EnCase EnCe Flashcards

Computer file
When an EnCase user double-clicks on a file within EnCase, what determines the action that will result?
 
A. The settings in the case file.
B. The settings in the FileTypes.ini file.
C. The setting in the evidence file.
B. The settings in the FileTypes.ini file
Search results are found in which of the following files?
 
Select all that apply.
 
A. The evidence file
B. The configuration Searches.ini file
C. The case file
C. The case file
If cluster #3552 entry in the FAT table contains a value of ?? this would mean:
 
A. The cluster is unallocated
B. The cluster is the end of a file
C. The cluster is allocated
D. The cluster is marked bad
A. The cluster is unallocated
The following GREP expression was typed in exactly as shown. Choose the answer(s) that would result. [email protected][a-z]+.com
 
A. [email protected] zealand.com
B. [email protected]
C. [email protected]
D. [email protected]
You are an investigator and have encountered a computer that is running at the home of a suspect. The computer does not appear to be a part of a network. The operating system is Windows XP Home. No programs are visibly running. You should:
 
A. Pull th
A. Pull the plug from the back of the computer.
A physical file size is:
 
A. The total size in sectors of an allocated file.
B. The total size of all the clusters used by the file measured in bytes.
C. The total size in bytes of a logical file.
D. The total size of the file including the ram sla
B. The total size of all the clusters used by the file
In Unicode, one printed character is composed of ____ bytes of data.
 
A. 8
B. 4
C. 2
D. 1
C. 2
If cluster number 10 in the FAT contains the number 55, this means:
 
A. That cluster 10 is used and the file continues in cluster number 55.
B. That the file starts in cluster number 55 and continues to cluster number 10.
C. That there is a cross-li
A. That cluster 10 is used and the file continues in cluster number 55.
How are the results of a signature analysis examined?
 
A. By sorting on the category column in the Table view.
 
B. By sorting on the signature column in the Table view.
B. By sorting on the signature column in the Table view.
The acronym ASCII stands for:
 
A. American Standard Communication Information Index
B. American Standard Code for Information Interchange
C. Accepted Standard Code for Information Interchange
D. Accepted Standard Communication Information Index
B. American Standard Code for Information Interchange
The default export folder remains the same for all cases.
 
A. True
B. False
B. False
The EnCase default export folder is:
 
A. A case-specific setting that cannot be changed.
B. A case-specific setting that can be changed.
C. A global setting that can be changed.
D. A global setting that cannot be changed.
B. A case-specific setting that can be changed.
Hash libraries are commonly used to:
 
A. Compare a file header to a file extension.
B. Identify files that are already known to the user.
C. Compare one hash set with another hash set.
D. Verify the evidence file.
B. Identify files that are already known to the user.
Which is the proper formula for determining the size in bytes of a hard drive that uses cylinders (C), heads (H), and sectors (S) geometry?
 
A. C X H + S
B. C X H X S + 512
C. C X H X S X 512
D. C X H X S
C. C X H X S X 512
Within EnCase, clicking on Save on the toolbar affects what file(s)?
 
A. All of the above
B. The evidence files
C. The open case file
D. The configuration .ini files
C. The open case file
EnCase uses the _________________ to conduct a signature analysis.
 
A. Both a and b
B. file signature table
C. hash library
D. file Viewers
B. file signature table
EnCase is able to read and examine which of the following file systems?
 
A. NTFS
B. EXT3
C. FAT
D. HFS
A. NTFS
B. EXT3
C. FAT
D. HFS
ROM is an acronym for:
 
A. Read Open Memory
B. Random Open Memory
C. Read Only Memory
D. Relative Open Memory
C. Read Only Memory
If a floppy diskette is in the drive, the computer will always boot to that drive before any other device.
 
A. False
B. True
B. True
A standard Windows 98 boot disk is acceptable for booting a suspect drive.
 
A. True
B. False
A. True
Search terms are case sensitive by default.
 
A. False
B. True
B. True
The following GREP expression was typed in exactly as shown. Choose the answer(s) that would result. Jan 1st , 2?0?00
 
A. Jan 1st , 1900
B. Jan 1st , 2100
C. Jan 1st , 2001
D. Jan 1st , 2000
D. Jan 1st , 2000
An evidence file can be moved to another directory without changing the file verification.
 
A. False
B. True
B. True
Pressing the power button on a computer that is running could have which of the following results?
 
A. The computer will instantly shut off.
B. The computer will go into stand-by mode.
C. Nothing will happen.
D. All of the above could happen. E. Th
D. All of the above could happen.
How does EnCase verify that the evidence file contains an exact copy of the suspect hard drive?
 
A. By means of a CRC value of the suspect hard drive com
B. By means of an MD5 hash of the suspect hard drive compared to an MD5 hash of the data stored in the evidence file.
By default, EnCase will display the data from the end of a logical file, to the end of the cluster, in what color:
 
A. Red
B. Red on black
C. Black on red
D. Black
A. Red
A SCSI drive is pinned as a master when it is:
 
A. The only drive on the computer.
B. The primary of two drives connected to one cable.
C. Whenever another drive is on the same cable and is pinned as a slave.
D. A SCSI drive is not pinned as a mast
D. A SCSI drive is not pinned as a master.
The following GREP expression was typed in exactly as shown. Choose the answer(s) that would result. [^a-z]Tom[^a-z]
 
A. Tomato
B. om? ? RP
C. Toms
D. Stomp
B. om? ? RP
This question addresses the EnCase for Windows search process. If a target word is within a logical file, and it begins in cluster 10 and ends in cluster 15 (the word is fragmented), the search:
 
A. Will not find it unless file slack is checked on the s
B. Will find it because EnCase performs a logical
An evidence file was archived onto five CD-ROM disks with the third file segment on disk number three. Can the contents of the third file segment be verified by itself while still on the CD?
 
A. No. Archived files are compressed and cannot be verified
C. Yes. Any segment of an evidence file can be verified through re-computing and comparing the CRCs, even if it is on a CD.
You are a computer forensic examiner tasked with determining what evidence is on a seized computer. On what part of the computer system will you find data of evidentiary value?
 
A. Microprocessor or CPU
B. USB controller
C. Hard drive
D. PCI expans
C. Hard drive
You are a computer forensic examiner explaining how computers store and access the data you recovered as evidence during your examination. The evidence was a log file and was recovered as an artifact of user activity on the ____________, which was stored
B. operating system, file system, partition
You are a computer forensic examiner investigating a seized computer. You recovered a document containing potential evidence. EnCase reports the file system on the forensic image of the hard drive is FAT (File Allocation Table). What information about the
C. Starting cluster of the file D. Fragmentation of the file
You are a computer forensic examiner investigating media on a seized computer. You recovered a document containing potential evidence. EnCase reports the file system on the forensic image of the hard drive is NTFS (New Technology File System). What inform
A. Name of the file
B. Date and time stamps of the file
C. Starting cluster of the file
D. Fragmentation of the file
E. Ownership of the file
You are preparing to lead a team to serve a search warrant on a business suspected of committing large-scale consumer fraud. Ideally, which tasks would you assign to search team members? (Choose all that apply.)
 
A. Photographer
B. Search and sei
A. Photographer
B. Search and seizure specialists
C. Recorder
D. Digital evidence search and seizure specialists
You are a computer forensic examiner at a scene and have determined you will seize a Linux server, which according to your source of information contains the database records for the company under investigation for fraud. What is the best practice for “
A. Photograph the screen and note any running programs or messages, and so on, and use the normal shutdown procedure.
You are a computer forensic examiner at a scene and are authorized to seize only media that can be determined to have evidence related to the investigation. What options do you have to determine whether evidence is present before seizure and a full forens
B. Use an EnCase boot floppy or CD to boot the machine into Linux, and use LinEn to preview the hard drive through a crossover cable with EnCase for Windows.
 
C. Remove the subject hard drive from the machine, and preview the hard drive in EnCase for Windows with a hardware write blocker such as FastBloc.
 
D. Use an EnCase boot floppy or CD to boot the machine into DOS, and use EnCase for DOS to preview the hard drive through a crossover cable with EnCase for Windows.
You are a computer forensic examiner at a scene and have determined you will need to image a hard drive in a workstation while on-site. What are your options for creating a forensically sound image of the hard drive? (Choose all that apply.)
 
A. Use a
B. Use a forensically sound Linux boot CD to boot the machine into Linux, and use LinEn to image the subject hard drive to a second hard drive attached to the machine.
 
C. Remove the subject hard drive from the machine, and image the hard drive in EnCase for Windows with a hardware write blocker such as FastBloc.
 
D. Use an EnCase boot floppy or CD to boot the machine into DOS, and use EnCase for DOS to image the hard drive through a crossover cable with EnCase for Windows.
You are a computer forensic examiner and have imaged a hard drive on site. Before you leave the scene, you want to ensure the image completely verifies as an exact forensic duplicate of the original. To verify the EnCase evidence file containing the image
D. Load the EnCase evidence files into EnCase for Windows, allow the verification process to finish, and then check the results for complete verification.
You are a computer forensic examiner and need to verify the integrity of an EnCase evidence file. To completely verify the file’s integrity, which of the following must be true?
 
