows XP or Windows Vista, by default, how many recently opened documents are displayed in the My Recent Documents or Recent Items folder?
A. 4
B. 12
C. 15
D. Unlimited |
|
Definition
C. 15 |
|
|
Term
Most of a user’s desktop items on a Windows XP operating system would be located in the _________ directory.
A. C:\WINDOWS\Desktop
B. C:\WinNT\Desktop
C. C:\WINDOWS\system32\config\Desktop
D. C:\Documents and Settings\%User%\Desktop |
|
Definition
D. C:\Documents and Settings\%User%\Desktop |
|
|
Term
Because this file will hold the contents of RAM when the machine is powered off, the ______ file will be the size of the system RAM and will be in the root directory.
A. hiberfil.sys
B. WIN386.SWP
C. PAGEFILE.SYS
D. NTUSER.DAT |
|
Definition
A. hiberfil.sys |
|
|
Term
Where can you find evidence of web-based email such as from MSN Hotmail or Google Gmail on a Windows XP system?
A. In Temporary Internet Files under Local Settings in the user’s profile
B. In Unallocated Clusters
C. In the pagefile.sys file
D. In the hiberfil.sys file
E. All of the above |
|
Definition
E. All of the above |
|
|
Term
File names with the .url extension that direct web browsers to a specific website are located in which folder?
A. Favorites folder
B. Cookies folder
C. Send To folder
D. History folder |
|
Definition
A. Favorites folder |
|
|
Term
Data about Internet cookies such as URL names, date and time stamps, and pointers to the actual location of the cookie is stored in:
A. INFO2 file
B. index.dat file
C. EMF file
D. pagefile.sys file |
|
Definition
B. index.dat file |
|
|
Term
On a Windows 98 machine, which file is the swap or page file?
A. WIN386.SWP
B. pagefile.sys
C. swapfile.sys
D. page.swp |
|
Definition
A. WIN386.SWP |
|
|
Term
When you are examining evidence that has been sent to a printer, which file contains an image of the actual print job?
A. The Enhanced Metafile (EMF)
B. The shadow file
C. The spool file
D. The RAW file |
|
Definition
A. The Enhanced Metafile (EMF) |
|
|
Term
The two modes for printing in Windows are ______ and _______.
A. Spooled and Shadowed
B. Spooled and Direct
C. Spooled and EM
D. EMF and RAW |
|
Definition
D. EMF and RAW |
|
|
Term
Although the Windows operating system removes the EMF file upon a successful print job, the examiner may still recover the file as a result of a search on its unique header information in areas such as Unallocated Clusters or the swap file.
A. True
B. False |
|
Definition
A. True |
|
|
Term
The index.dat files are system files that store information about other files. They track date and time stamps, file locations, and name changes. Select the folder that does not contain an index.dat file.
A. Cookies
B. History
C. Recycle Bin
D. Temporary Internet Files |
|
Definition
C. Recycle Bin (it is tracked by the INFO2 file instead) |
|
|
Term
The Temporary Internet Files directory contains which of the following?
A. Web page files that are cached or saved for possible later reuse
B. An index.dat file that serves as a database for the management of the cached files
C. Web mail artifacts
D. All of the above |
|
Definition
D. All of the above |
|
|
Term
How many sector(s) on a hard drive are reserved for the master boot record (MBR)?
A. 1
B. 4
C. 16
D. 62
E. 63 |
|
Definition
|
|
Term
The very first sector of a formatted hard drive that contains an operating system is referred to as which of the following?
A. Absolute sector 0
B. Boot sector
C. Containing the master boot record (MBR)
D. All of the above |
|
Definition
D. All of the above |
|
|
Term
How many partition entries does the partition table in the master boot record allow for a physical drive?
A. 1
B. 2
C. 4
D. 24 |
|
Definition
C. 4 |
|
|
Term
The very first sector of a partition is referred to as which of the following?
A. Master boot record
B. Physical sector 0
C. Active primary partition
D. Volume boot record |
|
Definition
D. Volume boot record |
|
|
Term
If a hard drive has been fdisked, EnCase can still recover the deleted partition(s), if you point to the _________, right-click, and select Add Partition.
A. master boot record
B. volume boot record
C. partition table
D. unallocated space |
|
Definition
D. unallocated space (the sector in the unused disk area where the volume boot record of the deleted partition is found) |
|
|
Term
In an NTFS partition, where is the backup copy of the volume boot record (VBR) stored?
A. In the partition table
B. Immediately after the VBR
C. The last sector of the partition
D. An NTFS partition does not store a backup of the VBR. |
|
Definition
C. The last sector of the partition |
|
|
Term
EnCase can mount a compound file, which can then be viewed in a hierarchical format. Select an example of a compound file.
A. Registry file (that is, .dat)
B. Email file (that is, .edb, nsf, pst, dbx)
C. Compressed file (that is, .zip)
D. Thumbs.db
E. All of the above |
|
Definition
E. All of the above |
|
|
Term
Windows XP contains two master keys in its registry. They are HKEY_LOCAL_MACHINE and which of the following?
A. HKEY_USERS
B. HKEY_CLASSES_ROOT
C. HKEY_CURRENT_USER
D. HKEY_CURRENT_CONFIG |
|
Definition
A. HKEY_USERS |
|
|
Term
In Windows 2000/XP, information about a specific user’s preference is stored in the NTUSER.DAT file. This compound file can be found where?
A. C:\
B. C:\WINDOWS\
C. C:\Documents and Settings\username
D. C:\Documents and Settings\All Users\Application Data |
|
Definition
C. C:\Documents and Settings\username |
|
|
Term
In an NTFS file system, the date and time stamps recorded in the registry are stored where?
A. Local time based on the BIOS settings
B. GMT and converted based on the system’s time zone settings |
|
Definition
B. GMT and converted based on the system’s time zone settings |
|
|
Term
EnScript is a proprietary programming language and application programming interface (API) developed by Guidance Software, designed to function properly only within the EnCase environment.
A. True
B. False |
|
Definition
A. True |
|
|
Term
Since EnScript is a proprietary programming language developed by Guidance Software, EnScripts can be created by and obtained only from Guidance Software.
A. True
B. False |
|
Definition
B. False (EnScripts can be written by any user and shared between examiners) |
|
|
Term
Filters are a type of EnScript that “filters” a case for certain file properties such as file types, dates, and hash categories. Like EnScripts, filters can also be changed or created by a user.
A. True
B. False |
|
Definition
A. True |
|
|
Term
Select the type of email that EnCase 6 is not capable of recovering.
A. Microsoft Outlook and Outlook Express
B. AOL
C. Netscape, MSN Hotmail, and Yahoo! Mail
D. Lotus Notes and Microsoft Exchange Server
E. None of the above |
|
Definition
E. None of the above |
|
|
Term
Which method is used to view the contents of a compound file that contains emails such as a PST file in EnCase 6?
A. Right-click, and select View File Structure.
B. Run search, and in the Search menu select the types of email to recover.
C. Both A and B.
D. None of the above. |
|
Definition
C. Both A and B. |
|
|
Term
EnCase 6 cannot process web-based email such as MSN Hotmail or Yahoo! Mail because the information can be found only on the mail servers.
A. True
B. False |
|
Definition
B. False (web mail remnants are recovered from the local cache, swap and unallocated space) |
|
|
Term
The EnCase Decryption Suite (EDS) will not decrypt Microsoft’s Encrypting File System (EFS) on the ___________ operating system.
A. Windows 2000 Professional and Server
B. Windows XP Professional
C. Windows 2003 Server
D. Windows XP Home Edition |
|
Definition
D. Windows XP Home Edition |
|
|
Term
At which levels can the VFS module mount objects in the Windows environment?
A. The case level
B. The disk or device level
C. The volume level
D. The folder level
E. All of the above |
|
Definition
E. All of the above |
|
|
Term
The Physical Disk Emulator (PDE) module is similar to the Virtual File System (VFS); the module can mount a piece of media that is accessible in the Windows environment. Select the type(s) of media that the Physical Disk Emulator cannot mount.
A. Cases
B. Folders
C. Volumes
D. Physical disks
E. Both A and B |
|
Definition
E. Both A and B (PDE mounts only volumes and physical disks) |
|
|
Term
The Virtual File System (VFS) module mounts data as _______, while the Physical Disk Emulator (PDE) module mounts data as _______.
A. network share, emulated disk
B. emulated disk, network share
C. virtual drive, physical drive
D. virtual file, physical disk |
|
Definition
A. network share, emulated disk |
|
|
Term
The space from the end of a logical file to the end of the cluster in which the file ends is called:
A. Unallocated space
B. Allocated space
C. Available space
D. Slack |
|
Definition
D. Slack |
|
|
Term
The partition table found at the beginning of a hard drive is located in which sector?
A. Volume boot record
B. Master boot record
C. Master file table
D. Volume boot sector |
|
Definition
B. Master boot record |
|
|
Term
What information in a FAT file system directory entry refers to the location of a file on a hard drive?
A. The file size
B. The file attributes
C. The starting cluster
D. The fragmentation settings |
|
Definition
C. The starting cluster |
|
|
Term
A logical file would be best described as:
A. The data from the beginning of the starting cluster to the length of the file.
B. The data from the starting cluster to the end of the last cluster occupied by the file.
C. A file including any RAM and disk slack.
D. A file including only RAM slack. |
|
Definition
A. The data from the beginning of the starting cluster to the length of the file. |
|
|
Term
A case file can contain __ hard drive images?
A. 1
B. 5
C. 10
D. Any number of |
|
Definition
D. Any number of |
|
|
Term
Calls to the C:\ volume of the hard drive are not made by DOS when a computer is booted with a standard DOS 6.22 boot disk.
A. True
B. False |
|
Definition
B. False (a standard boot disk writes to C:\; IO.SYS and COMMAND.COM must be modified to make it forensically sound) |
|
|
Term
Select the appropriate name for the highlighted area of the binary numbers.
0000 0000 0000 0000
0000 0000 0000 0000
0000 0000 0000 0000
A. Word
B. Nibble
C. Bit
D. Dword
E. Byte |
|
Definition
|
|
Term
If an evidence file has been added to a case and completely verified, what happens if the data area within the evidence file is later changed?
A. EnCase will detect the error when that area of the evidence files is accessed by the user.
B. EnCase will detect the error if the evidence file is manually re-verified.
C. EnCase will allow the examiner to continue to access the rest of the evidence file that has not been changed.
D. All of the above. |
|
Definition
D. All of the above. |
|
|
Term
The BIOS chip on an IBM clone computer is most commonly located on:
A. The motherboard
B. The controller card
C. The microprocessor
D. The RAM chip |
|
Definition
A. The motherboard |
|
|
Term
Consider the following path in the FAT file system: C:\My Documents\My Pictures\Bikes. Where does the directory Bikes receive its name?
A. From the My Pictures directory
B. From itself
C. From the root directory c:\
D. From the My Documents directory |
|
Definition
A. From the My Pictures directory |
|
|
Term
The following GREP expression was typed in exactly as shown. Choose the answer(s) that would result. 800[) \-]+555-1212.
A. 800.555.1212
B. 8005551212
C. 800-555-1212
D. (800) 555-1212 |
|
Definition
C. 800-555-1212 and D. (800) 555-1212 (the set [) \-]+ requires at least one of ")", space or "-" between 800 and 555) |
|
|
Term
How does EnCase verify that the case information (Case Number, Evidence Number, Investigator Name, etc) in an evidence file has not been damaged or changed, after the evidence file has been written?
A. The .case file writes a CRC value for the case information and verifies it when the case is opened.
B. EnCase does not verify the case information and case information can be changed.
C. EnCase writes a CRC value of the case information and verifies the CRC value when the evidence is added to a case.
D. EnCase writes an MD5 hash value for the entire evidence file, which includes the case information, and verifies the MD5 hash when the evidence is added to a case. |
|
Definition
C. EnCase writes a CRC value of the case information and verifies the CRC value when the evidence is added to a case. |
|
|
Term
Which of the following statements is more accurate?
A. The Recycle Bin increases the chance of locating the existence of a file on a computer.
B. The Recycle Bin reduces the chance of locating the existence of a file on a computer. |
|
Definition
A. The Recycle Bin increases the chance of locating the existence of a file on a computer. |
|
|
Term
The first sector on a volume is called the:
A. Volume boot device
B. Master boot record
C. Master file table
D. Volume boot sector or record |
|
Definition
D. Volume boot sector or record |
|
|
Term
When an EnCase user double-clicks on a file within EnCase what determines the action that will result?
A. The settings in the case file.
B. The setting in the evidence file.
C. The settings in the FileTypes.ini file.
D. Both a and b. |
|
Definition
C. The settings in the FileTypes.ini file. |
|
|
Term
The following GREP expression was typed in exactly as shown. Choose the answer(s) that would result. Bob@[a-z]+.com
A. Bob@America.com
B. Bob@New zealand.com
C. Bob@a-z.com
D. Bob@My-Email.com |
|
Definition
A. Bob@America.com (the space in B and the hyphens in C and D are outside the set [a-z]) |
|
|
Term
The following GREP expression was typed in exactly as shown. Choose the answer(s) that would result. [^a-z]Tom[a-z]
A. Stomp
B. Tomato
C. Tom
D. Toms |
|
Definition
B. Tomato and D. Toms (assuming a non-alphabetic character, such as a space, precedes the word; Stomp has a letter before "tom" and Tom has no letter after it) |
|
|
Term
The following GREP expression was typed in exactly as shown. Choose the answer(s) that would result. [\x00-\x05]\x00\x00\x00?[\x00-\x05]\x00\x00\x00
A. 00 00 00 01 FF FF BA
B. FF 00 00 00 FF BA
C. 04 00 00 FF FF BA
D. 04 06 00 00 00 FF FF BA |
|
Definition
|
|
Term
This question addresses the EnCase for Windows search process. If a target word is within a logical file, and it begins in cluster 10 and ends in cluster 15 (the word is fragmented), the search:
A. Will not find it because the letters of the keyword are not contiguous.
B. Will not find it unless File slack is checked on the search dialog box.
C. Will find it because EnCase performs a logical search.
D. Will not find it because EnCase performs a physical search only. |
|
Definition
C. Will find it because EnCase performs a logical search. |
|
|
Term
When a file is deleted in the FAT file system, what happens to the FAT?
A. It is deleted as well.
B. Nothing.
C. The FAT entries for that file are marked as allocated.
D. The FAT entries for that file are marked as available. |
|
Definition
D. The FAT entries for that file are marked as available. |
|
|
Term
In DOS and Windows, how many bytes are in one FAT directory entry?
A. 8
B. 16
C. 32
D. 64
E. Variable |
|
Definition
C. 32 |
|
|
Term
When a non-compressed evidence file is reacquired with compression, the acquisition and verification hash values for the evidence will remain the same for both files.
A. True
B. False |
|
Definition
A. True |
|
|
Term
An EnCase evidence file of a hard drive _____ be restored to another hard drive of equal or greater size.
A. Can
B. Cannot |
|
Definition
A. Can |
|
|
Term
Upon starting a new case, what two directories should be defined? |
|
Definition
Default EXPORT and TEMP directories. |
|
|
Term
All lab media should be forensically sterile. What does this mean? |
|
Definition
The media should be: - WIPED of all data - VERIFIED to be absent of all data - Freshly partitioned and formatted |
|
|
Term
All lab media should maintain a unique __________, and a unique __________ to receive evidence files. |
|
Definition
- VOLUME LABEL - DIRECTORY |
|
|
Term
What happens when an examiner double-clicks on a file of a file type known by EnCase? |
|
Definition
The data is copied to the case defined TEMP directory, and the associated viewer is then called to display the file data. |
|
|
Term
What happens to the data files that are copied by EnCase to the case defined TEMP directory? |
|
Definition
When EnCase is PROPERLY shut down, it will DELETE the files from the temp folder. |
|
|
Term
What is the evidence file? |
|
Definition
It is a BIT STREAM image of the source media written to a file(s). |
|
|
Term
Evidence files can be segmented between a range of _____ and _____. |
|
Definition
Min 1 MB - Max 2000 MB.
(The default segment size of an evidence file is 640 MB.) |
|
|
Term
You can add data to an existing evidence file. (TRUE / FALSE) |
|
Definition
FALSE
The contents of an evidence file CANNOT be changed, altered, or modified. |
|
|
Term
What does the FIRST block of the evidence file contain? |
|
Definition
It contains the CASE INFORMATION, which is validated by an attached CRC. |
|
|
Term
How is the evidence file verified? |
|
Definition
- CRC (32bit) every 64 Sectors - MD5 (128bit) computed during the source media acquisition and placed at the end of the evidence file.
ALL CRC's and the MD5 MUST validate and verify. |
|
|
Term
If any changes occur to the evidence file (file corruption, etc...), what happens? |
|
Definition
The CRC for the affected block(s) will NO LONGER VERIFY, and EnCase will display an ERROR when any data in that block(s) are accessed. |
|
|
Term
Can individual segments of an evidence file be verified? (YES / NO) |
|
Definition
YES
In EnCase go to <Tools> - <Verify Single Evidence File> |
|
|
Term
What three (3) aspects of an evidence file can be changed without impacting the evidence file verification? |
|
Definition
1. Add / Remove PASSWORD protection 2. Change file COMPRESSION 3. Change the file SEGMENT SIZE |
|
|
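The evidence-file cards above describe three checks: a CRC over the case-information block, a CRC over every 64 sectors of data, and one MD5 over the acquired data placed at the end. The following is an added example written for this page, not Guidance Software code and not the real on-disk layout of an evidence file; the 64-sector block size comes from the cards, while the in-memory dictionary layout is an assumption made here. It shows why a changed data block is caught by its CRC while the MD5 still fails, why editing the case information breaks only its CRC, and why changing compression or restoring to a larger disk leaves the hash unchanged.

```python
"""Added example: the evidence-file verification scheme the cards describe,
re-implemented in memory. Illustrative only, not EnCase code or its format."""
import hashlib
import zlib

SECTOR = 512
BLOCK = 64 * SECTOR                # one CRC per 64 sectors, as the cards state


def acquire(case_info, media):
    """Bit-stream copy of media into an in-memory evidence structure."""
    blocks = [media[i:i + BLOCK] for i in range(0, len(media), BLOCK)]
    return {
        "case_info": case_info,                     # first block: case information ...
        "case_info_crc": zlib.crc32(case_info),     # ... validated by its own CRC
        "blocks": blocks,                           # the data area
        "block_crcs": [zlib.crc32(b) for b in blocks],
        "md5": hashlib.md5(media).hexdigest(),      # data area only, stored at the end
    }


def verify(ev):
    """Re-check every CRC and the MD5; all of them must validate."""
    bad_blocks = [i for i, b in enumerate(ev["blocks"])
                  if zlib.crc32(b) != ev["block_crcs"][i]]
    data = b"".join(ev["blocks"])
    return {
        "case_info_ok": zlib.crc32(ev["case_info"]) == ev["case_info_crc"],
        "bad_blocks": bad_blocks,                   # the 64-sector blocks that would be flagged
        "md5_ok": hashlib.md5(data).hexdigest() == ev["md5"],
    }


def corrupt(ev, offset):
    """Return a copy of the evidence with one data byte flipped (simulated corruption)."""
    i, j = divmod(offset, BLOCK)
    blocks = list(ev["blocks"])
    changed = bytearray(blocks[i])
    changed[j] ^= 0xFF
    blocks[i] = bytes(changed)
    return dict(ev, blocks=blocks)


def recompress(ev):
    """Changing compression alters the stored bytes but not the acquisition hash,
    because the hash covers the acquired data, not the container."""
    packed = zlib.compress(b"".join(ev["blocks"]))
    return hashlib.md5(zlib.decompress(packed)).hexdigest() == ev["md5"]


def restore(ev, target_size):
    """Write the data area to a target of equal or greater size; smaller targets fail."""
    data = b"".join(ev["blocks"])
    if target_size < len(data):
        raise ValueError("target smaller than source media")
    return data + b"\x00" * (target_size - len(data))


def restore_verified(ev, target):
    """Hash the restored region of the target and compare it with the stored MD5."""
    n = sum(len(b) for b in ev["blocks"])
    return hashlib.md5(target[:n]).hexdigest() == ev["md5"]


if __name__ == "__main__":
    media = bytes(range(256)) * 384               # constructed 96 KiB "disk": exactly 3 blocks
    ev = acquire(b"Case 2024-01 / Evidence 1 / Examiner A", media)
    print(verify(ev))
    print(verify(corrupt(ev, BLOCK + 10)))        # block 1 flagged, MD5 fails, case info still fine
    print(verify(dict(ev, case_info=b"edited")))  # case-info CRC fails, MD5 unaffected
    print(recompress(ev), restore_verified(ev, restore(ev, len(media) + 4096)))
```

The corrupted copy shows the behaviour the cards describe: only block 1 fails its CRC, so an examiner can still work with blocks 0 and 2, but the whole-image MD5 no longer verifies.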
Term
What is the case file? |
|
Definition
It is a TEXT file containing:
- Pointers to evidence file(s) - Results of searches and analysis (File Signature / Hashes) - Bookmarks - Investigator's Notes |
|
|
Term
What is the MAXIMUM number of evidence files that can be added to a single case file? |
|
Definition
There is NO limit. (ie. 8 HDDs, 200 FDDs, and 24 CDRs) |
|
|
Term
What is the file extension for a Encase version 4.x case file? ...for the back-up case file? |
|
Definition
.CASE for EnCase v4.x (prior versions used .CAS)
A backup file is created every 10 minutes by default with an extension of .CBK. |
|
|
Term
Evidence files can be RENAMED and MOVED without changing their Verification and Validity?
A. TRUE
B. FALSE |
|
Definition
A. True
The applied filename of the evidence file can be changed, and/or the file moved to another location; however, EnCase will prompt you to locate the renamed evidence file if it is changed/moved after it has been added to a case. |
|
|
Term
In the EnCase Environment, what are configuration files and how are they used? |
|
Definition
.INI files that store global changes and settings to the EnCase Environment. The global environment dictates the information/tools available for ALL cases. |
|
|
Term
Name the six (6) default configuration files and briefly describe what they are used for... |
|
Definition
FileSignatures.INI - the file signature table (known headers and the extensions that belong to them) used by File Signature Analysis.
FileTypes.INI - associates file extensions with viewers; dictates what will happen when a user double-clicks on a specific file.
Keywords.INI - stores global keyword lists used during searches.
Filters.INI - available filters used by EnCase.
Viewers.INI - all external viewers and their execution path with necessary parameters.
TextStyles.INI - Used to configure display width and font in the bottom pane of the EnCase window. |
|
|
Term
Searches within the EnCase Windows environment are both __________ and __________. |
|
Definition
PHYSICAL and LOGICAL. |
|
|
Term
In Unicode, how many bytes make up one character? |
|
Definition
Unicode uses TWO (2) bytes for each character, allowing the representation of 65,536 characters. |
|
|
Term
During a search for a keyword, selecting the UNICODE option will cause EnCase to search for the keyword in both ASCII and UNICODE.
A. TRUE
B. FALSE |
|
Definition
A. TRUE |
|
|
Term
How is the GREP symbol " ? " used during a search? |
|
Definition
? Makes the preceding character optional (zero or one occurrence) - joh?n will yield both JON and JOHN. |
|
|
Term
How is the GREP symbol " \x " used during a search? |
|
Definition
\x Indicates that the two characters that follow are to be treated as one hexadecimal byte value. (\xFF\xD8\xFF...) |
|
|
Term
How is the GREP symbol " * " used during a search? |
|
Definition
* States to repeat the preceding character or set any number of times, including zero times. |
|
|
Term
How is the GREP symbol " + " used during a search? |
|
Definition
+ States to repeat the preceding character or set any number of times, but at least once. |
|
|
Term
How is the GREP symbol " ^ " used during a search? |
|
Definition
^ States "not" - [^a-z] = NO alpha characters from a to z. |
|
|
Term
How is the GREP symbol " - " used during a search? |
|
Definition
- Denotes a range of characters, as in [1-9] or [a-z]. |
|
|
Term
How are the GREP symbols " [ ] " used during a search? |
|
Definition
[ ] Square brackets form a set. The included values within the set have to match a single character. [1-9] will match any single numeric value from 1 to 9. |
|
|
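The GREP cards above (the symbol definitions for ., ?, *, +, [ ], [^ ], - and \x, the multiple-choice expressions Bob@[a-z]+.com, [^a-z]Tom[a-z] and 800[) \-]+555-1212, and the Unicode search option) can be checked against sample data. The following is an added example written for this page, not EnCase code: Python's re module is used because these operators carry the same meaning there, and EnCase's default of case-insensitive matching is reproduced with re.IGNORECASE. The answer options and byte strings are constructed inputs; the assumption that a word in running text is preceded by a space is stated in the code.

```python
r"""Added example: running EnCase-style GREP keywords over constructed data
with Python's re module. Not EnCase code; the operators listed on the cards
(., ?, *, +, [ ], [^ ], -, \x) mean the same thing in both."""
import re


def grep_hits(expression, data, case_sensitive=False):
    r"""Every substring of data matched by the GREP expression.

    data may be str or bytes; bytes are needed for \x patterns that describe
    raw headers. A str expression is applied to bytes by treating each
    character as one byte (latin-1). Case-insensitive unless asked otherwise,
    mirroring the Case Sensitive checkbox."""
    flags = 0 if case_sensitive else re.IGNORECASE
    if isinstance(data, bytes) and isinstance(expression, str):
        expression = expression.encode("latin-1")
    return [m.group(0) for m in re.finditer(expression, data, flags)]


def matching_candidates(expression, candidates):
    """The multiple-choice form: which candidate strings contain a hit."""
    return [c for c in candidates if grep_hits(expression, c)]


def matching_words(expression, words):
    """Each word tested as it would sit in running text, surrounded by spaces
    (an assumption about the data, so [^a-z] has a non-letter to consume)."""
    return [w for w in words if grep_hits(expression, f" {w} ")]


def ascii_and_unicode_hits(keyword, data):
    """Emulate the Unicode search option: count the keyword as 8-bit text and
    as UTF-16LE, the two-bytes-per-character form the cards call Unicode."""
    ascii_count = len(grep_hits(re.escape(keyword.encode("latin-1")), data))
    unicode_count = len(grep_hits(re.escape(keyword.encode("utf-16-le")), data))
    return ascii_count, unicode_count


# Constructed inputs: the answer options from the cards plus two byte strings.
EMAIL_OPTIONS = ["Bob@America.com", "Bob@New zealand.com", "Bob@a-z.com", "Bob@My-Email.com"]
TOM_OPTIONS = ["Stomp", "Tomato", "Tom", "Toms"]
PHONE_OPTIONS = ["800.555.1212", "8005551212", "800-555-1212", "(800) 555-1212"]
RAW = b"\x00\x01\xFF\xD8\xFF\xE0JFIF..\xFF\xD9 \xFF\xD8\xFF\xE1Exif"   # two JPEG headers
MIXED = b"evidence bag; " + "EVIDENCE".encode("utf-16-le") + b" trailing"

if __name__ == "__main__":
    print(matching_candidates(r"Bob@[a-z]+.com", EMAIL_OPTIONS))
    print(matching_words(r"[^a-z]Tom[a-z]", TOM_OPTIONS))
    print(matching_candidates(r"800[) \-]+555-1212", PHONE_OPTIONS))
    print(grep_hits(r"joh?n", "Jon, John and Joan"))
    print(len(grep_hits(r"\xFF\xD8\xFF", RAW)), "JPEG headers")
    print(ascii_and_unicode_hits("evidence", MIXED))
```

One caveat the cards do not spell out: in Bob@[a-z]+.com the unescaped "." is the any-character operator, so Bob@Americaxcom is also a hit; write \. when a literal period is meant.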
Term
Default settings for the EnCase BOOT DISK search do NOT include case sensitivity, GREP or UNICODE.
A. True
B. False |
|
Definition
A. TRUE |
|
|
Term
Searches in unallocated space are (Physical / Logical) only. (Choose one) |
|
Definition
Searches in unallocated space are PHYSICAL only, as no logical definitions exist in this area. |
|
|
Term
In the EnCase Windows environment, searches will find keywords in non-contiguous clusters in unallocated space.
A. TRUE
B. FALSE |
|
Definition
B. False
No searching tool will find keywords in non-contiguous clusters in unallocated space. |
|
|
Term
Within the EnCase Environment, what does the File Signatures function do? |
|
Definition
It simply compares the displayed file extension with the file's header/signature. |
|
|
Term
The File Signature table in EnCase CANNOT be changed.
A. TRUE
B. FALSE |
|
Definition
B. FALSE.
The File Signature table CAN be edited and/or added to by accessing the table, and choosing [right-click]-New. |
|
|
Term
After adding a device to your case, you immediately go to the Gallery View tab, as this will display all supported image files, even if they maintain extensions inconsistent with image files.
A. TRUE
B. FALSE |
|
Definition
B. FALSE
The Gallery View will NOT display image files with incorrect extensions until the File Signature Analysis function has been run. |
|
|
Term
After running the File Signature Analysis function, a file shows " !Bad Signature " as the result. What does this mean? |
|
Definition
!Bad Signature - The extension is in the File Signature table, but the header is incorrect and the header is not in the File Signatures table.
BAD -> [header].[ext] <-GOOD |
|
|
Term
After running the File Signature Analysis function, a file shows " *[Alias] " as the result. What does this mean? |
|
Definition
*[Alias] - The header is in the table and the extension is incorrect. This indicates a file with a renamed extension.
GOOD -> [header].[ext] <- BAD |
|
|
Term
After running the File Signature Analysis function, a file shows " MATCH " as the result. What does this mean? |
|
Definition
MATCH - The header matches the extension. If the extension has no header in the File Signatures table then EnCase will return a MATCH as long as the header of the file does not match any header in the File Signatures table.
GOOD -> [header].[ext] <- GOOD |
|
|
Term
Before running the File Signature Analysis function, the Gallery View will display all supported image files, even if they maintain extensions inconsistent with image files.
A. TRUE
B. FALSE |
|
Definition
B. FALSE
The Gallery View will NOT display image files with incorrect extensions until the File Signature Analysis function has been run. |
|
|
Term
After running the File Signature Analysis function, a file shows " UNKNOWN " as the result. What does this mean? |
|
Definition
UNKNOWN - Indicates that neither the header/signature nor the extension is listed in the table. If either the header/signature or the extension is listed in the table, you will NOT obtain a value of UNKNOWN.
UNKNOWN -> [header].[ext] <- UNKNOWN |
|
|
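The four result cards above (!Bad Signature, *[Alias], MATCH, UNKNOWN) and the four multiple-choice signature cards earlier in the deck describe a decision made from two facts: is the header in the table, and is the extension in the table for that header. The following is an added example written for this page, not EnCase code, that implements that decision, including the case the MATCH card calls out (an extension listed without a header of its own). The signature table and the sample "files" are a small constructed subset; a real table holds hundreds of entries.

```python
"""Added example: File Signature Analysis decision logic as the cards describe
it. Stand-alone re-implementation, not EnCase code; the table is constructed."""

# Constructed table: header bytes -> extensions that legitimately carry that header.
# One header may own several extensions (jpg/jpeg), and one container header may
# be shared by several formats (ZIP also wraps Office Open XML documents).
HEADERS = {
    b"\xFF\xD8\xFF": {"jpg", "jpeg"},
    b"\x89PNG\r\n\x1a\n": {"png"},
    b"PK\x03\x04": {"zip", "docx", "xlsx"},
    b"MZ": {"exe", "dll"},
}
# Extensions listed in the table that have no header of their own (plain text).
EXTENSIONS_WITHOUT_HEADER = {"txt", "log", "csv"}
IMAGE_HEADERS = {b"\xFF\xD8\xFF", b"\x89PNG\r\n\x1a\n"}   # what a gallery would render


def extension_of(name):
    """Lower-case extension, or '' when the name has none."""
    return name.rsplit(".", 1)[1].lower() if "." in name else ""


def header_of(data):
    """The table header the data begins with, or None when nothing matches."""
    for header in HEADERS:
        if data.startswith(header):
            return header
    return None


def signature_result(name, data):
    """Classify one file into the four results the cards define."""
    ext = extension_of(name)
    header = header_of(data)
    if header is not None:
        # Header known: extension either belongs to it (MATCH) or was renamed (*[Alias]).
        return "MATCH" if ext in HEADERS[header] else "*[Alias]"
    if any(ext in exts for exts in HEADERS.values()):
        # Extension expects a header, but this header is not in the table at all.
        return "!Bad Signature"
    if ext in EXTENSIONS_WITHOUT_HEADER:
        # Extension has no header in the table and the header matched nothing: MATCH.
        return "MATCH"
    return "UNKNOWN"


def analyze(files):
    """Run the analysis over {name: leading bytes} and return {name: result}."""
    return {name: signature_result(name, data) for name, data in files.items()}


def gallery_candidates(files):
    """Names carrying an image header regardless of extension: the renamed
    pictures a gallery keyed only on extension would miss before the analysis."""
    return sorted(name for name, data in files.items() if header_of(data) in IMAGE_HEADERS)


# Constructed sample files: only the leading bytes matter for this check.
SAMPLE = {
    "holiday.jpeg": b"\xFF\xD8\xFF\xE0\x00\x10JFIF",
    "notes.txt": b"\xFF\xD8\xFF\xE1 hidden picture",    # JPEG renamed to .txt
    "report.docx": b"this is not a zip container",
    "readme.txt": b"plain text, no header expected",
    "blob.dat": b"\x00\x01\x02\x03",
    "tools.zip": b"PK\x03\x04\x14\x00",
}

if __name__ == "__main__":
    for name, result in analyze(SAMPLE).items():
        print(f"{name:14} {result}")
    print("gallery:", gallery_candidates(SAMPLE))
```

Running it classifies notes.txt as *[Alias] and lists it as a gallery candidate, which is the renamed-picture case the Gallery View cards warn about.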
Term
The hash value computed for a given file is based upon the physical file, including the files slack area.
A. TRUE
B. FALSE |
|
Definition
B. FALSE
The hash value is computed on the LOGICAL file only. |
|
|
Term
The hash value for a file will change if it is moved to another Folder/Directory.
A. TRUE
B. FALSE |
|
Definition
B. FALSE
The Folder/Directory that a file resides within has NO bearing on its hash value. |
|
|
Term
What purpose does a Hash Analysis serve for the Examiner? |
|
Definition
Hash Analysis allows the examiner to identify files that are known - either as innocuous files that can be ignored, or as files that are evidentiary in content. |
|
|
Term
A files content can be recreated based on the computed hash value of that file.
A. TRUE
B. FALSE |
|
Definition
B. FALSE
A file CANNOT be created from the files computed hash value. |
|
|
Term
What does ASCII stand for? |
|
Definition
American Standard Code for Information Interchange. |
|
|
Term
The ASCII Table is a _____ - Bit table. |
|
Definition
The ASCII table is a 7-bit table. The resultant 128 values represent alpha/numeric values, common punctuation, etc. |
|
|
Term
What does the "LE" indicator within EnCase indicate? |
|
Definition
It indicates the number of BYTES that have been selected / swept / highlighted. |
|
|
Term
Nibble = _____ Byte = _____ Word = _____ DWord = _____ |
|
Definition
Nibble = 4 bits (16 possible values) Byte = 8 bits (256 possible values) Word = 2 bytes (16 bits) DWord = 4 bytes (32 bits) |
|
|
Term
Only one file can occupy a CLUSTER at one time.
A. TRUE
B. FALSE |
|
Definition
A. TRUE
No two files can occupy the same cluster. |
|
|
Term
___________ file size is the amount of actual media space allocated to the file.
Choose One:
A. Physical B. Logical C. Allocated
|
|
Definition
A. Physical |
|
|
Term
___________ file size is the actual number of bytes that the file contains.
Choose One:
A. Physical B. Logical C. Allocated
|
|
Definition
B. Logical |
|
|
Term
By default, each sector contains ____ data bytes. |
|
Definition
512 data bytes. This size is consistent across different media types. (ZIP Disks, Floppies, HDD, etc...) |
|
|
Term
Each FAT volume maintains how many copies of the FAT? |
|
Definition
It maintains two (2) copies of the FAT - FAT1 and FAT2. |
|
|
Term
The number of clusters that a file system can manage is determined by the available number of _____ employed by the FAT.
Choose One:
A. bytes B. bits C. sectors D. blocks
|
|
Definition
B. BITS.
FAT16 (16-bit entries, 2^16) - allows 65,536 clusters. FAT32 (32-bit entries of which 28 bits are used, 2^28) - allows 268,435,456 clusters. |
|
|
Term
The FAT file systems (FAT12, FAT16, FAT32) group one or more sectors, in powers of 2, into _________.
Choose One:
A. Blocks B. Clusters C. Groups
|
|
Definition
B. Clusters |
|
|
Term
The FAT maintains information regarding the status of all the clusters on the volume. What are some of these settings?
|
|
Definition
- Available - End of File - BAD - In Use |
|
|
Term
What is Slack Space? |
|
Definition
It is the data from the end of the logical file to end of the physical file. EnCase displays this data in RED text. |
|
|
Term
EnCase displays Slack Space in red text. By default, what other entry is also displayed in red and why? |
|
Definition
Directory entries are also displayed in red. Neither slack nor directories have any logical size. |
|
|
Term
How does EnCase determine if a deleted file has been overwritten? |
|
Definition
If the starting extent (cluster) is in use by another file. |
|
|
Term
Deleting a file has NO effect on the actual data in FAT or NTFS.
A. TRUE
B. FALSE |
|
Definition
A. TRUE
Only the file system bookkeeping changes (directory entry and FAT, or the MFT record); the data remains on disk until the clusters are reused. |
|
|
Term
What two (2) actions occur when a file is deleted from a FAT system? |
|
Definition
1. The first character of the directory entry pertaining to the file is changed to E5h.
2. The values within the FAT that pertain to this file are reset to zero (available). |
|
|
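The FAT cards above fit together as one small system: a 32-byte directory entry holding the starting cluster and logical size, a FAT chain that ends in an EOF marker, physical size and slack derived from the chain, and deletion as E5h on the name plus the chain reset to available, with "overwritten" meaning the starting cluster is in use by another file. The following is an added example written for this page, not EnCase code: a miniature FAT16 volume with constructed geometry (512-byte sectors, 4 sectors per cluster) that exercises each of those points on constructed file contents.

```python
"""Added example: a miniature FAT16 volume showing what the FAT cards state.
Not EnCase code; geometry and contents are constructed for the example.
FAT16 entry markers: 0000 = available, FFF7 = bad, FFFF = end of file."""
import struct

SECTOR = 512
SECTORS_PER_CLUSTER = 4
CLUSTER = SECTOR * SECTORS_PER_CLUSTER          # 2048 bytes per cluster
FREE, BAD, EOF = 0x0000, 0xFFF7, 0xFFFF
DELETED = 0xE5                                  # first byte of a deleted entry's name
ENTRY = "<8s3sB14xHI"  # name, ext, attr, 14 bytes skipped (times/dates), start cluster, size = 32 bytes


class Volume:
    def __init__(self, clusters=64):
        self.fat = [FREE] * clusters
        self.fat[0] = self.fat[1] = EOF            # entries 0 and 1 are reserved; data starts at 2
        self.directory = []                        # raw 32-byte entries, one per file
        self.data = bytearray(clusters * CLUSTER)

    def _free_cluster(self):
        for n in range(2, len(self.fat)):
            if self.fat[n] == FREE:
                return n
        raise OSError("volume full")

    def write_file(self, name, ext, content):
        """Allocate a chain, write the data, append a directory entry; return its index."""
        if not content:
            raise ValueError("example keeps to non-empty files")
        chain = []
        for off in range(0, len(content), CLUSTER):
            n = self._free_cluster()
            self.fat[n] = EOF                      # newest link is the end of file so far
            if chain:
                self.fat[chain[-1]] = n            # previous link now points to this cluster
            piece = content[off:off + CLUSTER]
            self.data[n * CLUSTER:n * CLUSTER + len(piece)] = piece
            chain.append(n)
        entry = struct.pack(ENTRY, name.ljust(8).encode(), ext.ljust(3).encode(),
                            0x20, chain[0], len(content))
        self.directory.append(bytearray(entry))
        return len(self.directory) - 1

    def parse_entry(self, idx):
        raw = self.directory[idx]
        name, ext, _attr, start, size = struct.unpack(ENTRY, bytes(raw))
        return {"name": name.decode("latin-1").rstrip(), "ext": ext.decode().rstrip(),
                "deleted": raw[0] == DELETED, "start": start, "size": size}

    def chain(self, start):
        """Follow the FAT from the starting cluster until EOF, a free/bad entry, or a loop."""
        out, n = [], start
        while 2 <= n < len(self.fat) and n not in out:
            out.append(n)
            n = self.fat[n]
        return out

    def sizes(self, idx):
        """Logical size from the entry, physical size from the chain, slack as the difference."""
        e = self.parse_entry(idx)
        physical = len(self.chain(e["start"])) * CLUSTER
        return {"logical": e["size"], "physical": physical, "slack": physical - e["size"]}

    def read_logical(self, idx):
        e = self.parse_entry(idx)
        raw = b"".join(self.data[n * CLUSTER:(n + 1) * CLUSTER] for n in self.chain(e["start"]))
        return raw[:e["size"]]

    def read_slack(self, idx):
        """Bytes from the end of the logical file to the end of its last cluster."""
        e = self.parse_entry(idx)
        links = self.chain(e["start"])
        used_in_last = e["size"] - (len(links) - 1) * CLUSTER
        last = links[-1]
        return bytes(self.data[last * CLUSTER + used_in_last:(last + 1) * CLUSTER])

    def delete(self, idx):
        """The two changes the cards name: E5h on the name, chain reset to available. Data untouched."""
        e = self.parse_entry(idx)
        for n in self.chain(e["start"]):
            self.fat[n] = FREE
        self.directory[idx][0] = DELETED

    def is_overwritten(self, idx):
        """The rule from the cards: deleted, and the starting cluster is in use by another file."""
        e = self.parse_entry(idx)
        return e["deleted"] and self.fat[e["start"]] != FREE


if __name__ == "__main__":
    v = Volume()
    idx = v.write_file("REPORT", "TXT", b"A" * 3000)    # constructed content: 2 clusters, 1096 bytes slack
    print(v.parse_entry(idx), v.sizes(idx))
    v.delete(idx)
    print(v.parse_entry(idx), "overwritten:", v.is_overwritten(idx))
```

After delete(), the entry still carries the starting cluster and size, which is what lets a recovery tool rebuild the file until another write claims cluster 2.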
Term
What does BIOS stand for? |
|
Definition
BIOS = Basic Input Output System |
|
|
Term
What does the BIOS do when the system is powered on? |
|
Definition
It is responsible for the initial checking of the system components and initial configuration of the system once power is turned on. |
|
|
Term
What does the Examiner access to determine the target system boot sequence and system date/time? |
|
Definition
The systems BIOS (Basic Input/Output System). |
|
|
Term
What is RAM? |
|
Definition
Random Access Memory - stores data temporarily and is accessible immediately to the Operating System. |
|
|
Term
What is the first activity taken by a computer system after power is applied? |
|
Definition
POST - Power On Self Test. This includes the testing of identified attached devices on the system bus. |
|
|
Term
When are drive letters assigned by the operating system? |
|
Definition
During the boot process. Note these letters are NOT written to the media. |
|
|
Term
In order for media to be bootable it must maintain a _________________. |
|
Definition
Bootable partition / volume and in the case of HDD's it must also be set to Active. |
|
|
Term
What are some examples of Add-In Cards? |
|
Definition
SCSI Host Card, Video Card, Network Interface Card (NIC), etc... |
|
|
Term
How are most standard IDE Drives configured for the roles of MASTER/SLAVE/CABLE? |
|
Definition
Through the use of Jumper PINs on the physical drive. |
|
|
Term
SCSI drives follow the same methodology as IDE drives of MASTER/SLAVE.
A. TRUE
B. FALSE |
|
Definition
B. FALSE.
SCSI drives are assigned ID numbers, usually by a jumper PIN on the physical drive. |
|
|
Term
What is the formula for determing hard drive capacity (CHS geometry)? |
|
Definition
Cylinders x Heads x Sectors (per track) x 512 |
|
|
Term
What is contained in the first sector of a standard hard drive? |
|
Definition
The MASTER BOOT RECORD. In the Windows and Linux operating system environment, the partition table is also located here. |
|
|
Term
What is contained in the first sector of each defined partition on a physical hard drive? |
|
Definition
|
|
Term
The partition table in the Master Boot Record (MBR) can maintain how many entries? What is each record's length? |
|
Definition
The MBR can maintain four (4) records, each 16 Bytes in length. |
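
As an added worked example (not part of the original card set), the following Python parses the partition table described above from a raw sector 0: it checks the 0x55AA signature, walks the four 16-byte records starting at byte offset 446, flags the Active (0x80) entry, and reports overlapping entries, which a hand-edited table can use to hide data. The sample sector and all of its partition values are constructed for this example; the `lba_start` of each record is where that partition's own first sector lives.

```python
import struct

SECTOR = 512
PARTITION_TABLE_OFFSET = 446   # 446 bytes of boot code precede the table
ENTRY_SIZE = 16                # four 16-byte records
ENTRY_COUNT = 4
BOOT_SIGNATURE = b"\x55\xAA"   # last two bytes of sector 0
ACTIVE_FLAG = 0x80

# One 16-byte entry (little-endian): status, CHS start (3 bytes),
# partition type, CHS end (3 bytes), LBA of first sector, sector count.
ENTRY_FMT = "<B3sB3sII"


def parse_mbr(sector0):
    """Return the non-empty partition entries from a raw 512-byte sector 0."""
    if len(sector0) < SECTOR:
        raise ValueError("need the full 512-byte sector")
    if sector0[510:512] != BOOT_SIGNATURE:
        raise ValueError("0x55AA signature missing: sector 0 is not an MBR")
    entries = []
    for i in range(ENTRY_COUNT):
        off = PARTITION_TABLE_OFFSET + i * ENTRY_SIZE
        status, _chs_start, ptype, _chs_end, lba_start, sectors = struct.unpack(
            ENTRY_FMT, sector0[off:off + ENTRY_SIZE])
        if ptype == 0x00:
            continue  # unused slot
        entries.append({
            "slot": i,
            "active": status == ACTIVE_FLAG,
            "type": ptype,
            "lba_start": lba_start,      # sector holding that partition's boot sector
            "sectors": sectors,
            "size_bytes": sectors * SECTOR,
        })
    return entries


def active_entries(entries):
    """An MBR-bootable disk should have exactly one entry flagged 0x80."""
    return [e for e in entries if e["active"]]


def overlapping(entries):
    """Pairs of slots whose sector ranges overlap (a sign of a tampered table)."""
    pairs = []
    for a in entries:
        for b in entries:
            if a["slot"] < b["slot"]:
                a_end = a["lba_start"] + a["sectors"]
                b_end = b["lba_start"] + b["sectors"]
                if a["lba_start"] < b_end and b["lba_start"] < a_end:
                    pairs.append((a["slot"], b["slot"]))
    return pairs


def build_sample_mbr(tamper=False):
    """Constructed sample sector 0: boot code zeroed, values invented for this example.
    With tamper=True the second entry is moved so that it overlaps the first."""
    mbr = bytearray(SECTOR)
    second_start = 100000 if tamper else 206848
    mbr[446:462] = struct.pack(ENTRY_FMT, 0x80, b"\0\0\0", 0x07, b"\0\0\0", 2048, 204800)
    mbr[462:478] = struct.pack(ENTRY_FMT, 0x00, b"\0\0\0", 0x83, b"\0\0\0", second_start, 409600)
    mbr[510:512] = BOOT_SIGNATURE
    return bytes(mbr)


if __name__ == "__main__":
    parts = parse_mbr(build_sample_mbr())
    for e in parts:
        print(e)
    print("active slots:", [e["slot"] for e in active_entries(parts)])
    print("overlaps in tampered table:", overlapping(parse_mbr(build_sample_mbr(tamper=True))))
```

On a real evidence file, feed `parse_mbr` the first 512 bytes of the physical disk; the parser deliberately ignores the CHS fields, which modern systems leave inconsistent with the LBA values.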
|
|
Term
Using EnCase while doing an on-site triage, what are the four (4) options for previewing a drive? |
|
Definition
1. FastBloc 2. Parallel Cable 3. Network Cable 4. Boot Disk Text Search |
|
|
Term
Why is it important to boot a target system with a Forensic Boot Disk? |
|
Definition
To prevent writes to the target hard drive and the default mounting of a compressed volume. |
|
|
Term
What two files need to be modified on a standard DOS boot disk to make it forensically sound? |
|
Definition
1. IO.SYS 2. COMMAND.COM
Also, the DRVSPACE.BIN file must be removed so that compressed (DriveSpace) volumes are not mounted automatically. |
|
|
Term
Run through the basic procedure for a forensic system takedown. |
|
Definition
1. Photograph environment 2. external inspection 3. label connections 4. internal inspection 5. disconnect power/data cables from HDD 6. boot with EnCase boot disk 7. access BIOS - note date/time and boot sequence |
|
|
Term
Using the EnCase Boot Disk, you will be able to see ALL file systems, including NT logical partitions, Linux, Unix, and MAC HFS.
A. TRUE
B. FALSE |
|
Definition
B. FALSE
The EnCase boot disk uses DOS, which cannot understand other file systems. You should obtain the physical disk evidence file, and then resolve the file structure using EnCase. |
|
|
Term
Evidence files can be restored to media of equal OR greater size.
A. TRUE
B. FALSE |
|
Definition
|
|
Term
How can you verify that the restore completed properly and that it is an exact match to the original media? |
|
Definition
The MD5 hash value of a properly restored evidence file will match the value maintained within the evidence file. |
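
As an added example (not part of the original card set), the Python below shows how that check has to be done when the restore target is larger than the original media: the hash is computed over exactly the original's byte extent, not over the whole target device, otherwise the trailing unused sectors change the digest and a correct restore looks like a failure. The sample "original" and "restored" byte strings are constructed for this example; on real hardware `restored_stream` would be the block device opened read-only.

```python
import hashlib
import io

SECTOR = 512
CHUNK = 1 << 20  # 1 MiB reads keep memory flat on multi-GB devices


def md5_first_n_bytes(stream, n, chunk=CHUNK):
    """MD5 of exactly the first n bytes of a file-like object; a short read is an error."""
    h = hashlib.md5()
    remaining = n
    while remaining:
        data = stream.read(min(chunk, remaining))
        if not data:
            raise ValueError("stream ended %d bytes short of the original size" % remaining)
        h.update(data)
        remaining -= len(data)
    return h.hexdigest()


def verify_restore(restored_stream, original_size_bytes, expected_md5):
    """True when the restored media's first original_size_bytes hash to expected_md5."""
    if original_size_bytes % SECTOR:
        raise ValueError("original size must be a whole number of sectors")
    return md5_first_n_bytes(restored_stream, original_size_bytes) == expected_md5.lower()


def verify_restore_bytes(restored, original_size_bytes, expected_md5):
    """Convenience wrapper for in-memory data."""
    return verify_restore(io.BytesIO(restored), original_size_bytes, expected_md5)


def expected_md5(data):
    return hashlib.md5(data).hexdigest()


def build_sample_media():
    """Constructed sample: an 8-sector original and the same bytes restored
    onto a 10-sector target, so the target has two trailing zero sectors."""
    original = bytes(range(256)) * 16                 # 4096 bytes = 8 sectors
    restored_larger = original + b"\x00" * (2 * SECTOR)
    return original, restored_larger


if __name__ == "__main__":
    original, restored = build_sample_media()
    h = expected_md5(original)
    print("hash over original extent :", verify_restore_bytes(restored, len(original), h))
    print("hash over whole larger disk:", expected_md5(restored) == h)
```

The second line of output is False, which is the point: the comparison is only meaningful over the sector count the evidence file actually recorded.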
|
|
Term
When restoring evidence files of a logical partition, the file system it is being restored to must match the original.
A. TRUE
B. FALSE |
|
Definition
|
|
Term
Where do you commonly see BASE64 encoded files? |
|
Definition
|
|
Term
Where does Windows 2000 and XP store users personal folders? |
|
Definition
"C:\Documents and Settings" |
|
|
Term
|
Definition
.lnk files are "shortcut" files created by the Windows operating system for files manipulated by the logged-in user. They can show dates, times, and the full path to the target file. |
|
|
Term
Name some of the more common artifact locations in the Windows 9X operating environment. |
|
Definition
C:\Windows\Recent C:\Windows\Desktop C:\Windows\Send To C:\Windows\Temp |
|
|
Term
In DOS/Windows environments, what is the length of FAT Directory entries? |
|
Definition
|
|
Term
Every printed document from a computer is considered an "Original".
A. TRUE
B. FALSE |
|
Definition
|
|
Term
Compression of evidence files has no bearing on the validity or admissibility of the data.
A. TRUE
B. FALSE |
|
Definition
A. TRUE.
Courts have ruled that the manner in which data is maintained, while in storage, is not relevant, as long as the data is accurately portrayed when accessed and presented in a printout or other output, readable by sight. |
|
|
Term
What is meant by the legal term "Daubert"? |
|
Definition
It is a legal test employed by US courts to determine if a scientific or technical process is acceptable. |
|
|
Term
What are the three basic questions asked to determine if a process is acceptable under Daubert? |
|
Definition
1. Has the process been tested and subjected to peer review? 2. Does the process/application maintain general acceptance within the related community? 3. Can the findings be duplicated/repeated? |
|
|
Term
If the original evidence must be returned to the owner, can the EnCase Evidence files be considered "Best Evidence"? |
|
Definition
|
|
Term
What type of files are commonly associated with printing in the Windows operating system? |
|
Definition
|
|
Term
If the file system is not supported by EnCase, the Examiner cannot use EnCase to do the examination.
A. TRUE
B. FALSE |
|
Definition
B. FALSE.
The examiner can still do text searches, run EnScripts for file headers and footers, etc... |
|
|
Term
You need to do an onsite acquisition of a Windows NT Server, should you Shut Down the system or pull the power plug? |
|
Definition
Gracefully shut down the system. Generally, servers need to be shut down gracefully. Workstations or personal computers should have the power plug pulled. |
|
|
Term
|
Definition
Integrated Drive Electronics. |
|
|