A. The MD5 hash value must verify.
B. The CRC values and the MD5 hash
B. The CRC values and the MD5 hash value both must verify.
You are a computer forensic examiner and need to determine what files are contained within a folder called Business documents. What EnCase pane will you use to view the names of the files in the folder?
 
A. Tree pane
B. Table pane
C. View pane
D. F
B. Table pane
You are a computer forensic examiner and need to view the contents of a file contained within a folder called Business documents. What EnCase pane will you use to view the contents of the file?
 
A. Tree pane
B. Table pane
C. View pane
D. Filter pan
C. View pane
You are a computer forensic examiner and are viewing a file in an EnCase evidence file. With your cursor, you have selected one character in the file. What binary term is used for the amount of data that represents a single character?
 
A. A b
C. A byte
You are a computer forensic examiner and need to search for the name of a suspect in an EnCase evidence file. You enter the name of the suspect into the EnCase keyword interface as John Doe. What search hits will be found with this search term wit
A. John Doe
C. john doe
You are a computer forensic examiner and need to determine whether any Microsoft Office documents have been renamed with image extensions to obscure their presence. What EnCase process would you use to find such files?
 
A. File signature analysis
A. File signature analysis
You are a computer forensic examiner and want to reduce the number of files required for examination by identifying and filtering out known good or system files. What EnCase process would you use to identify such files?
 
A. File signature analysis
D. File hash analysis
You are a computer forensic examiner and want to determine whether a user has opened or double-clicked a file. What folder would you look in for an operating system artifact for this user activity?
 
A. Temp
B. Recent
C. Cookies
D. Desktop
B. Recent
You are a computer forensic examiner and want to determine when a user deleted a file contained in a Windows XP Recycle Bin. In what file is the date and time information about the file deletion contained?
 
A. index.dat
B. Link file
C. INFO2
D. del
C. INFO2
You are a computer forensic examiner and want to determine how many times a program was executed. Where would you find information?
 
A. Temp folder
B. Registry
C. Recycle Bin
D. Program Files
B. Registry
You are a computer forensic examiner and want to examine any email sent and received by the user of the computer system under investigation. What email formats are supported by EnCase?
 
(Choose all that apply.)
 
A. Outlook
B. Outlook Express
C.
A. Outlook
B. Outlook Express
C. America Online
D. Hotmail
E. Yahoo!
F. Mozilla Thunderbird
What is the definition of a CPU?
 
A. The physical computer case that contains all its internal components
B. The computer’s internal hard drive
C. A part of the computer whose function is to perform data processing
D. A part of the computer
C. A part of the computer whose function is to perform data processing
What is the BIOS?
 
A. BIOS stands for Basic Input Output System and is a combination of low-level software and drivers that function as the interface, intermediary, or layer between a computer’s hardware and its operating system.
 
B. BIOS stands
A. BIOS stands for Basic Input Output System and is a combination of low-level software and drivers that function as the interface, intermediary, or layer between a computer’s hardware and its operating system.
Is the information stored on a computer’s ROM chip lost during a proper shutdown?
 
A. Yes
B. No
B. No
Is the information contained on a computer’s RAM chip accessible after a proper shutdown?
 
A. Yes
B. No
B. No
Can information stored in the BIOS ever change?
 
A. Yes
B. No
A. Yes
What is the purpose or function of a computer’s ROM chip?
 
A. Long-term or permanent storage of information and instructions
B. Temporary storage area to run applications
C. Permanent storage area for programs and files
D. A portable storage devi
A. Long-term or permanent storage of information and instructions
Information contained in RAM memory (system’s main memory), which is located on the motherboard, is _________.
 
A. volatile
B. nonvolatile
A. volatile
What is the maximum number of drive letters assigned to hard drive(s) partitions on a system?
 
A. 4
B. 16
C. 24
D. Infinity
C. 24
The smallest area on a drive that data can be written to is a _______, while the smallest area on a drive that a file can be written to is a ________.
 
A. bit
B. sector and cluster
The size of a physical hard drive can be determined by which of the following?
 
A. The cylinder × head × sector
B. The cylinder × head × sector × 512 bytes
C. The total LBA sectors ×512 bytes
D. Adding the total size of partitions
E. Both B
E. Both B and C
The electrical pathway used to transport data from one computer component to another is called what?
 
A. Bus
B. RAM
C. CMOS
D. BIOS
A. Bus
What is the main component of a computer to which essential internal devices such as CPU, memory chips, and other chipsets are attached?
 
A. BIOS
B. Motherboard
C. Expansion card
D. Processor
B. Motherboard
IDE, SCSI, and SATA are different types of interfaces describing what device?
 
A. RAM chips
B. Flash memory
C. CPUs
D. Hard drives
D. Hard drives
What do the terms master, slave, and Cable Select refer to?
 
A. External SCSI devices
B. Cable types for external hardware
C. Jumper settings for internal hardware such as IDE hard drives and CD drives
D. Jumper settings for internal expansion card
C. Jumper settings for internal hardware such as IDE hard drives and CD drives
What can you assume about a hard drive that is pinned as CS?
 
A. It’s an IDE drive.
B. It’s a SATA drive.
C. It’s a SCSI drive.
D. All of the above.
A. It’s an IDE drive.
What is found at Cylinder 0, Head 0, Sector 1 on a hard drive?
 
A. Master boot record
B. Master file table
C. Volume boot record
D. Volume boot sector
A. Master boot record
What is the first sector on a volume called?
 
A. File allocation table
B. Volume boot record or sector
C. Master boot record
D. Volume boot device
B. Volume boot record or sector
Which of the following is incorrect?
 
A. The MBR is typically written when the drive is partitioned with FDISK or DISKPART.
 
B. A file system is a system or method of storing and retrieving data on a computer system that allows for a hierarchy of
D. The partition table is contained within the MBR and consists of a total of 16 bytes, which describes up to four partitions using 4 bytes each to do so.
FAT is defined as which of the following?
 
A. A table consisting of master boot record and logical partitions
B. A table created during the format that the operating system reads to locate data on a drive
C. A table consisting of file names and file
B. A table created during the format that the operating system reads to locate data on a drive
How does a corrupted sector located in the data area of a hard drive affect the corresponding cluster number on a FAT table?
 
A. It does not affect the corresponding cluster number on a FAT table; therefore, the rest of the sectors associated with the
D. It does affect the FAT table. The corresponding cluster number is marked as bad, and the entire cluster is prevented from being written to.
Which of the following describes a partition table?
 
A. It is located at cylinder 0, head 0, sector 1.
B. Is located in the master boot record.
C. It keeps track of the partitions on a hard drive.
D. All of the above.
D. All of the above.
Which selection keeps track of a fragmented file in a FAT file system?
 
A. File allocation table
B. Directory structure
C. Volume boot record
D. Master file table
A. File allocation table
If the FAT table lists cluster number 2749 with a value of 0, what does this mean about this specific cluster?
 
A. It is blank and contains no data.
B. It is marked as bad and cannot be written to.
C. It is allocated to a file.
D. It is unallocated
D. It is unallocated and is available to store data.
Which of the following is true about a volume boot record?
 
A. It is always located at the first sector of its logical partition.
B. It immediately follows the master boot record.
C. It contains BIOS parameter block and volume boot code.
D. A and C
D. A and C.
The NTFS file system does which of the following?
 
A. Supports long file names
B. Compresses individual files and directories
C. Supports large file sizes in excess of 4GB
D. All of the above
D. All of the above
How many clusters can a FAT32 file system manage?
 
A. 2 × 32 = 64 clusters
B. 2^32 = 4,294,967,296 clusters
C. 2 × 28 = 56 clusters
D. 2^28 = 268,435,456 clusters
D. 2^28 = 268,435,456 clusters
The FAT tracks the ________ while the directory entry tracks the ________.
 
A. file name and file size
B. file’s starting cluster and file’s last cluster (EOF)
C. file’s last cluster (EOF) and file’s starting cluster
D. file size and file f
C. file’s last cluster (EOF) and file’s starting cluster
How many copies of the FAT does each FAT32 volume maintain in its default configuration?
 
A. One
B. Two
C. Three
D. Four
B. Two
A file’s logical size is displayed as?
 
A. The number of sectors needed that the logical file contains
B. The number of clusters that the logical file contains
C. The number of bytes that the logical file contains
D. The number of bits that the l
C. The number of bytes that the logical file contains
A file’s physical size is?
 
A. Always greater than the file’s logical size
 
B. The number of bytes in the logical file plus all slack space from the end of the logical file to the end of the last cluster
 
C. Both A and B
 
D. None of th
B. The number of bytes in the logical file plus all slack space from the end of the logical file to the end of the last cluster
A directory entry in a FAT file system has a logical size of which of the following?
 
A. 0 bytes
B. 8 bytes
C. 16 bytes
D. One sector
A. 0 bytes
Each directory entry in a FAT file system is ____ bytes in length.
 
A. 0
B. 8
C. 16
D. 32
D. 32
By default, what color does EnCase use to display directory entries within a directory structure?
 
A. Black
B. Red
C. Gray
D. Yellow
B. Red
What is the area between the end of a file’s logical size and the file’s physical size called?
 
A. Unused disk area
B. Unallocated clusters
C. Unallocated sectors
D. Slack space
D. Slack space
What three things occur when a file is created in a FAT32 file system?
 
A. Directory entry for the file is created, the FAT assigns the necessary clusters to the file, and the file’s data is filled in to the assigned clusters.
 
B. The file name
A. Directory entry for the file is created, the FAT assigns the necessary clusters to the file, and the file’s data is filled in to the assigned clusters.
How does EnCase recover a deleted file?
 
A. It reads the deleted file name in the FAT and searches for the file by its starting cluster number and logical size.
 
B. It reads the deleted file name in the directory entry and searches for the corresp
C. It obtains the deleted file’s starting cluster number and size from the directory entry to obtain the data’s starting location and number of clusters required.
What does EnCase do when a deleted file’s starting cluster number is assigned to another file?
 
A. EnCase reads the entire existing data as belonging to the deleted file.
 
B. EnCase only reads the amount of data from the existing file that is as
C. EnCase marks the deleted file as being overwritten.
What information does a file’s directory entry in a FAT file system store about itself?
 
A. File name
B. Date/time
C. File extension
D. Starting cluster (extent)
E. All of the above
E. All of the above
What is the first consideration when responding to a scene?
 
A. Your safety
B. The safety of others
C. The preservation of evidence
D. Documentation
A. Your safety
What are some variables regarding a facility that you should consider prior to responding to a scene?
 
A. What type of structure is it?
B. How large is the structure?
C. What are the hours of operation?
D. Is there a helpful person present to aid i
E. All of the above.
What are some variables regarding items to be seized that you should consider prior to responding to a scene?
 
A. Location(s) of computers
B. Type of operating system
C. Workstations or mainframes
D. System-critical or auxiliary machine
E. All of
E. All of the above
Generally speaking, if you encounter a desktop computer running Windows XP, how should you take down the machine?
 
A. Shut down using Windows XP.
B. Shut down by pulling the power cord from the outlet.
C. Shut down by pulling the plug from the compu
C. Shut down by pulling the plug from the computer box.
Generally speaking, if you encounter a computer running Windows 2000 Server, how should you take down the machine?
 
A. Shut down using its operating system.
B. Shut down by pulling the power cord from the outlet.
C. Shut down by pulling the plug fro
A. Shut down using its operating system.
Generally speaking, if you encounter a Unix/Linux machine, how should you take down the machine?
 
A. Shut down using its operating system.
B. Shut down by pulling the power cord from the outlet.
C. Shut down by pulling the plug from the computer box
A. Shut down using its operating system.
When unplugging a desktop computer, from where is it best to pull the plug?
 
A. The back of the computer
B. The wall outlet
C. A or B
A. The back of the computer
What is the best method to shut down a notebook computer?
 
A. Unplug from the back of the computer.
B. Unplug from the wall.
C. Remove the battery.
D. Both A and C.
D. Both A and C.
Generally speaking, if you encounter a Macintosh computer, how should you take down the machine?
 
A. Shut down using the operating system.
B. Shut down by pulling the power cord from the outlet.
C. Shut down by pulling the plug from the computer box
C. Shut down by pulling the plug from the computer box.
Which selection displays the incorrect method for shutting down a computer?
 
A. DOS: Pull the plug.
B. Windows 2000: Pull the plug.
C. Windows XP: Pull the plug.
D. Linux: Pull the plug.
D. Linux: Pull the plug.
When shutting down a computer, what information is typically lost?
 
A. Data in RAM memory
B. Running processes
C. Current network connections
D. Current logged-in users
E. All of the above
E. All of the above
Which of the following is not acceptable for “bagging” a computer workstation?
 
A. Large paper bag.
B. Brown wrapping paper.
C. Plastic garbage bag.
D. Large antistatic plastic bag.
E. All of the above are acceptable for bagging a workstation.
C. Plastic garbage bag.
EnCE
Encase Certified Examiner
SCSI
Small Computer Systems Interface
IDE
Integrated Drive Electronics
SATA
Serial Advanced Technology Attachment
RAID
Redundant Array of Inexpensive Disks
DVD
Digital Versatile Disc
USB
Universal serial bus
IEEE
Institute of Electrical and Electronics Engineers
IEEE 1394
Firewire
ISA
Industry Standard Architecture
MCA
IBM Micro Channel Architecture
EISA
Extended Industry Standard Architecture
PCI
Peripheral Component Interconnect
AGP
Accelerated Graphics Port
PCMCIA
Personal Computer Memory Card International Association
CMOS
Complementary Metal-Oxide Semiconductor
EFI
Extensible Firmware Interface
POST
Power On Self-Test
MBR
Master Boot Record
VBR
Volume Boot Record
FAT
File Allocation Table (12, 16 or 32)
MFT
Master File Table
Bit Flag Values for Attribute Field at Byte Offset 11
0000 0001
Read only
0000 0010
Hidden File
0000 0100
System File
0000 1000
Volume label
0000 1111
Long File Name
0001 0000
Directory
0010 0000
Archive
In which circumstance is pulling the plug to shut down a computer system considered the best practice?
 
A. When the OS is Linux/Unix
B. When the OS is Windows 2000 and known to be running a large business database application
C. When the OS is Wind
E. None of the above
How is the chain of custody maintained?
 
A. By bagging evidence and sealing it to protect it from contamination or tampering
 
B. By documenting what, when, where, how, and by whom evidence was seized
 
C. By documenting in a log the circumstanc
E. All of the above
It is always safe to pull the plug on a Windows 2000 Professional operating system.
 
A. True
B. False
B. False
On a production Linux/Unix server, you must generally be which user to shut down the system?
 
A. sysadmin
B. administrator
C. root
D. system
C. root
When would it be acceptable to navigate through a live system?
 
A. To observe the operating system to determine the proper shutdown process
 
B. To document currently opened files (if Enterprise/FIM edition is not available)
 
C. To observe an e
E. All of the above
A console prompt that displayed backslashes (\) as part of its display would most likely be which of the following?
 
A. Red Hat Linux operating system
B. Unix operating system
C. Linux or Unix operating system logged in as root
D. MS-DOS
D. MS-DOS
When called to a large office complex with numerous networked machines, it is always a good idea to request the assistance of the network administrator.
 
A. True
B. False
B. False
Subsequent to a search warrant where evidence is seized, what items should be left behind?
 
A. Copy of the affidavit
B. Copy of the search warrant
C. List of items seized
D. A and B
E. B and C
E. B and C
SAFE
Secure Authentication for EnCase
HPA
Host Protected Area
DCO
Device Configuration Overlay
MD5
Message-Digest algorithm 5.
The odds of any two files having the same MD5 are 1 in 2^128, which is, more graphically, 1 in 340,282,366,920,938,000,000,000,000,000,000,000,000.
CRC
cyclic redundancy check (CRC) or polynomial code checksum
When acquiring a hard drive in the DOS mode, what would be the cause of EnCase not detecting partition information?
 
A. The drive has been FDisked and the partition(s) removed.
B. The partition(s) are not recognized by DOS.
C. Both A and B.
D. None
C. Both A and B.
A standard DOS 6.22 boot disk does not make calls to the C: volume of a hard drive when the diskette is booted.
 
A. True
B. False
B. False
As a good forensic practice, why would it be a good idea to wipe a forensic drive before reusing it?
 
A. Chain-of-custody
B. Cross-contamination
C. Different file and operating systems
D. Chain of evidence
E. No need to wipe
B. Cross-contamination
If the number of sectors reported by EnCase does not match the number reported by the manufacturer for the drive, what should you do?
 
A. Suspect HPA
B. Suspect DCO
C. Boot with EnCase for DOS and switch to Direct ATA access
D. Boot with LinEn in L
E. All of the above
What system files are changed or in any way modified by EnCase when creating an EnCase boot disk?
 
A. IO.SYS
B. COMMAND.COM
C. DRVSPACE.BIN
D. All of the above
E. None of the above
D. All of the above
Reacquiring an image and adding compression will change the MD5 value of the acquisition hash.
 
A. True
B. False
B. False
When reacquiring an image, you can change the name of the evidence.
 
A. True
B. False
B. False
Which of the following should you do when creating a storage volume to hold an EnCase evidence file that will be created with EnCase for DOS or LinEn? (Choose all that apply.)
 
A. Format the volume with the FAT file system.
B. Give the volume a uniqu
A. Format the volume with the FAT file system.
B. Give the volume a unique label to identify it.
C. Wipe the volume before formatting to conform to best practices, and avoid claims of cross-contamination.
D. Create a directory to contain the evidence file.
In Linux, what describes hdb2? (Choose all that apply.)
 
A. Refers to the primary master
B. Refers to the primary slave
C. Refers to hard drive number 2
D. Refers to the second partition
E. Refers to the secondary master
B. Refers to the primary slave
D. Refers to the second partition
 
When acquiring USB flash memory, you should write-protect it by doing what?
 
A. Engaging the write-protect switch, if equipped
 
B. Modifying the registry in Windows XP SP2 (or higher) to make USB read-only
 
C. Using ENBD/ENBCD USB DOS drivers
F. All of the above
Which type or types of cables can be used in a network cable acquisition?
 
A. Standard network patch cable
B. CAT-6 network cable
C. Network crossover cable
D. Standard network patch cable used with a crossover adaptor
C. Network crossover cable
D. Standard network patch cable used with a crossover adaptor
Should Zip/Jaz disks be acquired with EnCase in DOS or Windows?
 
A. DOS
B. Windows
A. DOS
When using LinEn, the level of support for USB, FireWire, and SCSI devices is determined by what?
 
A. The drivers built into LinEn
B. The drivers provided with the ENBCD
C. The distribution of Linux being used
D. A and B
E. None of the above
C. The distribution of Linux being used
How should CDs be acquired using EnCase?
 
A. DOS
B. Windows
B. Windows
Select all that are true about EE and FIM.
 
A. They can acquire or preview a system live without shutting it down.
 
B. They can capture live system-state volatile data using the Snapshot feature.
 
C. With EE, the SAFE is on a separate PC, admi
A. They can acquire or preview a system live without shutting it down.
B. They can capture live system-state volatile data using the Snapshot feature.
C. With EE, the SAFE is on a separate PC, administered by the keymaster.
D. With FIM, the SAFE is on the examiner’s PC and the keymaster and the examiner are the same person.
How does an EnCase boot disk differ from a DOS 6.22 disk?
 
A. EnCase boot disk adds the EnCase executable, EN.EXE.
B. EnCase boot disk switches all calls from C: to A:.
C. Both A and B.
D. None of the above.
C. Both A and B.
The EnCase evidence file is best described as follows:
 
A. A mirror image of the source device written to a hard drive
B. A sector-by-sector image of the source device written to corresponding sectors of a secondary hard drive
C. A bitstream image o
D. A bitstream image of a source device written to a file or several file segments
How does EnCase verify the contents of an evidence file?
 
A. EnCase writes an MD5 hash value for every 32 sectors copied.
B. EnCase writes an MD5 value for every 64 sectors copied.
C. EnCase writes a CRC value for every 32 sectors copied.
D. EnCase
D. EnCase writes a CRC value for every 64 sectors copied.
What is the smallest file size that an EnCase evidence file can be saved as?
 
A. 64 sectors
B. 512 sectors
C. 1 MB
D. 2 MB
E. 640 MB
C. 1 MB
What is the largest file segment size that an EnCase evidence file can be saved as?
 
A. 640 MB
B. 1 GB
C. 2 GB
D. No maximum limit
C. 2 GB
How does EnCase verify that the evidence file contains an exact copy of the source device?
 
A. By comparing the MD5 hash value of the source device to the MD5 hash value of the data stored in the evidence file
B. By comparing the CRC value of the sou
A. By comparing the MD5 hash value of the source device to the MD5 hash value of the data stored in the evidence file
How does EnCase verify that the case information—such as case number, evidence number, notes, and so on—in an evidence file has not been damaged or altered after the evidence file has been written?
 
A. The case file writes a CRC value for the case
C. EnCase writes a CRC value for the case information and verifies the CRC value when the evidence is added to a case.
For an EnCase evidence file to successfully pass the file verification process, which of the following must be true?
 
A. The MD5 hash value must verify.
B. The CRC values and the MD5 hash value both must verify.
C. Either the CRC or MD5 hash values
B. The CRC values and the MD5 hash value both must verify.
The MD5 hash algorithm produces a _____ value.
 
A. 32-bit
B. 64-bit
C. 128-bit
D. 256-bit
C. 128-bit
The MD5 hash algorithm is ___ hexadecimal characters in length.
 
A. 16
B. 32
C. 64
D. 128
B. 32
If an evidence file has been added to a case and completely verified, what happens if the data area within the evidence file is later altered?
 
A. EnCase will detect the error when that area of the evidence file is accessed by the user.
 
B. EnCase
D. All of the above.
Which of the following aspects of the EnCase evidence file can be changed during a reacquire of the evidence file?
 
A. Investigator’s name
B. Evidence number
C. Notes
D. Evidence file size
E. All of the above
D. Evidence file size
An evidence file was archived onto five CD-ROMs with the third file segment on disc 3. Can the contents of the third file segment be verified by itself while still on the CD-ROM?
 
A. No. All evidence file segments must be put back together.
B. Yes. A
B. Yes. Any evidence file segment can be verified independently by comparing the CRC values.
Will EnCase allow a user to write data into an acquired evidence file?
 
A. Yes, when adding notes or comments to bookmarks.
B. Yes, when adding search results.
C. A and B.
D. No, data cannot be added to the evidence file after the acquisition is ma
D. No, data cannot be added to the evidence file after the acquisition is made.
All investigators using EnCase should run tests on the evidence file acquisition and verification process to do which of the following?
 
A. To further the investigator’s understanding of the evidence file
B. To give more weight to the investigator
D. All of the above
When a noncompressed evidence file is reacquired with compression, the acquisition and verification hash values for the evidence file will remain the same for both files.
 
A. True
B. False
A. True
Search hit results and bookmarks are stored in the evidence file.
 
A. True
B. False
B. False
The EnCase evidence file’s logical file name can be changed without affecting the verification of the acquired evidence.
 
A. True
B. False
A. True
An evidence file can be moved to another directory without changing the file verification.
 
A. True
B. False
B. False
What happens when EnCase attempts to reopen a case once the evidence file has been moved?
 
A. EnCase reports that the file’s integrity has been compromised and renders the file useless.
B. EnCase reports a different hash value for the evidence file
C. EnCase prompts for the location of the evidence file.
During reacquisition, you can change which of the following? (Choose all that apply.)
 
A. Block size and error granularity
B. Add or remove a password
C. Investigator’s name
D. Compression
E. File segment size
A. Block size and error granularity
B. Add or remove a password
D. Compression
E. File segment size
In the EnCase Windows environment, must an examiner first create a new case before adding a device to examine?
 
A. Yes
B. No
A. Yes
Proper file management and organization require that which of the following should be created prior to acquiring evidence?
 
A. Evidence, Export, Temp, and Index folders
B. Unique naming conventions for folders belonging to the same case
C. All subfo
D. All of the above
The EnCase methodology dictates that the lab drive used to store EnCase evidence files must have which of the following prior to acquiring an image?
 
A. FAT 32 partition
B. NTFS partition
C. Clean format
D. Previously wiped and sterile partition
D. Previously wiped and sterile partition
When creating a new case, the Case Options dialog box prompts for which of the following?
 
A. Name or (case name)
B. Examiner name
C. Default export folder
D. Temporary folder
E. All of the above
E. All of the above
What determines the action that will result when a user double-clicks a file within EnCase?
 
A. The settings in the TEXTSTYLES.INI file
B. The settings in the FILETYPES.INI file
C. The settings in the FILESIGNATURES.INI file
D. The settings in the
B. The settings in the FILETYPES.INI file
In the EnCase environment, the term external viewers is best described as which of the following?
 
A. Internal programs that are copied out of an evidence file
 
B. External programs loaded in the evidence file to open specific file types
 
C. E
C. External programs that are associated with EnCase to open specific file types
Where is the list of external viewers kept within EnCase?
 
A. The settings in the TEXTSTYLES.INI file
B. The settings in the FILETYPES.INI file
C. The settings in the FILESIGNATURES.INI file
D. The settings in the VIEWERS.INI file
D. The settings in the VIEWERS.INI file
When the copy/unerase feature is used, EnCase saves the selected file(s) to which folder?
 
A. Evidence
B. Export
C. Temp
D. None of the above
B. Export
Can the Export folder be moved once it is saved within a case?
 
A. Yes
B. No
A. Yes
Files that have been sent to external viewers are copied to which folder?
 
A. Evidence
B. Export
C. Temp
D. None of the above
C. Temp
The Temp folder of a case cannot be changed once the case has been saved.
 
A. True
B. False
B. False
Files stored in the Temp folder are removed once EnCase is properly closed.
 
A. True
B. False
A. True
How do you access the setting to adjust how often a backup file (.cbak) is saved?
 
A. Select Tools > Options > Case Options
B. Select View > Options > Case Options
C. Select Tools > Options > Global
D. Select View > Options > Global
C. Select Tools > Options > Global
What is the maximum number of columns that can be sorted simultaneously in the Table view tab?
 
A. Two
B. Three
C. Five
D. 28 (maximum number of tabs)
C. Five
How would a user reverse-sort on a column in the Table view?
 
A. Hold down the Ctrl key, and double-click the selected column header.
B. Right-click the selected column, select Sort, and select either Sort Ascending or Sort Descending.
C. Both A and
C. Both A and B.
How can you hide a column in the Table view?
 
A. Place the cursor on the selected column, and press Ctrl+H.
B. Right-click on the selected column, select Column, and select Hide.
C. Right-click on the selected column, select Show Columns, and unchec
D. All of the above.
What does the Gallery view tab use to determine graphics files?
 
A. Header or file signature
B. File extension
C. File name
D. File size
B. File extension
Will the EnCase Gallery view display a .jpeg file if its file extension was renamed to .txt?
 
A. No, because EnCase will treat it as a text file.
B. Yes, because the Gallery view looks at a file’s header information and not the file extension.
C.
C. Yes, but only if a signature analysis is performed to correct the “File Category” to “Picture” based on its file header information.
How would a user change the default colors and text fonts within EnCase?
 
A. The user cannot change the default colors and fonts settings.
B. The user can change the default colors and fonts settings by right-clicking the selected items and scrolling
D. The user can change default colors and fonts settings by clicking the Tools tab on the menu bar, selecting Options, and selecting the Colors tab or Fonts tab.
An EnCase user will always know the exact location of the selected data in the evidence file by looking at which of the following?
 
A. Data bar
B. Dixon box
C. Disk view
D. Hex view
A. Data bar
Computers use a numbering system with only two digits, 0 and 1. This system is referred to as which of the following?
 
A. Hexadecimal
B. ASCII
C. Binary
D. FAT
C. Binary
A bit can have a binary value of which of the following?
 
A. 0 or 1
B. 0–9
C. 0–9 and A–F
D. On or Off
A. 0 or 1
A byte consists of ___ bits.
 
A. 2
B. 4
C. 8
D. 16
C. 8
1 bit can have two unique possibilities, 2 bits can have four unique possibilities, and 3 bits can have eight unique possibilities. This is known as the power of 2. How many unique possibilities are there in 8 bits (2^8)?
 
A. 16
B. 64
C. 128
D. 2
D. 256
When the letter A is represented as 41h, it is displayed in which of the following?
 
A. Hexadecimal
B. ASCII
C. Binary
D. Decimal
A. Hexadecimal
What is the decimal integer value for the binary code 0000-1001?
 
A. 7
B. 9
C. 11
D. 1001
B. 9
Select all of the following that depict a Dword value.
 
A. 0000 0001
B. 0001
C. FF 00 10 AF
D. 0000 0000 0000 0000 0000 0000 0000 0001
C. FF 00 10 AF
D. 0000 0000 0000 0000 0000 0000 0000 0001
How many characters can be addressed by the 7-bit ASCII character table? 16-bit Unicode?
 
A. 64 and 256
B. 128 and 256
C. 64 and 65,536
D. 128 and 65,536
D. 128 and 65,536
Where does EnCase (Version 5 or 6) store keywords?
 
A. Within each specific case file (.case and .cbak)
B. In the KEYWORDS.INI file
C. Both A and B
D. None of the above
C. Both A and B
When performing a keyword search in Windows, EnCase searches which of the following?
 
A. The logical files
B. The physical disk in unallocated clusters and other unused disk areas
C. Both A and B
D. None of the above
C. Both A and B
By default, search terms are case sensitive.
 
A. True
B. False
B. False
By selecting the Unicode box, EnCase searches for both ASCII and Unicode formats.
 
A. True
B. False
A. True
With regard to a search using EnCase in the Windows environment, can EnCase find a word or phrase that is fragmented or spans noncontiguous clusters?
 
A. No, because the letters are located in noncontiguous clusters.
 
B. No, EnCase performs a p
D. Yes, EnCase performs both physical and logical searches.
Which of the following would be a search hit for the His keyword?
 
A. this
B. His
C. history
D. [email protected]
E. All of the above
E. All of the above
Which of the following would be a search hit for the following GREP expression? [^a-z]Liz[^a-z]
 
A. Elizabeth
B. Lizzy
C. Liz1
D. None of the above
C. Liz1
Which of the following would be a search hit for the following GREP expression?
 
[\x00-\x07]\x00\x00\x00…
 
A. 00 00 00 01 A0 EE F1
B. 06 00 00 00 A0 EE F1
C. 0A 00 00 00 A0 EE F1
D. 08 00 00 00 A0 EE F1
B. 06 00 00 00 A0 EE F1
Which of the following would be a search hit for the following GREP expression?
 
Jan 1st, 2?0?06
 
A. Jan 1st, 2006
B. Jan 1st, 06
C. Both A and B
D. None of the above
C. Both A and B
Which of the following will not be a search hit for the following GREP expression?
 
[^#]123[ \-]45[ \-]6789[^#]
 
A. A1234567890
B. A123 45-6789
C. A123-45-6789
D. A123 45 6789
A. A1234567890
A sweep or highlight of a specific range of text is referred to as which of the following?
 
A. File group bookmark
B. Folder information bookmark
C. Highlighted data bookmark
D. Notable file bookmark
E. Notes bookmark
C. Highlighted data bookmark
Which of the following is not correct regarding building and querying indexes?
 
A. To search an index, click the Search button on the toolbar.
B. Search hits will appear in the Docs tab and in the Transcript tab.
C. The Hits tab appears in the Filte
A. To search an index, click the Search button on the toolbar.
When running a signature analysis, EnCase will do which of the following?
 
A. Compare a file’s header to its hash value.
B. Compare a file’s header to its file signature.
C. Compare a file’s hash value to its file extension.
D. Compare a file
D. Compare a file’s header to its file extension.
A file header is which of the following?
 
A. A unique set of characters at the beginning of a file that identifies the file type
 
B. A unique set of characters following the file name that identifies the file type
 
C. A 128-bit value that is u
A. A unique set of characters at the beginning of a file that identifies the file type
The Windows operating system uses a file name’s _______ to associate files with the proper applications.
 
A. signature
B. MD5 hash value
C. extension
D. metadata
C. extension
Unix (including Linux) operating systems use a file’s _______ to associate file types to specific applications.
 
A. metadata
B. header
C. extension
D. hash value
B. header
The Mac OS X operating system uses which of the following file information to associate a file to a specific application?
 
A. The “user defined” setting
B. File name extension
C. Metadata (creator code)
D. All of the above
D. All of the above
Information regarding a file’s header information and extension is saved by EnCase in the _________ file.
 
A. FileSignatures.ini
B. FileExtensions.ini
C. FileInformation.ini
D. FileHeader.ini
A. FileSignatures.ini
When a file’s signature is unknown and a valid file extension exists, EnCase will display the following result after a signature analysis is performed:
 
A. Alias (Signature Mismatch)
B. !Bad Signature
C. Unknown
D. Match
B. !Bad Signature
When a file’s signature is known and the file extension does not match, EnCase will display the following result after a signature analysis is performed:
 
A. Alias (Signature Mismatch)
B. !Bad Signature
C. Unknown
D. Match
A. Alias (Signature Mismatch)
When a file’s signature is known and the file extension matches, EnCase will display the following result after a signature analysis is performed:
 
A. Alias (Signature Mismatch)
B. !Bad Signature
C. Unknown
D. Match
D. Match
When a file’s signature and extension are not recognized, EnCase will display the following result after a signature analysis is performed:
 
A. Alias (Signature Mismatch)
B. !Bad Signature
C. Unknown
D. Match
C. Unknown
Can a file with a unique header share multiple file extensions?
 
A. Yes
B. No
A. Yes
A user can manually add new file headers and extensions by doing which of the following?
 
A. Manually inputting the data in the FileSignatures.ini file
B. Right-clicking the file and choosing Add File Signature
C. Choosing File Signatures view, righ
C. Choosing File Signatures view, right-clicking, and selecting New in the appropriate folder
Select the correct answer that completes the following statement: An MD5 hash ___________.
 
A. is a 128-bit value
B. has odds of one in 2^128 that two dissimilar files will share the same value
C. is not determined by the file name
D. All of the abo
D. All of the above
EnCase can create a hash value for the following:
 
A. Physical devices
B. Logical volumes
C. Files or groups of files
D. All of the above
D. All of the above
What portion of an evidence file does EnCase analyze during the verification process to yield an MD5 hash value?
 
A. Data area
B. Entire evidence file
C. Case information
D. None of the above
A. Data area
Will changing a file’s name affect the file’s MD5 hash value?
 
A. Yes
B. No
B. No
Usually a hash value found in a hash set named Windows XP Home Edition would be reported in the Hash Category column as which of the following?
 
A. Known
B. Notable
C. Evidentiary
D. Nonevidentiary
A. Known
With regard to hash categories, evidentiary files or files of interest are categorized as which of the following?
 
A. Known
B. Notable
C. Evidentiary
D. Nonevidentiary
B. Notable
An MD5 hash of a specific media generated by EnCase will yield the same hash value as an independent third-party MD5 hashing utility.
 
A. True
B. False
A. True
A hash _______ is comprised of hash _______, which is comprised of hash _______.
 
A. set(s), library(ies), value(s)
B. value(s), sets(s), library(ies)
C. library(ies), set(s), value(s)
D. set(s), values(s), library(ies)
C. library(ies), set(s), value(s)
An operating system artifact can be defined as which of the following?
 
A. Information specific to a user’s preference
B. Information about the computer’s general settings
C. Information stored about a user’s activities on the computer
D. Inf
E. All of the above
A FAT file system stores date and time stamps in _______, whereas the NTFS file system stores date and time stamps in _______.
 
A. DOS directory and local time
B. Zulu time and GMT
C. Local time and GMT
D. SYSTEM.DAT and NTUSER.DAT
C. Local time and GMT
Where does Windows store the time zone offset?
 
A. BIOS
B. Registry
C. INFO2 file
D. DOS directory or MFT
B. Registry
The date and time of when a file was sent to the Recycle Bin can be found where?
 
A. INFO2 file
B. Original file name’s last access date
C. DOS directory or MFT
D. $I index file
D. $I index file
When a text file is sent to a pre-Windows Vista Recycle Bin, Windows changes the short file name of the deleted file to DC0.txt in the Recycle Bin. Select the best choice that explains the deleted file name.
 
A. D=DOS, C=character, 0=index number, file
D. D=deleted, C=drive letter, 0=index number, file extension remains the same
When a document is opened, a link file bearing the document’s file name is created in the ____folder.
 
A. Shortcut
B. Recent
C. Temp
D. History
B. Recent
Link files are shortcuts or pointers to actual items. These actual items can be what?
 
A. Programs
B. Documents
C. Folders
D. Devices
E. All of the above
E. All of the above
In NTFS, information unique to a specific user is stored in the ______ file.
 
A. USER.DAT
B. NTUSER.DAT
C. SYSTEM.DAT
D. None of the above
B. NTUSER.DAT
In Windows XP or Windows Vista, by default, how many recently opened documents are displayed in the My Recent Documents or Recent Items folder?
 
A. 4
B. 12
C. 15
D. Unlimited
C. 15
Most of a user’s desktop items on a Windows XP operating system would be located in the _________ directory.
 
A. C:\WINDOWS\Desktop
B. C:\WinNT\Desktop
C. C:\WINDOWS\system32\config\Desktop
D. C:\Documents and Settings\%User%\Desktop
D. C:\Documents and Settings\%User%\Desktop
Because this file will hold the contents of RAM when the machine is powered off, the ______ file will be the size of the system RAM and will be in the root directory.
 
A. hiberfil.sys
B. WIN386.SWP
C. PAGEFILE.SYS
D. NTUSER.DAT
A. hiberfil.sys
Where can you find evidence of web-based email such as from MSN Hotmail or Google Gmail on a Windows XP system?
 
A. In Temporary Internet Files under Local Settings in the user’s profile
B. In Unallocated Clusters
C. In the pagefile.sys folder
D.
E. All of the above
File names with the .url extension that direct web browsers to a specific website are located in which folder?
 
A. Favorites folder
B. Cookies folder
C. Send To folder
D. History folder
A. Favorites folder
Data about Internet cookies such as URL names, date and time stamps, and pointers to the actual location of the cookie is stored in:
 
A. INFO2 file
B. index.dat file
C. EMF file
D. pagefile.sys file
B. index.dat file
On a Windows 98 machine, which folder is the swap or page file contained in?
 
A. WIN386.SWP
B. pagefile.sys
C. swapfile.sys
D. page.swp
A. WIN386.SWP
When you are examining evidence that has been sent to a printer, which file contains an image of the actual print job?
 
A. The Enhanced Metafile (EMF)
B. The shadow file
C. The spool file
D. The RAW file
C. The spool file
The two modes for printing in Windows are ______ and _______.
 
A. Spooled and Shadowed
B. Spooled and Direct
C. Spooled and EM
D. EMF and RAW
D. EMF and RAW
Although the Windows operating system removes the EMF file upon a successful print job, the examiner may still recover the file as a result of a search on its unique header information in areas such as Unallocated Clusters or the swap file.
 
A. True
B. F
A. True
The index.dat files are system files that store information about other files. They track date and time stamps, file locations, and name changes. Select the folder that does not contain an index.dat file.
 
A. Cookies
B. History
C. Recycle Bin
D. Te
C. Recycle Bin
The Temporary Internet Files directory contains which of the following?
 
A. Web page files that are cached or saved for possible later reuse
B. An index.dat file that serves as a database for the management of the cached files
C. Web mail artifacts
D. All of the above
How many sector(s) on a hard drive are reserved for the master boot record (MBR)?
 
A. 1
B. 4
C. 16
D. 62
E. 63
E. 63
The very first sector of a formatted hard drive that contains an operating system is referred to as which of the following?
 
A. Absolute sector 0
B. Boot sector
C. Containing the master boot record (MBR)
D. All of the above
D. All of the above
How many logical partitions does the partition table in the master boot record allow for a physical drive?
 
A. 1
B. 2
C. 4
D. 24
C. 4
The very first sector of a partition is referred to as which of the following?
 
A. Master boot record
B. Physical sector 0
C. Active primary partition
D. Volume boot record
D. Volume boot record
If a hard drive has been fdisked, EnCase can still recover the deleted partition(s), if you point to the _________, right-click, and select Add Partition.
 
A. master boot record
B. volume boot record
C. partition table
D. unallocated space
B. volume boot record
In an NTFS partition, where is the backup copy of the volume boot record (VBR) stored?
 
A. In the partition table
B. Immediately after the VBR
C. The last sector of the partition
D. An NTFS partition does not store a backup of the VBR.
C. The last sector of the partition
EnCase can mount a compound file, which can then be viewed in a hierarchical format. Select an example of a compound file.
 
A. Registry file (that is, .dat)
B. Email file (that is, .edb, .nsf, .pst, .dbx)
C. Compressed file (that is, .zip)
D. Thumbs.d
E. All of the above
Windows XP contains two master keys in its registry. They are HKEY_LOCAL_MACHINE and which of the following?
 
A. HKEY_USERS
B. HKEY_CLASSES_ROOT
C. HKEY_CURRENT_USER
D. HKEY_CURRENT_CONFIG
A. HKEY_USERS
In Windows 2000/XP, information about a specific user’s preference is stored in the NTUSER.DAT file. This compound file can be found where?
 
A. C:\
B. C:\WINDOWS\
C. C:\Documents and Settings\username
D. C:\Documents and Settings\All Users\Applic
C. C:\Documents and Settings\username
In an NTFS file system, the date and time stamps recorded in the registry are stored where?
 
A. Local time based on the BIOS settings
B. GMT and converted based on the system’s time zone settings
B. GMT and converted based on the system’s time zone settings
EnScript is a proprietary programming language and application programming interface (API) developed by Guidance Software, designed to function properly only within the EnCase environment.
 
A. True
B. False
A. True
Since EnScript is a proprietary programming language developed by Guidance Software, EnScripts can be created by and obtained only from Guidance Software.
 
A. True
B. False
B. False
Filters are a type of EnScript that “filters” a case for certain file properties such as file types, dates, and hash categories. Like EnScripts, filters can also be changed or created by a user.
 
A. True
B. False
A. True
Select the type of email that EnCase 6 is not capable of recovering.
 
A. Microsoft Outlook and Outlook Express
B. AOL
C. Netscape, MSN Hotmail, and Yahoo! Mail
D. Lotus Notes and Microsoft Exchange Server
E. None of the above
E. None of the above
Which method is used to view the contents of a compound file that contains emails such as a PST file in EnCase 6?
 
A. Right-click, and select View File Structure.
B. Run search, and in the Search menu select the types of email to recover.
C. Both A
C. Both A and B.
EnCase 6 cannot process web-based email such as MSN Hotmail or Yahoo! Mail because the information can be found only on the mail servers.
 
A. True
B. False
B. False
The EnCase Decryption Suite (EDS) will not decrypt Microsoft’s Encrypting File System (EFS) on the ___________ operating system.
 
A. Windows 2000 Professional and Server
B. Windows XP Professional
C. Windows 2003 Server
D. Windows XP Home Edition
D. Windows XP Home Edition
At which levels can the VFS module mount objects in the Windows environment?
 
A. The case level
B. The disk or device level
C. The volume level
D. The folder level
E. All of the above
E. All of the above
The Physical Disk Emulator (PDE) module is similar to the Virtual File System (VFS); the module can mount a piece of media that is accessible in the Windows environment. Select the type(s) of media that the Physical Disk Emulator cannot mount.
 
A. Cas
E. Both A and B
The Virtual File System (VFS) module mounts data as _______, while the Physical Disk Emulator (PDE) module mounts data as _______.
 
A. network share, emulated disk
B. emulated disk, network share
C. virtual drive, physical drive
D. virtual file, ph
A. network share, emulated disk
The space from the end of a logical file to the end of the cluster in which the file ends is called:
 
A. Unallocated space
B. Allocated space
C. Available space
D. Slack
D. Slack
The boot partition table found at the beginning of a hard drive is located in what sector?
 
A. Volume boot record
B. Master boot record
C. Master file table
D. Volume boot sector
B. Master boot record
What information in a FAT file system directory entry refers to the location of a file on a hard drive?
 
A. The file size
B. The file attributes
C. The starting cluster
D. The fragmentation settings
C. The starting cluster
A logical file would be best described as:
 
A. The data from the beginning of the starting cluster to the length of the file.
 
B. The data taken from the starting cluster to the end of the cluster occupied by the file.
 
C. A file including any RAM and d
A. The data from the beginning of the starting cluster to the length of the file.
A case file can contain __ hard drive images?
 
A. 1
 
B. 5
 
C. 10
 
D. Any number of
D. Any number of
Calls to the C:\ volume of the hard drive are not made by DOS when a computer is booted with a standard DOS 6.22 boot disk.
 
A. True
B. False
B. False
Select the appropriate name for the highlighted area of the binary numbers.
 
                      0000 0000 0000 0000
                      0000 0000 0000 0000
                      0
E. Byte
If an evidence file has been added to a case and completely verified, what happens if the data area within the evidence file is later changed?
 
A. EnCase will detect the error when that area of the evidence file is accessed by the user.
 
B. EnCas
D. All of the above.
The BIOS chip on an IBM clone computer is most commonly located on:
 
A. The motherboard
B. The controller card
C. The microprocessor
D. The RAM chip
A. The motherboard
Consider the following path in the FAT file system: C:\My Documents\My Pictures\Bikes. Where does the directory Bikes receive its name?
 
A. From the My Pictures directory
B. From itself
C. From the root directory c:\
D. From the My Documents direct
A. From the My Pictures directory
The following GREP expression was typed in exactly as shown. Choose the answer(s) that would result. 800[) \-]+555-1212.
 
A. 800.555.1212
B. 8005551212
C. 800-555-1212
D. (800) 555-1212
D. (800) 555-1212
How does EnCase verify that the case information (Case Number, Evidence Number, Investigator Name, etc.) in an evidence file has not been damaged or changed after the evidence file has been written?
 
A. The .case file writes a CRC value for the case i
C. EnCase writes a CRC value of the case information and verifies the CRC value when the evidence is.
Which of the following statements is more accurate?
 
A. The Recycle Bin increases the chance of locating the existence of a file on a computer.
 
B. The Recycle Bin reduces the chance of locating the existence of a file on a computer.
 
A. The Recycle Bin increases the chance of locating the existence of a file on a computer.
The first sector on a volume is called the:
 
A. Volume boot device
B. Master boot record
C. Master file table
D. Volume boot sector or record
D. Volume boot sector or record
When an EnCase user double-clicks on a file within EnCase what determines the action that will result?
 
A. The settings in the case file.
B. The setting in the evidence file.
C. The settings in the FileTypes.ini file.
D. Both a and b.
C. The settings in the FileTypes.ini file.
The following GREP expression was typed in exactly as shown. Choose the answer(s) that would result. [email protected][a-z]+.com
 
A. [email protected]
B. [email protected] zealand.com
C. [email protected]
D. [email protected]
The following GREP expression was typed in exactly as shown. Choose the answer(s) that would result. [^a-z]Tom[a-z]
 
A. Stomp
B. Tomato
C. Tom
D. Toms
C. Tom
The following GREP expression was typed in exactly as shown. Choose the answer(s) that would result. [\x00-\x05]\x00\x00\x00?[\x00-\x05]\x00\x00\x00
 
A. 00 00 00 01 FF FF BA
 
B. FF 00 00 00 FF BA
 
C. 04 00 00 FF FF BA
 
D. 04 06 00 00 00 F
C. 04 00 00 FF FF BA
This question addresses the EnCase for Windows search process. If a target word is within a logical file, and it begins in cluster 10 and ends in cluster 15 (the word is fragmented), the search:
 
A. Will not find it because the letters of the keyword
C. Will find it because EnCase performs a logical search.
When a file is deleted in the FAT file system, what happens to the FAT?
 
A. It is deleted as well.
 
B. Nothing.
 
C. The FAT entries for that file are marked as allocated.
 
D. The FAT entries for that file are marked as available.
D. The FAT entries for that file are marked as available.
In DOS and Windows, how many bytes are in one FAT directory entry?
 
A. 8
B. 16
C. 32
D. 64
E. Variable
C. 32
When a non-compressed evidence file is reacquired with compression, the acquisition and verification hash value for the evidence will remain the same for both files.
 
A. True
B. False
A. True
An EnCase evidence file of a hard drive _____ be restored to another hard drive of equal or greater size.
 
A. Can
B. Cannot
A. Can
Upon starting a new case, what two directories should be defined?
Default EXPORT and TEMP directories.
All lab media should be forensically sterile. What does this mean?
The media should be:
- WIPED of all data
- VERIFIED to be absent of all data
- Freshly partitioned and formatted
All lab media should maintain a unique __________, and a unique __________ to receive evidence files.
- VOLUME LABEL
- DIRECTORY
What happens when an examiner double-clicks on a file of a file type known by EnCase?
The data is copied to the case defined TEMP directory, and the associated viewer is then called to display the file data.
What happens to the data files that are copied by EnCase to the case defined TEMP directory?
When Encase is PROPERLY shut down, EnCase will DELETE the files from the temp folder.
What is the evidence file?
It is a BIT STREAM image of the source media written to a file(s).
Evidence files can be segmented between a range of _____ and _____.
Min 1 Mb - Max 2000 Mb. (The default size of an evidence file is 640 Mb.)
You can add data to an existing evidence file. (TRUE / FALSE)
FALSE. The contents of an evidence file CANNOT be changed, altered, or modified.
What does the FIRST block of the evidence file contain?
It contains the CASE INFORMATION, which is validated by an attached CRC.
How is the evidence file verified?
- CRC (32-bit) every 64 sectors
- MD5 (128-bit) computed during the source media acquisition and placed at the end of the evidence file.
ALL CRCs and the MD5 MUST validate and verify.
If any changes occur to the evidence file (file corruption, etc...), what happens?
The CRC for the affected block(s) will NO LONGER VERIFY, and EnCase will display an ERROR when any data in that block(s) are accessed.
Can individual segments of an evidence file be verified? (YES / NO)
YES. In EnCase go to <Tools> - <Verify Single Evidence File>
What three (3) aspects of an evidence file can be changed without impacting the evidence file verification?
1. Add / Remove PASSWORD protection
2. Change file COMPRESSION
3. Change the file SEGMENT SIZE
What is the CASE file?
It is a TEXT file containing:
- Pointers to evidence file(s)
- Results of searches and analysis (File Signature / Hashes)
- Bookmarks
- Investigator's Notes
What is the MAXIMUM number of evidence files that can be added to a single case file?
There is NO limit. (i.e. 8 HDDs, 200 FDDs, and 24 CDRs)
What is the file extension for a Encase version 4.x case file? ...for the back-up case file?
.CASE for EnCase v4.x (prior versions used .CAS). A backup file is created every 10 minutes by default with an extension of .CBK.
Evidence files can be RENAMED and MOVED without changing their Verification and Validity?
 
A. TRUE
B. FALSE
A. True
 
The applied filename of the evidence file can be changed, and/or moved to another location; however, EnCase will prompt you to locate the renamed evidence file if it is changed/moved after it has been added to a case.
In the EnCase Environment, what are configuration files and how are they used?
.INI files that store global changes and settings to the EnCase environment. The global environment dictates the information/tools available for ALL cases.
Name the five (6) default configuration files and briefly describe what they are used for...
FileSignatures.INI - dictates what will happen when a user double-clicks on a specific file.
FileTypes.INI - external viewers are associated with file extensions.
Keywords.INI - stores global keyword lists used during searches.
Filters.INI - available filters used by EnCase.
Viewers.INI - all external viewers and their execution path with necessary parameters.
TextStyles.INI - used to configure display width and font in the bottom pane of the EnCase window.
Searches within the EnCase Windows environment are both __________ and __________.
- PHYSICAL
- LOGICAL
What is UNICODE?
Unicode uses TWO (2) bytes for each character, allowing the representation of 65,536 characters.
During a search for a keyword, selecting the UNICODE option will cause EnCase to search for the keyword in both ASCII and UNICODE.
 
A. TRUE
B. FALSE
A. TRUE
How is the GREP symbol " ? " used during a search?
? Means "or not" - joh?n will yield both JON and JOHN.
How is the GREP symbol " \x " used during a search?
\x Indicates that the following value is to be treated as a hexadecimal value. (\xFF\xD8\xFF...)
How is the GREP symbol " * " used during a search?
* States to repeat the preceding character or set any number of times, including zero times.
How is the GREP symbol " + " used during a search?
+ States to repeat the preceding character or set any number of times, but at least once.
How is the GREP symbol " ^ " used during a search?
^ States "not" - [^a-z] = NO alpha characters from a to z.
How is the GREP symbol " - " used during a search?
- Denotes a range of characters, as in [1-9] or [a-z].
How are the GREP symbols " [ ] " used during a search?
[ ] Square brackets form a set. The included values within the set have to match a single character. [1-9] will match any single numeric value from 1 to 9.
Default settings for the EnCase BOOT DISK search do NOT include case sensitivity, GREP or UNICODE.
 
A. True
B. False
A. True
Searches in unallocated space are (Physical / Logical) only. (Choose one)
Searches in unallocated space are PHYSICAL only, as no logical definitions exist in this area.
In the EnCase Windows environment, searches will find keywords in non-contiguous clusters in unallocated space.
 
A. TRUE
B. FALSE
B. False
 
No searching tool will find keywords in non-contiguous clusters in unallocated space.
Within the EnCase Environment, what does the File Signatures function do?
It simply compares the displayed file extension with the file's header/signature.
The File Signature table in EnCase CANNOT be changed.
 
A. TRUE
B. FALSE
B. FALSE. The File Signature table CAN be edited and/or added to by accessing the table and choosing [right-click]-New.
After adding a device to your case, you immediately go to the Gallery View tab, as this will display all supported image files, even if they maintain extensions inconsistent with image files.
 
A. TRUE
B. FALSE
B. FALSE. The Gallery View will NOT display image files with incorrect extensions until the File Signature Analysis function has been run.
After running the File Signature Analysis function, a file shows " !Bad Signature " as the result. What does this mean?
!Bad Signature - The extension is in the File Signature table, but the header is incorrect and the header is not in the File Signatures table.
BAD -> [header].[ext] <- GOOD
After running the File Signature Analysis function, a file shows " *[Alias] " as the result. What does this mean?
*[Alias] - The header is in the table and the extension is incorrect. This indicates a file with a renamed extension.
 
GOOD -> [header].[ext] <- BAD
After running the File Signature Analysis function, a file shows " MATCH " as the result. What does this mean?
MATCH - The header matches the extension. If the extension has no header in the File Signatures table then EnCase will return a MATCH as long as the header of the file does not match any header in the File Signatures table.
GOOD -> [header].[ext] <- GOOD
Before running the File Signature Analysis function, the Gallery View will display all supported image files, even if they maintain extensions inconsistent with image files.
 
A. TRUE
B. FALSE
B. FALSE. The Gallery View will NOT display image files with incorrect extensions until the File Signature Analysis function has been run.
After running the File Signature Analysis function, a file shows " UNKNOWN " as the result. What does this mean?
UNKNOWN - Indicates that neither the header/signature nor the extension is listed in the table. If either the header/signature or the extension is listed in the table, you will NOT obtain a value of UNKNOWN.
UNKNOWN -> [header].[ext] <- UNKNOWN
The hash value computed for a given file is based upon the physical file, including the file's slack area.
 
A. TRUE
B. FALSE
B. FALSE. The hash value is computed on the LOGICAL file only.
The hash value for a file will change if it is moved to another Folder/Directory.
 
A. TRUE
B. FALSE
B. FALSE. The Folder/Directory that a file resides within has NO bearing on its hash value.
What purpose does a Hash Analysis serve for the Examiner?
Hash Analysis allows the examiner to identify files that are known, either as innocuous files that can be ignored, or as files that are evidentiary in content.
A file's content can be recreated based on the computed hash value of that file.
 
A. TRUE
B. FALSE
B. FALSE. A file CANNOT be created from the file's computed hash value.
What does ASCII stand for?
American Standard Code for Information Exchange.
The ASCII Table is a _____ - Bit table.
The ASCII table is a 7-bit table. The resultant 128 values represent alpha/numeric values, common punctuation, etc.
What does the "LE" indicator within EnCase indicate?
It indicates the number of BYTES that have been selected / swept / highlighted.
Nibble = _____
Byte = _____
Word = _____
DWord = _____
Nibble = 4 bits (16 possible values)
Byte = 8 bits (256 possible values)
Word = 2 bytes (16 bits)
DWord = 4 bytes (32 bits)
Only one file can occupy a CLUSTER at one time.
 
A. TRUE
B. FALSE
A. TRUE. No two files can occupy the same cluster.
___________ file size is the amount of actual media space allocated to the file.
 
Choose One:
A. Physical
B. Logical
C. Allocated
A. PHYSICAL
___________ file size is the actual number of bytes that the file contains.
 
Choose One:
A. Physical
B. Logical
C. Allocated
B. LOGICAL
By default, each sector contains ____ data bytes.
512 data bytes. This size is consistent across different media types. (ZIP Disks, Floppies, HDD, etc...)
Each FAT volume maintains how many copies of the FAT?
It maintains two (2) copies of the FAT - FAT1 and FAT2.
The number of clusters that a file system can manage is determined by the available number of _____ employed by the FAT.
 
Choose One:
A. bytes
B. bits
C. sectors
D. blocks
B. BITS.
FAT16 (2^16) - allows 65,536 clusters
FAT32 (2^32) - allows 268,435,456 clusters
The FAT file systems (FAT12, FAT16, FAT32) group one or more sectors, in powers of 2, into _________.
Choose One:
A. Blocks
B. Clusters
C. Groups
B. Clusters
The FAT maintains information regarding the status of all the clusters on the volume. What are some of these settings?
 
- Available
- End of File
- BAD
- In Use
What is Slack Space?
It is the data from the end of the logical file to end of the physical file. EnCase displays this data in RED text.
EnCase displays Slack Space in red text. By default, what other entry is also displayed in red and why?
Directory entries are also displayed in red. Neither slack nor directories have any logical size.
How does EnCase determine if a deleted file has been overwritten?
If the starting extent (cluster) is in use by another file.
Deleting a file has NO effect on the actual data in FAT or NTFS.
 
A. TRUE
B. FALSE
A. TRUE
What two (2) actions occur when a file is deleted from a FAT system?
1. The first character of the directory entry pertaining to the file is changed to E5h.
2. The values within the FAT that pertain to this file are reset to zero (available).
What does BIOS stand for?
BIOS = Basic Input Output System
What does the BIOS do?
It is responsible for the initial checking of the system components and initial configuration of the system once power is turned on.
What does the Examiner access to determine the target system boot sequence and system date/time?
The systems BIOS (Basic Input/Output System).
What is RAM?
Random Access Memory - stores data temporarily and is accessible immediately to the Operating System.
What is ROM?
Read Only Memory
What is the first activity taken by a computer system after power is applied?
POST - Power On Self Test. This includes the testing of identified attached devices on the system bus.
When are drive letters assigned by the operating system?
During the boot process. Note these letters are NOT written to the media.
In order for media to be bootable it must maintain a _________________.
Bootable partition / volume and in the case of HDD's it must also be set to Active.
What are some examples of Add-In Cards?
SCSI Host Card, Video Card, Network Interface Card (NIC), etc...
How are most standard IDE Drives configured for the roles of MASTER/SLAVE/CABLE?
Through the use of Jumper PINs on the physical drive.
SCSI drives follow the same methodology as IDE drives of MASTER/SLAVE.
 
A. TRUE
B. FALSE
B. FALSE. SCSI drives are assigned ID numbers, usually by a jumper PIN on the physical drive.
What is the formula for determining hard drive capacity (CHS geometry)?
Clusters x Heads x Sectors x 512
What is contained in the first sector of a standard hard drive?
The MASTER BOOT RECORD. In the Windows and Linux operating system environment, the partition table is also located here.
What is contained in the first sector of each defined partition on a physical hard drive?
VOLUME BOOT RECORD.
The partition Master Boot Record (MBR) can maintain how many entries? What is each record's length?
The MBR can maintain four (4) records, each 16 Bytes in length.
Using EnCase while doing an on-site triage, what are the four (4) options for previewing a drive?
1. FastBloc
2. Parallel Cable
3. Network Cable
4. Boot Disk Text Search
Why is it important to boot a target system with a Forensic Boot Disk?
To prevent writes to the target hard drive and the default mounting of a compressed volume.
What two files need to be modified on a standard DOS boot disk to make it forensically sound?
1. IO.SYS
2. COMMAND.COM
Also, the drvspace.bin command must be removed.
Run through the basic procedure for a forensic system takedown.
1. Photograph environment
2. External inspection
3. Label connections
4. Internal inspection
5. Disconnect power/data cables from HDD
6. Boot with EnCase boot disk
7. Access BIOS - note date/time and boot sequence
Using the EnCase Boot Disk, you will be able to see ALL file systems, including NT logical partitions, Linux, Unix, and MAC HFS.
 
A. TRUE
B. FALSE
B. FALSE. The EnCase boot disk uses DOS, which cannot understand other file systems. You should obtain the physical disk evidence file, and then resolve the file structure using EnCase.
Evidence files can be restored to media of equal OR greater size.
 
A. TRUE
B. FALSE
A. TRUE
How can you verify that the restore completed properly and that it is an exact match to the original media?
The MD5 hash value of a properly restored evidence file will match the value maintained within the evidence file.
When restoring evidence files of a logical partition, the file system it is being restored to must match the original.
 
A. TRUE
B. FALSE
A. TRUE
Where do you commonly see BASE64 encoded files?
Email Attachments.
Where does Windows 2000 and XP store users personal folders?
"C:\Documents and Settings"
What are .LNK files?
.lnk files are "shortcut" files created by the Windows operating system for files manipulated by the logged-in user. They can show dates, times, and the full path to the target file.
Name some of the more common artifact locations in the Windows 9X operating environment.
C:\Windows\Recent
C:\Windows\Desktop
C:\Windows\Send To
C:\Windows\Temp
In DOS/Windows environments, what is the length of FAT Directory entries?
32 Bytes in Length.
Every printed document from a computer is considered an "Original".
 
A. TRUE
B. FALSE
A. TRUE
Compression of evidence files has no bearing on the validity or admissibility of the data.
 
A. TRUE
B. FALSE
A. TRUE. Courts have ruled that the manner in which data is maintained, while in storage, is not relevant, as long as the data is accurately portrayed when accessed and presented in a printout or other output, readable by sight.
What is meant by the legal term "Daubert"?
It is a legal test employed by US courts to determine if a scientific or technical process is acceptable.
What are the three basic questions asked to determine if a process is acceptable under Daubert?
1. Has the process been tested and subjected to peer review?
2. Does the process/application maintain general acceptance within the related community?
3. Can the findings be duplicated/repeated?
If the original evidence must be returned to the owner, can the EnCase Evidence files be considered "Best Evidence"?
Yes.
What type of files are commonly associated with printing in the Windows operating system?
.emf / .spl / .shd
If the file system is not supported by EnCase, the Examiner cannot use EnCase to do the examination.
 
A. TRUE
B. FALSE
B. FALSE. The examiner can still do text searches, run EnScripts for file headers and footers, etc...
You need to do an onsite acquisition of a Windows NT Server, should you Shut Down the system or pull the power plug?
Gracefully shut down the system. Generally, servers need to be shut down gracefully. Workstations or personal computers should have the power plug pulled.
What does IDE stand for?
Integrated Drive Electronics.