Printable Flash Cards: EnCE (EnCase Certified Examiner)

Page 1 of 68

Term 1: When an EnCase user double-clicks on a file within EnCase, what determines the action that will result? A. The settings in the case file. B. The settings in the FileTypes.ini file. C. The setting in the evidence file.
Definition 1: B. The settings in the FileTypes.ini file.

Term 2: Search results are found in which of the following files? Select all that apply. A. The evidence file. B. The configuration Searches.ini file. C. The case file.
Definition 2: C. The case file. (Search hits belong to the case; the evidence file is never written to after acquisition.)

Term 3: If the entry for cluster #3552 in the FAT contains a value of 0, this would mean: A. The cluster is unallocated. B. The cluster is the end of a file. C. The cluster is allocated. D. The cluster is marked bad.
Definition 3: A. The cluster is unallocated. (A zero entry only means the cluster is free for allocation; its sectors may still hold the data of a deleted file.)

Term 4: The following GREP expression was typed in exactly as shown. Choose the answer(s) that would result. Bob@[a-z]+.com A. Bob@New zealand.com B. Bob@My-Email.com C. Bob@America.com D. Bob@a-z.com
Definition 4: C. Bob@America.com. (The other candidates put a space or a hyphen where [a-z]+ requires letters; the match is case insensitive under EnCase's default settings. Note that an unescaped dot matches any single character, not only a literal dot; write \. to require the dot itself.)

Term 5: You are an investigator and have encountered a computer that is running at the home of a suspect. The computer does not appear to be part of a network. The operating system is Windows XP Home. No programs are visibly running. You should:
Definition 5: A. Pull the plug from the back of the computer.

Term 6: A physical file size is: A. The total size in sectors of an allocated file. B. The total size of all the clusters used by the file measured in bytes. C. The total size in bytes of a logical file. D. The total size of the file including the RAM slack in …
Definition 6: B. The total size of all the clusters used by the file measured in bytes.

http://www.flashcardmachine.com/print/?limit_flagged=include&topic_id=1014337&mod... 3/14/2011

Page 2 of 68

Term 7: In Unicode, one printed character is composed of ____ bytes of data. A. 8 B. 4 C. 2 D. 1
Definition 7: C. 2. (What EnCase calls Unicode is UTF-16LE: each code unit is two bytes, so a Unicode keyword search looks for each ASCII character followed by a 0x00 byte.)

Term 8: If cluster number 10 in the FAT contains the number 55, this means: A. That cluster 10 is used and the file continues in cluster number 55. B. That the file starts in cluster number 55 and continues to cluster number 10.
Definition 8: A. That cluster 10 is used and the file continues in cluster number 55.

Term 9: How are the results of a signature analysis examined? A. By sorting on the category column in the Table view. B. By sorting on the signature column in the Table view.
Definition 9: B. By sorting on the signature column in the Table view.

Term 10: The acronym ASCII stands for: A. American Standard Communication Information Index B. American Standard Code for Information Interchange C. Accepted Standard Code for Information Interchange D. Accepted Standard …
Definition 10: B. American Standard Code for Information Interchange

Term 11: The EnCase default export folder is: A. A case-specific setting that cannot be changed. B. A case-specific setting that can be changed. C. A global setting that can be changed. D. A global setting that cannot be changed.
Definition 11: B. A case-specific setting that can be changed.

Term 12: The default export folder remains the same for all cases. A. True B. False
Definition 12: B. False

Page 3 of 68

Term 13: Hash libraries are commonly used to: A. Compare a file header to a file extension. B. Identify files that are already known to the user. C. Compare one hash set with another hash set. D. Verify the evidence file.
Definition 13: B. Identify files that are already known to the user. (Known-good hash sets filter out operating-system and application files; known-bad sets flag files of interest.)

Term 14: Which is the proper formula for determining the size in bytes of a hard drive that uses cylinders (C), heads (H), and sectors (S) geometry? A. C × H + S B. C × H × S + 512 C. C × H × S × 512 D. C × H × S
Definition 14: C. C × H × S × 512 (C × H × S is the number of sectors; each sector holds 512 bytes).

Term 15: Within EnCase, clicking on Save on the toolbar affects what file(s)? A. All of the above B. The evidence files C. The open case file D. The configuration .ini files
Definition 15: C. The open case file

Term 16: EnCase uses the _____ to conduct a signature analysis. A. Both a and b B. File signature table C. Hash library D. File viewers
Definition 16: B. File signature table

Term 17: EnCase is able to read and examine which of the following file systems? A. NTFS B. EXT3 C. FAT D. HFS
Definition 17: All of them: A. NTFS, B. EXT3, C. FAT and D. HFS.

Term 18: ROM is an acronym for: A. Read Open Memory B. Random Open Memory C. Read Only Memory D. Relative Open Memory
Definition 18: C. Read Only Memory

Page 4 of 68

Term 19: If a floppy diskette is in the A: drive, the computer will always boot to that drive before any other device. A. False B. True
Definition 19: A. False. The boot order is set in the BIOS/CMOS setup; the floppy is tried first only if it precedes the hard drive in that order, which is why the boot sequence must be verified before a suspect machine is booted from a forensic boot disk.

Term 20: A standard Windows 98 boot disk is acceptable for booting a suspect drive. A. True B. False
Definition 20: B. False. A standard DOS/Windows 98 boot disk accesses the hard drive during boot and can write to it; a forensically modified boot disk (such as the EnCase boot disk, from which the components that touch the hard drive have been removed) must be used.

Term 21: Search terms are case sensitive by default. A. False B. True
Definition 21: A. False. EnCase keyword searches are case insensitive unless the Case Sensitive option is selected (the keyword John Doe also hits john doe under the default settings).

Term 22: The following GREP expression was typed in exactly as shown. Choose the answer(s) that would result. Jan 1st , 2?0?00 A. Jan 1st , 1900 B. Jan 1st , 2100 C. Jan 1st , 2001 D. Jan 1st , 2000
Definition 22: D. Jan 1st , 2000 (2? and 0? each match zero or one occurrence and 00 must follow; 1900 and 2100 fail because the characters after the optional ones are not 00).

Term 23: An evidence file can be moved to another directory without changing the file verification. A. False B. True
Definition 23: B. True (the CRCs and the MD5 hash cover the acquired data, not the evidence file's name or location).

Term 24: Pressing the power button on a computer that is running could have which of the following results? A. The computer will instantly shut off. B. The computer will go into stand-by mode. C. Nothing will happen. D. All of the above could happen.
Definition 24: D. All of the above could happen (the power-button action is configurable in the operating system's power settings, so it is not a reliable way to take a machine down).

Page 5 of 68

Term 25: How does EnCase verify that the evidence file contains an exact copy of the suspect's hard drive? A. By means of a CRC value of the suspect hard drive … B. By means of an MD5 hash of the suspect hard drive compared to an MD5 hash of the data stored in the evidence file.
Definition 25: B. By means of an MD5 hash of the suspect hard drive compared to an MD5 hash of the data stored in the evidence file.

Term 26: By default, EnCase will display the data from the end of a logical file, to the end of the cluster, in what color: A. Red B. Red on black C. Black on red D. Black
Definition 26: A. Red (this region is the file's slack space).

Term 27: A SCSI drive is pinned as a master when it is: A. The only drive on the computer. B. The primary of two drives connected to one cable. C. Whenever another drive is on the same cable and is pinned as a slave. D. A SCSI drive is not pinned as a master.
Definition 27: D. A SCSI drive is not pinned as a master (master/slave jumpers are an IDE convention; SCSI devices are addressed by SCSI ID).

Term 28: The following GREP expression was typed in exactly as shown. Choose the answer(s) that would result. [^a-z]Tom[^a-z] A. Tomato B. om? ? RP C. Toms D. Stomp
Definition 28: B. (The only candidate in which Tom is preceded and followed by a non-letter character; in Tomato, Toms and Stomp a letter is adjacent to Tom on at least one side. Under the default case-insensitive search, [^a-z] excludes uppercase letters as well.)
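The three GREP cards above (Bob@[a-z]+.com, Jan 1st , 2?0?00 and [^a-z]Tom[^a-z]) and the keyword-search cards elsewhere in the set (a Unicode character is two bytes; keyword searches are case insensitive by default) can be checked against a small search buffer. The block below is an added example, not part of the flash-card set and not EnCase code. It uses Python's re module as a stand-in for EnCase's own GREP engine, which is an assumption: the constructs used here (character classes, +, ?, . and [^...]) mean the same in both, but EnCase's engine is a separate implementation and may not backtrack the way re does. The buffer contents are constructed.

```python
"""EnCase-style keyword and GREP searching over a raw buffer.
Added example: Python's re module stands in for EnCase's GREP engine (assumption)."""
import re

# Constructed search buffer: the candidates from the three GREP cards, plus the keyword
# "John Doe" in three forms: ASCII, lower-case ASCII and UTF-16LE ("Unicode" in EnCase terms).
BUFFER = (
    b"Bob@New zealand.com Bob@My-Email.com Bob@America.com Bob@a-z.com\n"
    b"Jan 1st , 1900 Jan 1st , 2100 Jan 1st , 2001 Jan 1st , 2000\n"
    b"Tomato, Tom: Toms Stomp\n"
    b"John Doe ... john doe ... " + "John Doe".encode("utf-16-le") + b"\n"
)


def grep_hits(pattern: bytes, buf: bytes, case_sensitive: bool = False):
    """Return (offset, matched bytes) for every hit of a GREP expression.
    Case insensitive by default, as EnCase keyword searches are."""
    flags = 0 if case_sensitive else re.IGNORECASE
    return [(m.start(), m.group()) for m in re.finditer(pattern, buf, flags)]


def keyword_hits(keyword: str, buf: bytes, unicode: bool = True, case_sensitive: bool = False):
    """Literal keyword search in ASCII and, optionally, UTF-16LE (EnCase's ASCII/Unicode options).
    Returns (offset, encoding) tuples sorted by offset."""
    flags = 0 if case_sensitive else re.IGNORECASE
    needles = [("ascii", keyword.encode("ascii"))]
    if unicode:
        needles.append(("utf-16le", keyword.encode("utf-16-le")))   # each char becomes a 2-byte unit
    hits = []
    for label, needle in needles:
        for m in re.finditer(re.escape(needle), buf, flags):
            hits.append((m.start(), label))
    return sorted(hits)


if __name__ == "__main__":
    for expr in (rb"Bob@[a-z]+.com", rb"Jan 1st , 2?0?00", rb"[^a-z]Tom[^a-z]"):
        print(expr, grep_hits(expr, BUFFER))
    print(b"Bob@[a-z]+.com, case sensitive:", grep_hits(rb"Bob@[a-z]+.com", BUFFER, case_sensitive=True))
    print("John Doe:", keyword_hits("John Doe", BUFFER))
```

Two points the cards gloss over show up in the output: a backtracking engine also reports a hit inside "Jan 1st , 2001", because the substring "Jan 1st , 200" satisfies 2?0?00 once the optional second 0 is skipped, and Bob@[a-z]+.com stops hitting altogether as soon as the search is made case sensitive, since America begins with an uppercase letter.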
Term 29: This question addresses the EnCase for Windows search process. If a target word is within a logical file, and it begins in cluster 10 and ends in cluster 15 (the word is fragmented), the search: A. Will not find it unless file slack is checked on the search dialog box. B. Will find it because EnCase performs a logical search …
Definition 29: B. Will find it because EnCase performs a logical search (the file's clusters are read in chain order and the keyword is applied to the reassembled file, so a word split across non-adjacent clusters is still found).

Term 30: An evidence file was archived onto five CD-ROM disks with the third file segment on disk number three. Can the contents of the third file segment be verified by itself while still on the CD? A. No. Archived files are compressed and cannot be … C. Yes. Any segment of an evidence file can be verified through re-computing and comparing the CRCs, even if it is on a CD.
Definition 30: C. Yes. Any segment of an evidence file can be verified through re-computing and comparing the CRCs, even if it is on a CD.

Page 6 of 68

Term 31: You are a computer forensic examiner tasked with determining what evidence is on a seized computer. On what part of the computer system will you find data of evidentiary value? A. Microprocessor or CPU B. USB controller C. Hard drive
Definition 31: C. Hard drive

Term 32: You are a computer forensic examiner explaining how computers store and access the data you recovered as evidence during your examination. The evidence was a log file and was recovered as an artifact of user activity on the ____________, which was stored on the …
Definition 32: B. operating system, file system, partition

Term 33: You are a computer forensic examiner investigating a seized computer. You recovered a document containing potential evidence. EnCase reports the file system on the forensic image of the hard drive is FAT (File Allocation Table). What information about the document file can …
Definition 33: C. Starting cluster of the file, D. Fragmentation of the file (the FAT directory entry also carries the file's name and date/time stamps; it records no ownership).

Term 34: You are a computer forensic examiner investigating media on a seized computer. You recovered a document containing potential evidence. EnCase reports the file system on the forensic image of the hard drive is NTFS (New Technology File System). What information about the … A. Name of the file B. Date and time stamps of the file C. Starting cluster of the file D. Fragmentation of the file E. Ownership of the file
Definition 34: All of A through E (unlike FAT, NTFS also records the file's owner through its security descriptor).

Term 35: You are preparing to lead a team to serve a search warrant on a business suspected of committing large-scale consumer fraud. Ideally, you would assign which tasks to search team members? (Choose all that apply.) A. Photographer B. Search and seizure specialists C. Recorder D. Digital evidence search and seizure specialists
Definition 35: All of A through D.

Term 36: You are a computer forensic examiner at a scene and have determined you will seize a Linux server, which according to your source of information contains the database records for the company under investigation for fraud. What is the best practice for taking down the server for …
Definition 36: A. Photograph the screen and note any running programs or messages, and so on, and use the normal shutdown procedure.

Page 7 of 68

Term 37: You are a computer forensic examiner at a scene and are authorized to seize only media that can be determined to have evidence related to the investigation. What options do you have to determine whether evidence is present before seizure and a full forensic examination? (Choose all that apply.)
Definition 37: B. Use an EnCase boot floppy or CD to boot the machine into Linux, and use LinEn to preview the hard drive through a crossover cable with EnCase for Windows. C. Remove the subject hard drive from the machine, and preview the hard drive in …

Term 38: You are a computer forensic examiner at a scene and have determined you will need to image a hard drive in a workstation while onsite. What are your options for creating a forensically sound image of the hard drive? (Choose all that apply.)
Definition 38: B. Use a forensically sound Linux boot CD to boot the machine into Linux, and use LinEn to image the subject hard drive to a second hard drive attached to the machine. C. Remove the subject hard drive from the machine, and image the hard drive in …

Term 39: You are a computer forensic examiner and have imaged a hard drive on site. Before you leave the scene, you want to ensure the image completely verifies as an exact forensic duplicate of the original. To verify the EnCase evidence file containing the image, you should do which of the following?
Definition 39: D. Load the EnCase evidence files into EnCase for Windows, allow the verification process to finish, and then check the results for complete verification.

Term 40: You are a computer forensic examiner and need to verify the integrity of an EnCase evidence file. To completely verify the file's integrity, which of the following must be true? A. The MD5 hash value must verify. B. The CRC values and the MD5 hash value both must verify.
Definition 40: B. The CRC values and the MD5 hash value both must verify.
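The verification cards (the MD5 of the acquired data compared with the MD5 stored in the evidence file; any segment verifiable on its own by recomputing its CRCs; both the CRCs and the MD5 must verify) describe a two-level scheme. The block below is an added example that models it; it is not EnCase code and not the EWF/E01 file format. It assumes 64-sector blocks, a length/data/CRC32 record per block, segment files holding a few blocks each, and one MD5 over the whole image. The "device" contents are constructed.

```python
"""Simplified model of evidence-file verification: per-block CRC32 inside each segment plus an
MD5 over the whole acquired image. Added example; the record layout is an assumption, not EWF."""
import hashlib
import zlib

SECTOR = 512
BLOCK = 64 * SECTOR          # EnCase's default CRC granularity is 64 sectors; assumed here


def acquire(device: bytes, blocks_per_segment: int = 4):
    """'Acquire' a device: return (segments, md5_hex). Each block is stored as
    <4-byte length><data><4-byte CRC32>, so every segment can be checked on its own."""
    md5 = hashlib.md5(device).hexdigest()
    blocks = [device[i:i + BLOCK] for i in range(0, len(device), BLOCK)]
    segments = []
    for s in range(0, len(blocks), blocks_per_segment):
        seg = bytearray()
        for blk in blocks[s:s + blocks_per_segment]:
            seg += len(blk).to_bytes(4, "little") + blk + zlib.crc32(blk).to_bytes(4, "little")
        segments.append(bytes(seg))
    return segments, md5


def _blocks(segment):
    """Yield (record_offset, data, stored_crc) for each block record in a segment."""
    i = 0
    while i < len(segment):
        n = int.from_bytes(segment[i:i + 4], "little")
        data = segment[i + 4:i + 4 + n]
        crc = int.from_bytes(segment[i + 4 + n:i + 8 + n], "little")
        yield i, data, crc
        i += 8 + n


def verify_segment(segment: bytes):
    """Recompute every block CRC in one segment (for example one CD of an archived image).
    Returns (data, bad_block_indexes); a mismatch pins the damage to one 32 KiB block."""
    data, bad = bytearray(), []
    for idx, (_, blk, crc) in enumerate(_blocks(segment)):
        if zlib.crc32(blk) != crc:
            bad.append(idx)
        data += blk
    return bytes(data), bad


def verify_evidence(segments, stored_md5: str):
    """Full verification: every CRC in every segment AND the MD5 of the reassembled image must match."""
    image, bad = bytearray(), {}
    for s, seg in enumerate(segments):
        data, bad_blocks = verify_segment(seg)
        image += data
        if bad_blocks:
            bad[s] = bad_blocks
    md5_ok = hashlib.md5(image).hexdigest() == stored_md5
    return {"crc_ok": not bad, "bad_blocks": bad, "md5_ok": md5_ok, "verified": not bad and md5_ok}


def tamper(segments, seg_idx: int, blk_idx: int, byte_off: int, recompute_crc: bool):
    """Flip one byte in one block and return a new segment list. With recompute_crc=True the block's
    CRC is rewritten as well, as a forger or a silently 'repaired' copy would do: the CRCs then pass
    and only the MD5 reveals the change."""
    seg = bytearray(segments[seg_idx])
    off, blk, _ = list(_blocks(seg))[blk_idx]
    n = len(blk)
    seg[off + 4 + byte_off] ^= 0xFF
    if recompute_crc:
        seg[off + 4 + n:off + 8 + n] = zlib.crc32(bytes(seg[off + 4:off + 4 + n])).to_bytes(4, "little")
    out = list(segments)
    out[seg_idx] = bytes(seg)
    return out


def sample_device(n_blocks: int = 10) -> bytes:
    """Constructed 'hard drive' contents: 10 blocks (320 KiB) of deterministic filler."""
    return bytes((i * 7 + 3) & 0xFF for i in range(n_blocks * BLOCK))


if __name__ == "__main__":
    segments, md5 = acquire(sample_device())
    print("clean image:", verify_evidence(segments, md5))
    print("one byte flipped:", verify_evidence(tamper(segments, 1, 1, 10, False), md5))
    print("flipped, CRC rewritten:", verify_evidence(tamper(segments, 1, 1, 10, True), md5))
```

The two checks answer different questions. A CRC mismatch pins a media or transmission error to one block of one segment, which is why a single CD of an archived image can be checked on its own; the MD5 binds every segment together and catches the case where a block was altered and its CRC rewritten to match. MD5 is no longer collision resistant against a deliberate adversary, so the MD5 check is evidence against accidental change and careless alteration rather than proof against forgery; where the tool allows, pair it with a SHA-2 hash.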
Term 41: You are a computer forensic examiner and need to determine what files are contained within a folder called Business documents. What EnCase pane will you use to view the names of the files in the folder? A. Tree pane B. Table pane C. View pane
Definition 41: B. Table pane

Term 42: You are a computer forensic examiner and need to view the contents of a file contained within a folder called Business documents. What EnCase pane will you use to view the contents of the file? A. Tree pane B. Table pane C. View pane
Definition 42: C. View pane

Printable Flash Cards

Page 8 of 68

Term 43

Definition 43

Term 44

Definition 44

You are a computer forensic examiner and are viewing a file in an EnCase evidence file. With your cursor, you have selected one character in the file. What binary term C. A byte is used for the amount of data that represents a single character?
Term 45 Definition 45

You are a computer forensic examiner and need to search for the name of a suspect in an EnCase evidence file. You enter the name of the A. John Doe suspect into the EnCase C. john doe keyword interface as John Doe. What search hits will be found with this search term with the default settings? (Choose all that apply.)
Term 46 Definition 46

You are a computer forensic examiner and need to determine whether any Microsoft Office documents have been renamed with image extensions to obscure A. File signature analysis their presence. What EnCase process would you use to find such files? A. File signature analysis B. Recover Folders feature Term 47 You are a computer forensic examiner and want to determine whether a user has opened or doubleclicked a file. What folder B. Recent would you look in for an operating system artifact for this user activity? A. Temp B. Recent
Definition 47

You are a computer forensic examiner and want to reduce the number of files required for examination by identifying and filtering out known good or system files. D. File hash analysis What EnCase process would you use to identify such files? A. File signature analysis
Term 48 Definition 48

You are a computer forensic examiner and want to determine when a user deleted a file contained in a Windows XP Recycle Bin. In what file is the date and time C. INFO2 information about the file deletion contained? A. index.dat B. Link file

http://www.flashcardmachine.com/print/?limit_flagged=include&topic_id=1014337&mod... 3/14/2011

Page 9 of 68

Term 49: You are a computer forensic examiner and want to determine how many times a program was executed. Where would you find information? A. Temp folder B. Registry C. Recycle Bin D. Program Files
Definition 49: B. Registry (on Windows XP the UserAssist keys in the user's NTUSER.DAT hive keep run counts).

Term 50: You are a computer forensic examiner and want to examine any email sent and received by the user of the computer system under investigation. What email formats are supported by EnCase? (Choose all that apply.) A. Outlook B. Outlook Express C. America Online D. Hotmail E. Yahoo! F. Mozilla Thunderbird
Definition 50: All of A through F.

Term 51: What is the definition of a CPU? A. The physical computer case that contains all its internal components B. The computer's internal hard drive C. A part of the computer whose function is to perform data processing
Definition 51: C. A part of the computer whose function is to perform data processing

Term 52: What is the BIOS? A. BIOS stands for Basic Input Output System and is a combination of low-level software and drivers that function as the interface, intermediary, or layer between a computer's hardware and its operating system.
Definition 52: A.

Term 53: Is the information stored on a computer's ROM chip lost during a proper shutdown? A. Yes B. No
Definition 53: B. No

Term 54: Is the information contained on a computer's RAM chip accessible after a proper shutdown? A. Yes B. No
Definition 54: B. No (RAM is volatile; whatever it held is gone once power is removed).

Page 10 of 68

Term 55: Can information stored in the BIOS ever change? A. Yes B. No
Definition 55: A. Yes (the settings are kept in CMOS RAM and can be edited in setup, and the firmware itself can be reflashed).

Term 56: What is the purpose or function of a computer's ROM chip? A. Long-term or permanent storage of information and instructions B. Temporary storage area to run applications C. Permanent storage area for programs and files
Definition 56: A. Long-term or permanent storage of information and instructions

Term 57: Information contained in RAM memory (system's main memory), which is located on the motherboard, is _________. A. volatile B. nonvolatile
Definition 57: A. volatile

Term 58: What is the maximum number of drive letters assigned to hard drive(s) partitions on a system? A. 4 B. 16 C. 24 D. Infinity
Definition 58: C. 24 (C: through Z:; A: and B: are reserved for floppy drives).

Term 59: The size of a physical hard drive can be determined by which of the following? A. The cylinder × head × sector B. The cylinder × head × sector × 512 bytes C. The total LBA sectors × 512 bytes D. Adding the total size of … E. Both B and C
Definition 59: E. Both B and C (on modern drives the LBA sector count is authoritative and the CHS geometry is a legacy translation; a Host Protected Area or Device Configuration Overlay can hide sectors from the count the drive reports).

Page 11 of 68

Term 61: The electrical pathway used to transport data from one computer component to another is called what? A. Bus B. RAM C. CMOS D. BIOS
Definition 61: A. Bus

Term 62: What is the main component of a computer to which essential internal devices such as CPU, memory chips, and other chipsets are attached? A. BIOS B. Motherboard C. Expansion card D. Processor
Definition 62: B. Motherboard

Term 63: IDE, SCSI, and SATA are different types of interfaces describing what device? A. RAM chips B. Flash memory C. CPUs D. Hard drives
Definition 63: D. Hard drives

Term 64: What do the terms master, slave, and Cable Select refer to? A. External SCSI devices B. Cable types for external hardware C. Jumper settings for internal hardware such as IDE hard drives and CD drives
Definition 64: C. Jumper settings for internal hardware such as IDE hard drives and CD drives

Term 65: What can you assume about a hard drive that is pinned as CS? A. It's an IDE drive. B. It's a SATA drive. C. It's a SCSI drive. D. All of the above.
Definition 65: A. It's an IDE drive (Cable Select is a jumper setting of parallel IDE/ATA drives; SATA has one device per cable and SCSI addresses devices by ID).

Page 12 of 68

Term 67: What is found at Cylinder 0, Head 0, Sector 1 on a hard drive? A. Master boot record B. Master file table C. Volume boot record D. Volume boot sector
Definition 67: A. Master boot record

Term 68: What is the first sector on a volume called? A. File allocation table B. Volume boot record or sector C. Master boot record D. Volume boot device
Definition 68: B. Volume boot record or sector

Term 69: Which of the following is incorrect? A. The MBR is typically written when the drive is partitioned with FDISK or DISKPART. B. A file system is a system or method of storing and retrieving data on a … D. The partition table is contained within the MBR and consists of a total of 16 bytes, which describes up to four partitions using 4 bytes each to do so.
Definition 69: D is the incorrect statement: the partition table occupies 64 bytes of the MBR (offsets 446 to 509), 16 bytes per entry for up to four entries, followed by the 0x55AA signature.

Term 70: FAT is defined as which of the following? A. A table consisting of master boot record and logical partitions B. A table created during the format that the operating system reads to locate data on a drive C. A table consisting of file …
Definition 70: B. A table created during the format that the operating system reads to locate data on a drive

Term 71: How does a corrupted sector located in the data area of a hard drive affect the corresponding cluster number on a FAT table? A. It does not affect the corresponding cluster number on a FAT table; therefore, the rest of the sectors associated with … D. It does affect the FAT table. The corresponding cluster number is marked as bad, and the entire cluster is prevented from being written to.
Definition 71: D. It does affect the FAT table. The corresponding cluster number is marked as bad, and the entire cluster is prevented from being written to. (The other sectors of that cluster keep whatever they held, which is worth examining.)

Term 72: Which of the following describes a partition table? A. It is located at cylinder 0, head 0, sector 1. B. It is located in the master boot record. C. It keeps track of the partitions on a hard drive. D. All of the above.
Definition 72: D. All of the above.

Page 13 of 68

Term 73: Which selection keeps track of a fragmented file in a FAT file system? A. File allocation table B. Directory structure C. Volume boot record D. Master file table
Definition 73: A. File allocation table

Term 74: If the FAT table lists cluster number 2749 with a value of 0, what does this mean about this specific cluster? A. It is blank and contains no data. B. It is marked as bad and cannot be written to. C. It is allocated to a file. D. It is unallocated and is available to store data.
Definition 74: D. It is unallocated and is available to store data. (Not A: a free cluster can still contain the data of a deleted file, which is exactly what unallocated-space searching and file carving recover.)

Term 75: Which of the following is true about a volume boot record? A. It is always located at the first sector of its logical partition. B. It immediately follows the master boot record. C. It contains BIOS parameter block and volume … D. A and C.
Definition 75: D. A and C.

Term 76: The NTFS file system does which of the following? A. Supports long file names B. Compresses individual files and directories C. Supports large file sizes in excess of 4GB D. All of the above
Definition 76: D. All of the above

Term 77: How many clusters can a FAT32 file system manage? A. 2 × 32 = 64 clusters B. 2^32 = 4,294,967,296 clusters C. 2 × 28 = 56 clusters D. 2^28 = 268,435,456 clusters
Definition 77: D. 2^28 = 268,435,456 clusters (a FAT32 entry is 32 bits wide, but only the low 28 bits are used).

Term 78: The FAT tracks the ________ while the directory entry tracks the ________. A. file name and file size B. file's starting cluster and file's last cluster (EOF) C. file's last cluster (EOF) and file's starting cluster D. file size and file fragmentation
Definition 78: C. file's last cluster (EOF) and file's starting cluster
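The FAT cards in this set (a zero entry means unallocated, an entry of 55 in cluster 10 means the file continues in cluster 55, a bad cluster is withheld from use, the directory entry holds the starting cluster while the FAT holds the order and the EOF marker, and physical size versus logical size with the slack between them) can be exercised on a constructed volume. The block below is an added example, not from the flash-card set and not EnCase code; it assumes FAT16 entry values, 512-byte sectors and 4-sector clusters, and builds its own tiny image.

```python
"""FAT cluster-chain semantics on a constructed FAT16 volume. Added example.
Assumptions: FAT16 entry encoding (0x0000 free, 0x0002-0xFFEF next cluster, 0xFFF7 bad,
0xFFF8-0xFFFF end of chain), 512-byte sectors, 4 sectors per cluster, data area starting at
cluster 2. FAT12 and FAT32 use the same scheme with 12 and 28 significant bits."""

SECTOR_SIZE = 512
SECTORS_PER_CLUSTER = 4
CLUSTER_SIZE = SECTOR_SIZE * SECTORS_PER_CLUSTER
FIRST_DATA_CLUSTER = 2           # entries 0 and 1 hold the media descriptor and a reserved value

FREE = 0x0000
BAD = 0xFFF7
EOC_MIN = 0xFFF8                 # 0xFFF8..0xFFFF all mean "last cluster of this file"


def describe_entry(value: int) -> str:
    """What one FAT16 entry says about its cluster."""
    if value == FREE:
        return "unallocated (free; any old data in it is still on disk)"
    if value == BAD:
        return "marked bad; the whole cluster is withheld from allocation"
    if value >= EOC_MIN:
        return "allocated; last cluster of the file (EOF)"
    if value < FIRST_DATA_CLUSTER or value >= 0xFFF0:
        return f"reserved value 0x{value:04X}"
    return f"allocated; the file continues in cluster {value}"


def walk_chain(fat, start: int):
    """Follow a file's clusters from the start cluster in its directory entry to the EOF marker.
    Only the FAT knows the order and the last cluster; the directory entry knows only the first."""
    chain, seen, cur = [], set(), start
    while True:
        if cur < FIRST_DATA_CLUSTER or cur >= len(fat):
            raise ValueError(f"cluster {cur} is outside the data area")
        if cur in seen:
            raise ValueError(f"cluster chain loops back to {cur} (cross-linked or corrupt FAT)")
        seen.add(cur)
        chain.append(cur)
        nxt = fat[cur]
        if nxt >= EOC_MIN:
            return chain
        if nxt == FREE:
            raise ValueError(f"chain broken: cluster {cur} is marked free (value 0)")
        if nxt == BAD:
            raise ValueError(f"chain broken: cluster {cur} is marked bad")
        if nxt < FIRST_DATA_CLUSTER or nxt >= 0xFFF0:
            raise ValueError(f"reserved FAT value 0x{nxt:04X} in cluster {cur}")
        cur = nxt


def size_breakdown(logical_size: int, n_clusters: int):
    """Logical size (bytes recorded in the directory entry) versus physical size (bytes in the clusters
    the file owns). RAM slack runs from the end of the data to the end of that sector (DOS/Win9x filled it
    from memory, NT-family systems zero it); file slack is the unused whole sectors after it."""
    physical = n_clusters * CLUSTER_SIZE
    ram_slack = (-logical_size) % SECTOR_SIZE
    file_slack = physical - logical_size - ram_slack
    return physical, ram_slack, file_slack


def read_file(image: bytes, fat, start: int, logical_size: int):
    """Return (logical data, slack bytes) by reading clusters in chain order; this reassembly is also why a
    logical keyword search finds a word that spans non-adjacent clusters."""
    chain = walk_chain(fat, start)
    raw = b"".join(image[(c - FIRST_DATA_CLUSTER) * CLUSTER_SIZE:(c - FIRST_DATA_CLUSTER + 1) * CLUSTER_SIZE]
                   for c in chain)
    if logical_size > len(raw):
        raise ValueError("directory entry claims more bytes than the chain holds")
    return raw[:logical_size], raw[logical_size:]


def build_sample():
    """Constructed volume: 64 clusters, the data area pre-filled with residue of an older file, and one
    2400-byte file written fragmented into clusters 10 and 55. Returns (fat, image, logical_size)."""
    fat = [FREE] * 64
    fat[0], fat[1] = 0xFFF8, 0xFFFF          # media descriptor 0xF8 and the reserved second entry
    fat[10], fat[55] = 55, 0xFFFF            # report: 10 -> 55 -> EOF
    fat[12] = BAD
    image = bytearray(b"OLDDATA!" * (CLUSTER_SIZE // 8 * 64))
    body = b"Q3 report " * 240               # 2400 bytes: one full cluster plus 352 bytes
    for cluster, part in zip((10, 55), (body[:CLUSTER_SIZE], body[CLUSTER_SIZE:])):
        off = (cluster - FIRST_DATA_CLUSTER) * CLUSTER_SIZE
        image[off:off + len(part)] = part
    return fat, bytes(image), len(body)


if __name__ == "__main__":
    fat, image, size = build_sample()
    for c in (20, 10, 12, 55):
        print(f"FAT[{c}] = 0x{fat[c]:04X}: {describe_entry(fat[c])}")
    chain = walk_chain(fat, 10)
    physical, ram_slack, file_slack = size_breakdown(size, len(chain))
    data, slack = read_file(image, fat, 10, size)
    print(f"chain {chain}; logical {size} B, physical {physical} B, RAM slack {ram_slack} B, file slack {file_slack} B")
    print(f"slack begins with {slack[:16]!r}")   # residue of the older file: what slack-space carving recovers
```

The slack returned for the sample file begins with the older file's bytes, which is the point of the "displayed in red" card: everything from the end of the logical file to the end of its last cluster belongs to the file on disk but not to its contents, and it can hold whatever occupied those sectors before.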


Page 14 of 68

Term 79: How many copies of the FAT does each FAT32 volume maintain in its default configuration? A. One B. Two C. Three D. Four
Definition 79: B. Two

Term 80: A file's logical size is displayed as? A. The number of sectors needed that the logical file contains B. The number of clusters that the logical file contains C. The number of bytes that the logical file contains D. The number of bits that …
Definition 80: C. The number of bytes that the logical file contains

Term 81: A file's physical size is? A. Always greater than the file's logical size B. The number of bytes in the logical file plus all slack space from the end of the logical file to the end of the last cluster
Definition 81: B. The number of bytes in the logical file plus all slack space from the end of the logical file to the end of the last cluster. (Not A: when the logical size is an exact multiple of the cluster size the two are equal.)

Term 82: A directory entry in a FAT file system has a logical size of which of the following? A. 0 bytes B. 8 bytes C. 16 bytes D. One sector
Definition 82: A. 0 bytes

Term 83: Each directory entry in a FAT file system is ____ bytes in length. A. 0 B. 8 C. 16 D. 32
Definition 83: D. 32

Term 84: By default, what color does EnCase use to display directory entries within a directory structure? A. Black B. Red C. Gray D. Yellow
Definition 84: B. Red

Page 15 of 68

Term 85: What is the area between the end of a file's logical size and the file's physical size called? A. Unused disk area B. Unallocated clusters C. Unallocated sectors D. Slack space
Definition 85: D. Slack space

Term 86: What three things occur when a file is created in a FAT32 file system?
Definition 86: A. A directory entry for the file is created, the FAT assigns the necessary clusters to the file, and the file's data is filled in to the assigned clusters.

Term 87: How does EnCase recover a deleted file? A. It reads the deleted file name in the FAT and searches for the file by its starting cluster number and logical size. B. It reads the deleted file name in the directory entry … C. It obtains the deleted file's starting cluster number and size from the directory entry to obtain the data's starting location and number of clusters required.
Definition 87: C. (Deleting a file sets the first byte of its directory entry to 0xE5 and zeroes its FAT chain; the entry's starting cluster and size survive, and the recovery assumes the clusters were contiguous.)

Term 88: What does EnCase do when a deleted file's starting cluster number is assigned to another file? A. EnCase reads the entire existing data as belonging to the deleted file. B. EnCase only reads the amount of data from the … C. EnCase marks the deleted file as being overwritten.
Definition 88: C. EnCase marks the deleted file as being overwritten.

Term 89: What information does a file's directory entry in a FAT file system store about itself? A. File name B. Date/time C. File extension D. Starting cluster (extent) E. All of the above
Definition 89: E. All of the above

Term 90: What is the first consideration when responding to a scene? A. Your safety B. The safety of others C. The preservation of evidence D. Documentation
Definition 90: A. Your safety

Page 16 of 68

Term 91: What are some variables regarding a facility that you should consider prior to responding to a scene? A. What type of structure is it? B. How large is the structure? C. What are the hours of operation? … E. All of the above.
Definition 91: E. All of the above.

Term 92: What are some variables regarding items to be seized that you should consider prior to responding to a scene? A. Location(s) of computers B. Type of operating system C. Workstations or mainframes D. System-critical or … E. All of the above.
Definition 92: E. All of the above.

Term 93: Generally speaking, if you encounter a desktop computer running Windows XP, how should you take down the machine? A. Shut down using Windows XP. B. Shut down by pulling the power cord from the outlet. C. Shut down by pulling the plug from the computer box.
Definition 93: C. Shut down by pulling the plug from the computer box.

Term 94: Generally speaking, if you encounter a computer running Windows 2000 Server, how should you take down the machine? A. Shut down using its operating system. B. Shut down by pulling the power cord from the outlet. C. Shut down by pulling the plug from the computer box.
Definition 94: A. Shut down using its operating system.

Term 95: Generally speaking, if you encounter a Unix/Linux machine, how should you take down the machine? A. Shut down using its operating system. B. Shut down by pulling the power cord from the outlet. C. Shut down by pulling the plug from the computer box.
Definition 95: A. Shut down using its operating system.

Term 96: When unplugging a desktop computer, from where is it best to pull the plug? A. The back of the computer B. The wall outlet C. A or B
Definition 96: A. The back of the computer (pulling the plug at the machine also defeats any UPS sitting between it and the wall).

Page 17 of 68

Term 97: What is the best method to shut down a notebook computer? A. Unplug from the back of the computer. B. Unplug from the wall. C. Remove the battery. D. Both A and C.
Definition 97: D. Both A and C.

Term 98: Generally speaking, if you encounter a Macintosh computer, how should you take down the machine? A. Shut down using the operating system. B. Shut down by pulling the power cord from the outlet. C. Shut down by pulling the plug from the computer box.
Definition 98: C. Shut down by pulling the plug from the computer box.

Term 99: Which selection displays the incorrect method for shutting down a computer? A. DOS: Pull the plug. B. Windows 2000: Pull the plug. C. Windows XP: Pull the plug. D. Linux: Pull the plug.
Definition 99: D. Linux: Pull the plug.

Term 100: When shutting down a computer, what information is typically lost? A. Data in RAM memory B. Running processes C. Current network connections D. Current logged-in users E. All of the above
Definition 100: E. All of the above

Term 101: Which of the following is not acceptable for bagging a computer workstation? A. Large paper bag. B. Brown wrapping paper. C. Plastic garbage bag. D. Large antistatic plastic bag. E. All of the above are acceptable for bagging a computer workstation.
Definition 101: C. Plastic garbage bag (ordinary plastic builds up static charge; an antistatic bag is acceptable).

Page 18 of 68

Term 103: SCSI
Definition 103: Small Computer Systems Interface

Term 104: IDE
Definition 104: Integrated Drive Electronics

Term 105: SATA
Definition 105: Serial Advanced Technology Attachment

Term 106: RAID
Definition 106: Redundant Array of Inexpensive Disks

Term 107: DVD
Definition 107: Digital Versatile Disc

Term 108: USB
Definition 108: Universal Serial Bus

Page 19 of 68

Term 109: IEEE
Definition 109: Institute of Electrical and Electronics Engineers

Term 110: IEEE 1394
Definition 110: FireWire

Term 111: ISA
Definition 111: Industry Standard Architecture

Term 112: MCA
Definition 112: IBM Micro Channel Architecture

Term 113: EISA
Definition 113: Extended Industry Standard Architecture

Term 114: PCI
Definition 114: Peripheral Component Interconnect

Page 20 of 68

Term 115: AGP
Definition 115: Accelerated Graphics Port

Term 116: PCMCIA
Definition 116: Personal Computer Memory Card International Association

Term 118: CMOS
Definition 118: Complementary Metal-Oxide Semiconductor

Term 119: EFI
Definition 119: Extensible Firmware Interface

Term 120: POST
Definition 120: Power On Self-Test

Page 21 of 68

Term 121: MBR
Definition 121: Master Boot Record

Term 122: VBR
Definition 122: Volume Boot Record

Term 123: FAT
Definition 123: File Allocation Table (FAT12, FAT16 or FAT32)

Term 124: MFT
Definition 124: Master File Table

Bit-flag values for the attribute field at byte offset 11 of a FAT directory entry:

Term 126: 0000 0001
Definition 126: Read only

Page 22 of 68

Term 127: 0000 0010
Definition 127: Hidden file

Term 128: 0000 0100
Definition 128: System file

Term 129: 0000 1000
Definition 129: Volume label

Term 130: 0000 1111
Definition 130: Long file name (the four low bits set together mark an entry that holds part of a long file name rather than an 8.3 entry)

Term 131: 0001 0000
Definition 131: Directory

Term 132: 0010 0000
Definition 132: Archive
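The attribute bits listed above live in byte 11 of every 32-byte FAT directory entry, the structure the earlier cards describe (an entry is 32 bytes; it stores name, extension, date/time and starting cluster; a directory's own entry carries a logical size of 0; and it is what EnCase reads to recover a deleted file, marking the file overwritten when its start cluster now belongs to another file). The block below is an added example that parses such entries; it is not from the flash-card set and not EnCase code. The entries, the FAT and the file names it uses are constructed, and the "?" it substitutes for the lost first character of a deleted name is this example's own convention.

```python
"""FAT 8.3 directory entries, their attribute byte and the deleted-file recovery rule. Added example.
Entry layout shared by FAT12/16/32: name[8] ext[3] attr[1] ntres[1] crt_tenth[1] crt_time[2] crt_date[2]
acc_date[2] clus_hi[2] wrt_time[2] wrt_date[2] clus_lo[2] size[4] = 32 bytes."""
import struct
from datetime import datetime

ENTRY_FMT = "<8s3sBBBHHHHHHHI"
ENTRY_SIZE = 32
ATTR_BITS = {0x01: "read-only", 0x02: "hidden", 0x04: "system",
             0x08: "volume label", 0x10: "directory", 0x20: "archive"}
ATTR_LFN = 0x0F      # 0000 1111: the four low bits together mark a long-file-name entry


def decode_attributes(attr: int):
    """Names of the attribute bits set in byte 11 (the values on the cards above)."""
    if attr & 0x3F == ATTR_LFN:
        return ["long file name"]
    return [name for bit, name in ATTR_BITS.items() if attr & bit]


def fat_datetime(date: int, time: int):
    """Date: 7-bit years since 1980, 4-bit month, 5-bit day. Time: 5-bit hour, 6-bit minute, 5-bit 2-second units."""
    try:
        return datetime(1980 + (date >> 9), (date >> 5) & 0x0F, date & 0x1F,
                        time >> 11, (time >> 5) & 0x3F, (time & 0x1F) * 2)
    except ValueError:
        return None   # zeroed or garbage fields are common in deleted entries


def parse_entry(raw: bytes):
    """Parse one 32-byte entry; None for the 0x00 'never used' marker that ends a directory."""
    if len(raw) != ENTRY_SIZE:
        raise ValueError("directory entries are exactly 32 bytes")
    if raw[0] == 0x00:
        return None
    name, ext, attr, _, _, ctime, cdate, adate, hi, mtime, mdate, lo, size = struct.unpack(ENTRY_FMT, raw)
    if attr & 0x3F == ATTR_LFN:
        chunk = raw[1:11] + raw[14:26] + raw[28:32]     # 13 UTF-16LE characters split around the fixed fields
        text = chunk.decode("utf-16-le", "replace").split("\x00")[0].rstrip("\uffff")
        return {"type": "lfn", "sequence": raw[0] & 0x1F, "last": bool(raw[0] & 0x40), "chunk": text}
    deleted = raw[0] == 0xE5                            # deletion overwrites only the first name byte
    base = name.decode("latin-1").rstrip()
    if deleted:
        base = "?" + base[1:]                           # first character is lost; '?' is this example's convention
    ext_s = ext.decode("latin-1").rstrip()
    return {"type": "short", "name": base + ("." + ext_s if ext_s else ""), "deleted": deleted,
            "attributes": decode_attributes(attr), "start_cluster": (hi << 16) | lo,   # hi is 0 on FAT12/16
            "size": size, "created": fat_datetime(cdate, ctime), "modified": fat_datetime(mdate, mtime),
            "accessed": fat_datetime(adate, 0)}


def parse_directory(blob: bytes):
    """Walk a directory; LFN chunks precede their 8.3 entry in reverse order and are reassembled here."""
    entries, pending = [], []
    for off in range(0, len(blob), ENTRY_SIZE):
        e = parse_entry(blob[off:off + ENTRY_SIZE])
        if e is None:
            break
        if e["type"] == "lfn":
            pending.insert(0, e["chunk"])
            continue
        e["long_name"] = "".join(pending) or None
        pending = []
        entries.append(e)
    return entries


def recover_deleted(entry, fat, cluster_size: int):
    """The recovery rule from the cards: take start cluster and logical size from the directory entry and
    assume the clusters were contiguous (the chain itself was zeroed on delete). If the start cluster is
    now allocated to another file, report the deleted file as overwritten."""
    start = entry["start_cluster"]
    if fat[start] != 0:
        return {"status": "overwritten", "clusters": []}
    n = max(1, -(-entry["size"] // cluster_size))     # ceiling division
    return {"status": "recoverable", "clusters": list(range(start, start + n))}


def short_entry(name, ext, attr, start, size, deleted=False, date=15982, time=21440) -> bytes:
    """Build a constructed 8.3 entry. Default stamp is 2011-03-14 10:30:00 in FAT encoding."""
    raw_name = name.encode("latin-1").ljust(8)
    if deleted:
        raw_name = b"\xE5" + raw_name[1:]
    return struct.pack(ENTRY_FMT, raw_name, ext.encode("latin-1").ljust(3), attr, 0, 0,
                       time, date, date, start >> 16, time, date, start & 0xFFFF, size)


def lfn_entry(sequence: int, text: str) -> bytes:
    """Build one constructed long-file-name entry holding up to 13 UTF-16LE characters."""
    chars = (text.encode("utf-16-le") + b"\x00\x00").ljust(26, b"\xff")[:26]
    return bytes([sequence]) + chars[:10] + bytes([ATTR_LFN, 0, 0]) + chars[10:22] + b"\x00\x00" + chars[22:26]


# Constructed FAT (64 entries) and directory: BUDGET~1.XLS is live in clusters 20-22, two files are deleted.
SAMPLE_FAT = [0] * 64
SAMPLE_FAT[20], SAMPLE_FAT[21], SAMPLE_FAT[22] = 21, 22, 0xFFFF
SAMPLE_DIR = (
    lfn_entry(0x42, "ls") + lfn_entry(0x01, "Budget 2011.x")     # last chunk is stored first
    + short_entry("BUDGET~1", "XLS", 0x20, 20, 5000)
    + short_entry("REPORT", "TXT", 0x20, 10, 2400, deleted=True)   # start cluster still free
    + short_entry("NOTES", "DOC", 0x21, 20, 100, deleted=True)     # start cluster reused by BUDGET~1
    + short_entry("DOCS", "", 0x10, 30, 0)                         # a directory: logical size 0
    + bytes(ENTRY_SIZE)
)

if __name__ == "__main__":
    for e in parse_directory(SAMPLE_DIR):
        status = recover_deleted(e, SAMPLE_FAT, 2048)["status"] if e["deleted"] else "live"
        print(e["name"], e.get("long_name"), e["attributes"], e["start_cluster"], e["size"], e["modified"], status)
```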


Page 23 of 68

Term 133: In which circumstance is pulling the plug to shut down a computer system considered the best practice? A. When the OS is Linux/Unix B. When the OS is Windows 2000 and known to be running a large business … E. None of the above
Definition 133: E. None of the above

Term 134: How is the chain of custody maintained? A. By bagging evidence and sealing it to protect it from contamination or tampering B. By documenting what, when, where, how, and by whom evidence was seized … E. All of the above
Definition 134: E. All of the above

Term 135: It is always safe to pull the plug on a Windows 2000 Professional operating system. A. True B. False
Definition 135: B. False

Term 136: On a production Linux/Unix server, you must generally be which user to shut down the system? A. sysadmin B. administrator C. root D. system
Definition 136: C. root

Term 137: When would it be acceptable to navigate through a live system? A. To observe the operating system to determine the proper shutdown process B. To document currently opened files (if Enterprise/FIM edition is not … ) … E. All of the above
Definition 137: E. All of the above

Term 138: A console prompt that displayed backslashes (\) as part of its display would most likely be which of the following? A. Red Hat Linux operating system B. Unix operating system C. Linux or Unix operating system logged in as root D. MS-DOS
Definition 138: D. MS-DOS (Unix and Linux paths use forward slashes).

Term 139: When called to a large office complex with numerous networked machines, is it always a good idea to request the assistance of the network administrator? A. True B. False
Definition 139: B. False

Term 140: Subsequent to a search warrant where evidence is seized, what items should be left behind? A. Copy of the affidavit B. Copy of the search warrant C. List of items seized D. A and B E. B and C
Definition 140: E. B and C

Term 141: SAFE
Definition 141: Secure Authentication for EnCase

Term 142: HPA
Definition 142: Host Protected Area

Term 143: DCO
Definition 143: Device Configuration Overlay

Term 144: MD5
Definition 144: Message-Digest algorithm 5. The odds of any two files having the same MD5 value are 1 in 2^128, which is, more graphically, 1 in 340,282,366,920,938,000,000,000,000,000,00

Term 145: CRC
Definition 145: cyclic redundancy check (CRC) or polynomial code checksum

Term 146: When acquiring a hard drive in the DOS mode, what would be the cause of EnCase not detecting partition information? A. The drive has been FDisked and the partition(s) removed. B. The partition(s) are not recognized by DOS.
Definition 146: C. Both A and B.

Term 147: A standard DOS 6.22 boot disk does not make calls to the C: volume of a hard drive when the diskette is booted. A. True B. False
Definition 147: B. False

Term 148: As a good forensic practice, why would it be a good idea to wipe a forensic drive before reusing it? A. Chain-of-custody B. Cross-contamination C. Different file and operating systems D. Chain of evidence E. No need to wipe
Definition 148: B. Cross-contamination

Term 149: If the number of sectors reported by EnCase does not match the number reported by the manufacturer for the drive, what should you do? A. Suspect HPA B. Suspect DCO C. Boot with EnCase for DOS and switch to Direct
Definition 149: E. All of the above

Term 150: What system files are changed or in any way modified by EnCase when creating an EnCase boot disk? A. IO.SYS B. COMMAND.COM C. DRVSPACE.BIN D. All of the above E. None of the above
Definition 150: D. All of the above

Term 151: Reacquiring an image and adding compression will change the MD5 value of the acquisition hash. A. True B. False
Definition 151: B. False

Term 152: When reacquiring an image, you can change the name of the evidence. A. True B. False
Definition 152: B. False

Term 153: Which of the following should you do when creating a storage volume to hold an EnCase evidence file that will be created with EnCase for DOS or LinEn? (Choose all that apply.) A. Format the volume with the FAT file system. B. Give the volume a unique label to identify it. C. Wipe the volume before formatting to conform to best practices, and avoid claims of cross-contamination. D. Create a directory to contain the evidence file.
Definition 153: A. Format the volume with the FAT file system. B. Give the volume a unique label to identify it.

Term 154: In Linux, what describes hdb2? (Choose all that apply.) A. Refers to the primary master B. Refers to the primary slave C. Refers to hard drive number 2 D. Refers to the second partition
Definition 154: B. Refers to the primary slave D. Refers to the second partition

Term 155: When acquiring USB flash memory, you should write-protect it by doing what? A. Engaging the write-protect switch, if equipped B. Modifying the registry in Windows XP SP2 (or higher) to make USB read-only
Definition 155: F. All of the above

Term 156: Which type or types of cables can be used in a network cable acquisition? A. Standard network patch cable B. CAT-6 network cable C. Network crossover cable D. Standard network patch cable used with a crossover adaptor
Definition 156: C. Network crossover cable D. Standard network patch cable used with a crossover adaptor

Term 157: Should Zip/Jaz disks be acquired with EnCase in DOS or Windows? A. DOS B. Windows
Definition 157: A. DOS

Term 158: When using LinEn, the level of support for USB, FireWire, and SCSI devices is determined by what? A. The drivers built into LinEn B. The drivers provided with the ENBCD C. The distribution of Linux being used
Definition 158: C. The distribution of Linux being used

Term 159: How should CDs be acquired using EnCase? A. DOS B. Windows
Definition 159: B. Windows

Term 160: Select all that are true about EE and FIM. A. They can acquire or preview a system live without shutting it down. B. They can capture live system-state volatile data using the Snapshot feature. C. With EE, the SAFE is on a separate PC, administered by the keymaster. D. With FIM, the SAFE is on the examiner's PC and the
Definition 160: A. They can acquire or preview a system live without shutting it down. B. They can capture live system-state volatile data using the Snapshot feature.

Term 161: How does an EnCase boot disk differ from a DOS 6.22 disk? A. EnCase boot disk adds the EnCase executable, EN.EXE. B. EnCase boot disk switches all calls from C: to A:. C. Both A and B.
Definition 161: C. Both A and B.

Term 162: The EnCase evidence file is best described as follows: A. A mirror image of the source device written to a hard drive B. A sector-by-sector image of the source device written to corresponding sectors of a secondary hard drive C. A bitstream image of a
Definition 162: D. A bitstream image of a source device written to a file or several file segments

Term 163: How does EnCase verify the contents of an evidence file? A. EnCase writes an MD5 hash value for every 32 sectors copied. B. EnCase writes an MD5 value for every 64 sectors copied. C. EnCase writes a CRC value for every 32 sectors
Definition 163: D. EnCase writes a CRC value for every 64 sectors copied.

Term 164: What is the smallest file size that an EnCase evidence file can be saved as? A. 64 sectors B. 512 sectors C. 1 MB D. 2 MB E. 640 MB
Definition 164: C. 1 MB

Term 165: What is the largest file segment size that an EnCase evidence file can be saved as? A. 640 MB B. 1 GB C. 2 GB D. No maximum limit
Definition 165: C. 2 GB

Term 166: How does EnCase verify that the evidence file contains an exact copy of the source device? A. By comparing the MD5 hash value of the source device to the MD5 hash value of the data stored in the evidence file B. By comparing the CRC
Definition 166: A. By comparing the MD5 hash value of the source device to the MD5 hash value of the data stored in the evidence file

Term 167: How does EnCase verify that the case information (such as case number, evidence number, notes, and so on) in an evidence file has not been damaged or altered after the evidence file has been written? A. The case file writes a CRC value for the case
Definition 167: C. EnCase writes a CRC value for the case information and verifies the CRC value when the evidence is added to a case.

Term 168: For an EnCase evidence file to successfully pass the file verification process, which of the following must be true? A. The MD5 hash value must verify. B. The CRC values and the MD5 hash value both must verify.
Definition 168: B. The CRC values and the MD5 hash value both must verify.

Term 169: The MD5 hash algorithm produces a _____ value. A. 32-bit B. 64-bit C. 128-bit D. 256-bit
Definition 169: C. 128-bit

Term 170: The MD5 hash algorithm is ___ hexadecimal characters in length. A. 16 B. 32 C. 64 D. 128
Definition 170: B. 32

Term 171: If an evidence file has been added to a case and completely verified, what happens if the data area within the evidence file is later altered? A. EnCase will detect the error when that area of the evidence file is accessed by the user.
Definition 171: D. All of the above.

Term 172: Which of the following aspects of the EnCase evidence file can be changed during a reacquire of the evidence file? A. Investigator's name B. Evidence number C. Notes D. Evidence file size E. All of the above
Definition 172: D. Evidence file size

Term 173: An evidence file was archived onto five CD-ROMs with the third file segment on disc 3. Can the contents of the third file segment be verified by itself while still on the CD-ROM? A. No. All evidence file segments must be put back together.
Definition 173: B. Yes. Any evidence file segment can be verified independently by comparing the CRC values.

Term 174: Will EnCase allow a user to write data into an acquired evidence file? A. Yes, when adding notes or comments to bookmarks. B. Yes, when adding search results. C. A and B. D. No, data cannot be added to the evidence file after the acquisition is made.
Definition 174: D. No, data cannot be added to the evidence file after the acquisition is made.

Term 175: All investigators using EnCase should run tests on the evidence file acquisition and verification process to do which of the following? A. To further the investigator's understanding of the evidence file B. To give more weight to the investigator's testimony
Definition 175: D. All of the above

Term 176: When a noncompressed evidence file is reacquired with compression, the acquisition and verification hash values for the evidence file will remain the same for both files. A. True B. False
Definition 176: A. True

Term 177: Search hit results and bookmarks are stored in the evidence file. A. True B. False
Definition 177: B. False

Term 178: The EnCase evidence file's logical file name can be changed without affecting the verification of the acquired evidence. A. True B. False
Definition 178: A. True

Term 179: An evidence file can be moved to another directory without changing the file verification. A. True B. False
Definition 179: B. False

Term 180: What happens when EnCase attempts to reopen a case once the evidence file has been moved? A. EnCase reports that the file's integrity has been compromised and renders the file useless. B. EnCase reports a different hash value for the evidence
Definition 180: C. EnCase prompts for the location of the evidence file.

Term 181: During reacquisition, you can change which of the following? (Choose all that apply.) A. Block size and error granularity B. Add or remove a password C. Investigator's name D. Compression
Definition 181: A. Block size and error granularity B. Add or remove a password D. Compression E. File segment size

Term 182: In the EnCase Windows environment, must an examiner first create a new case before adding a device to examine? A. Yes B. No
Definition 182: A. Yes

Term 183: Proper file management and organization require that which of the following should be created prior to acquiring evidence? A. Evidence, Export, Temp, and Index folders B. Unique naming conventions for folders belonging to the same case
Definition 183: D. All of the above

Term 184: The EnCase methodology dictates that the lab drive used to store EnCase evidence files must have which of the following prior to acquiring an image? A. FAT 32 partition B. NTFS partition C. Clean format D. Previously wiped and sterile partition
Definition 184: D. Previously wiped and sterile partition

Term 185: When creating a new case, the Case Options dialog box prompts for which of the following? A. Name or (case name) B. Examiner name C. Default export folder D. Temporary folder E. All of the above
Definition 185: E. All of the above

Term 186: What determines the action that will result when a user double-clicks a file within EnCase? A. The settings in the TEXTSTYLES.INI file B. The settings in the FILETYPES.INI file C. The settings in the FILESIGNATURES.INI file
Definition 186: B. The settings in the FILETYPES.INI file

Term 187: In the EnCase environment, the term external viewers is best described as which of the following? A. Internal programs that are copied out of an evidence file B. External programs loaded in the evidence file to open
Definition 187: C. External programs that are associated with EnCase to open specific file types

Term 188: Where is the list of external viewers kept within EnCase? A. The settings in the TEXTSTYLES.INI file B. The settings in the FILETYPES.INI file C. The settings in the FILESIGNATURES.INI file D. The settings in the VIEWERS.INI file
Definition 188: D. The settings in the VIEWERS.INI file

Term 189: When the copy/unerase feature is used, EnCase saves the selected file(s) to which folder? A. Evidence B. Export C. Temp D. None of the above
Definition 189: B. Export

Term 190: Can the Export folder be moved once it is saved within a case? A. Yes B. No
Definition 190: A. Yes

Term 191: Files that have been sent to external viewers are copied to which folder? A. Evidence B. Export C. Temp D. None of the above
Definition 191: C. Temp

Term 192: The Temp folder of a case cannot be changed once the case has been saved. A. True B. False
Definition 192: B. False

Term 193: Files stored in the Temp folder are removed once EnCase is properly closed. A. True B. False
Definition 193: A. True

Term 194: How do you access the setting to adjust how often a backup file (.cbak) is saved? A. Select Tools > Options > Case Options B. Select View > Options > Case Options C. Select Tools > Options > Global D. Select View > Options >
Definition 194: C. Select Tools > Options > Global

Term 195: What is the maximum number of columns that can be sorted simultaneously in the Table view tab? A. Two B. Three C. Five D. 28 (maximum number of tabs)
Definition 195: C. Five

Term 196: How would a user reverse-sort on a column in the Table view? A. Hold down the Ctrl key, and double-click the selected column header. B. Right-click the selected column, select Sort, and select either Sort Ascending or Sort Descending.
Definition 196: C. Both A and B.

Term 197: How can you hide a column in the Table view? A. Place the cursor on the selected column, and press Ctrl+H. B. Right-click on the selected column, select Column, and select Hide. C. Right-click on the selected column, select
Definition 197: D. All of the above.

Term 198: What does the Gallery view tab use to determine graphics files? A. Header or file signature B. File extension C. File name D. File size
Definition 198: B. File extension

Term 199: Will the EnCase Gallery view display a .jpeg file if its file extension was renamed to .txt? A. No, because EnCase will treat it as a text file. B. Yes, because the Gallery view looks at a file's header information and not the file extension.
Definition 199: C. Yes, but only if a signature analysis is performed to correct the File Category to Picture based on its file header information.

Term 200: How would a user change the default colors and text fonts within EnCase? A. The user cannot change the default colors and fonts settings. B. The user can change the default colors and fonts settings by right-clicking the selected items and scrolling
Definition 200: D. The user can change default colors and fonts settings by clicking the Tools tab on the menu bar, selecting Options, and selecting the Colors tab or Fonts tab.

Term 201: An EnCase user will always know the exact location of the selected data in the evidence file by looking at which of the following? A. Data bar B. Dixon box C. Disk view D. Hex view
Definition 201: A. Data bar

Term 202: Computers use a numbering system with only two digits, 0 and 1. This system is referred to as which of the following? A. Hexadecimal B. ASCII C. Binary D. FAT
Definition 202: C. Binary

Term 203: A bit can have a binary value of which of the following? A. 0 or 1 B. 0-9 C. 0-9 and A-F D. On or Off
Definition 203: A. 0 or 1

Term 204: A byte consists of ___ bits. A. 2 B. 4 C. 8 D. 16
Definition 204: C. 8

Term 205: If 1 bit can have two unique possibilities, 2 bits can have four unique possibilities, and 3 bits can have eight unique possibilities. This is known as the power of 2. How many unique possibilities are there in 8 bits (2^8)? A. 16
Definition 205: D. 256

Term 206: When the letter A is represented as 41h, it is displayed in which of the following? A. Hexadecimal B. ASCII C. Binary D. Decimal
Definition 206: A. Hexadecimal

Term 207: What is the decimal integer value for the binary code 0000-1001? A. 7 B. 9 C. 11 D. 1001
Definition 207: B. 9

Term 208: Select all of the following that depict a Dword value. A. 0000 0001 B. 0001 0000 0000 0001 C. FF 00 10 AF D. 0000 0000 0000 0000 0000 0000 0000 0001
Definition 208: C. FF 00 10 AF D. 0000 0000 0000 0000 0000 0000 0000 0001

Term 209: How many characters can be addressed by the 7-bit ASCII character table? 16-bit Unicode? A. 64 and 256 B. 128 and 256 C. 64 and 65,536 D. 128 and 65,536
Definition 209: D. 128 and 65,536

Term 210: Where does EnCase (Version 5 or 6) store keywords? A. Within each specific case file (.case and .cbak) B. In the KEYWORDS.INI file C. Both A and B D. None of the above
Definition 210: C. Both A and B

Term 211: When performing a keyword search in Windows, EnCase searches which of the following? A. The logical files B. The physical disk in unallocated clusters and other unused disk areas C. Both A and B D. None of the above
Definition 211: C. Both A and B

Term 212: By default, search terms are case sensitive. A. True B. False
Definition 212: B. False

Term 213: By selecting the Unicode box, EnCase searches for both ASCII and Unicode formats. A. True B. False
Definition 213: A. True

Term 214: With regard to a search using EnCase in the Windows environment, can EnCase find a word or phrase that is fragmented or spans noncontiguous clusters? A. No, because the letters are located in noncontiguous clusters.
Definition 214: D. Yes, EnCase performs both physical and logical searches.

Term 215: Which of the following would be a search hit for the His keyword? A. this B. His C. history D. Bill_Chisholm@gmail.com E. All of the above
Definition 215: E. All of the above

Term 216: Which of the following would be a search hit for the following GREP expression? [^a-z]Liz[^a-z] A. Elizabeth B. Lizzy C. Liz1 D. None of the above
Definition 216: C. Liz1

Term 217: Which of the following would be a search hit for the following GREP expression? [\x00-\x07]\x00\x00\x00 A. 00 00 00 01 A0 EE F1 B. 06 00 00 00 A0 EE F1 C. 0A 00 00 00 A0 EE F1 D. 08 00 00 00 A0 EE F1
Definition 217: B. 06 00 00 00 A0 EE F1

Term 218: Which of the following would be a search hit for the following GREP expression? Jan 1st, 2?0?06 A. Jan 1st, 2006 B. Jan 1st, 06 C. Both A and B D. None of the above
Definition 218: C. Both A and B

Term 219: Which of the following will not be a search hit for the following GREP expression? [^#]123[ \-]45[ \-]6789[^#] A. A1234567890 B. A123 45-6789 C. A123-45-6789 D. A123 45 6789
Definition 219: A. A1234567890

Term 220: A sweep or highlight of a specific range of text is referred to as which of the following? A. File group bookmark B. Folder information bookmark C. Highlighted data bookmark D. Notable file bookmark
Definition 220: C. Highlighted data bookmark

Term 221: Which of the following is not correct regarding building and querying indexes? A. To search an index, click the Search button on the toolbar. B. Search hits will appear in the Docs tab and in the Transcript tab. C. The Hits tab appears in
Definition 221: A. To search an index, click the Search button on the toolbar.

Term 222: When running a signature analysis, EnCase will do which of the following? A. Compare a file's header to its hash value. B. Compare a file's header to its file signature. C. Compare a file's hash value to its file extension. D. Compare a file's header to its file extension.
Definition 222: D. Compare a file's header to its file extension.

Term 223: A file header is which of the following? A. A unique set of characters at the beginning of a file that identifies the file type B. A unique set of characters following the file name that identifies the file
Definition 223: A. A unique set of characters at the beginning of a file that identifies the file type

Term 224: The Windows operating system uses a file name's _______ to associate files with the proper applications. A. signature B. MD5 hash value C. extension D. metadata
Definition 224: C. extension

Term 225: Unix (including Linux) operating systems use a file's _______ to associate file types to specific applications. A. metadata B. header C. extension D. hash value
Definition 225: B. header

Term 226: The Mac OS X operating system uses which of the following file information to associate a file to a specific application? A. The user-defined setting B. File name extension C. Metadata (creator code) D. All of the above
Definition 226: D. All of the above

Term 227: Information regarding a file's header information and extension is saved by EnCase in the _________ file. A. FileSignatures.ini B. FileExtensions.ini C. FileInformation.ini D. FileHeader.ini
Definition 227: A. FileSignatures.ini

Term 228: When a file's signature is unknown and a valid file extension exists, EnCase will display the following result after a signature analysis is performed: A. Alias (Signature Mismatch) B. !Bad Signature C. Unknown
Definition 228: B. !Bad Signature

Term 229: When a file's signature is known and the file extension does not match, EnCase will display the following result after a signature analysis is performed: A. Alias (Signature Mismatch) B. !Bad Signature C. Unknown
Definition 229: A. Alias (Signature Mismatch)

Term 230: When a file's signature is known and the file extension matches, EnCase will display the following result after a signature analysis is performed: A. Alias (Signature Mismatch) B. !Bad Signature C. Unknown
Definition 230: D. Match

Term 231: When a file's signature and extension are not recognized, EnCase will display the following result after a signature analysis is performed: A. Alias (Signature Mismatch) B. !Bad Signature C. Unknown
Definition 231: C. Unknown

Term 232: Can a file with a unique header share multiple file extensions? A. Yes B. No
Definition 232: A. Yes

Term 233: A user can manually add new file headers and extensions by doing which of the following? A. Manually inputting the data in the FileSignatures.ini file B. Right-clicking the file and choosing Add File Signature C. Choosing File Signatures view, right-clicking, and selecting New in the appropriate folder
Definition 233: C. Choosing File Signatures view, right-clicking, and selecting New in the appropriate folder

Term 234: Select the correct answer that completes the following statement: An MD5 hash ___________. A. is a 128-bit value B. has odds of one in 2^128 that two dissimilar files will share the same value C. is not determined by the file name
Definition 234: D. All of the above

Term 235: EnCase can create a hash value for the following: A. Physical devices B. Logical volumes C. Files or groups of files D. All of the above
Definition 235: D. All of the above

Term 236: What portion of an evidence file does EnCase analyze during the verification process to yield an MD5 hash value? A. Data area B. Entire evidence file C. Case information D. None of the above
Definition 236: A. Data area

Term 237: Will changing a file's name affect the file's MD5 hash value? A. Yes B. No
Definition 237: B. No

Term 238: Usually a hash value found in a hash set named Windows XP Home Edition would be reported in the Hash Category column as which of the following? A. Known B. Notable C. Evidentiary D. Nonevidentiary
Definition 238: A. Known

Term 239: With regard to hash categories, evidentiary files or files of interest are categorized as which of the following? A. Known B. Notable C. Evidentiary D. Nonevidentiary
Definition 239: B. Notable

Term 240: An MD5 hash of a specific media generated by EnCase will yield the same hash value as an independent third-party MD5 hashing utility. A. True B. False
Definition 240: A. True

Term 241: A hash _______ is comprised of hash _______, which is comprised of hash _______. A. set(s), library(ies), value(s) B. value(s), set(s), library(ies) C. library(ies), set(s), value(s)
Definition 241: C. library(ies), set(s), value(s)

Term 242: An operating system artifact can be defined as which of the following? A. Information specific to a user's preference B. Information about the computer's general settings C. Information stored about a user's activities on the computer
Definition 242: E. All of the above

Term 243: A FAT file system stores date and time stamps in _______, whereas the NTFS file system stores date and time stamps in _______. A. DOS directory and local time B. Zulu time and GMT C. Local time and GMT D. SYSTEM.DAT and
Definition 243: C. Local time and GMT

Term 244: Where does Windows store the time zone offset? A. BIOS B. Registry C. INFO2 file D. DOS directory or MFT
Definition 244: B. Registry

Term 245: The date and time of when a file was sent to the Recycle Bin can be found where? A. INFO2 file B. Original file name's last access date C. DOS directory or MFT D. $I index file
Definition 245: D. $I index file

Term 247: When a text file is sent to a pre-Windows Vista Recycle Bin, Windows changes the short file name of the deleted file to DC0.txt in the Recycle Bin. Select the best choice that explains the deleted file name. A. D=DOS, C=character, 0=index number, file
Definition 247: D. D=deleted, C=drive letter, 0=index number, file extension remains the same

Term 248: When a document is opened, a link file bearing the document's file name is created in the ____ folder. A. Shortcut B. Recent C. Temp D. History
Definition 248: B. Recent

Term 249: Link files are shortcuts or pointers to actual items. These actual items can be what? A. Programs B. Documents C. Folders D. Devices E. All of the above
Definition 249: E. All of the above

Term 250: In NTFS, information unique to a specific user is stored in the ______ file. A. USER.DAT B. NTUSER.DAT C. SYSTEM.DAT D. None of the above
Definition 250: B. NTUSER.DAT

Term 251: In Windows XP or Windows Vista, by default, how many recently opened documents are displayed in the My Recent Documents or Recent Items folder? A. 4 B. 12 C. 15 D. Unlimited
Definition 251: C. 15

Term 252: Most of a user's desktop items on a Windows XP operating system would be located in the _________ directory. A. C:\WINDOWS\Desktop B. C:\WinNT\Desktop C. C:\WINDOWS\system32\config\Desktop D. C:\Documents and Settings\%User%\Desktop
Definition 252: D. C:\Documents and Settings\%User%\Desktop

Term 253: Because this file will hold the contents of RAM when the machine is powered off, the ______ file will be the size of the system RAM and will be in the root directory. A. hiberfil.sys B. WIN386.SWP C. PAGEFILE.SYS D. NTUSER.DAT
Definition 253: A. hiberfil.sys

Term 254: Where can you find evidence of web-based email such as from MSN Hotmail or Google Gmail on a Windows XP system? A. In Temporary Internet Files under Local Settings in the user's profile B. In Unallocated Clusters C. In the pagefile.sys folder
Definition 254: E. All of the above

Term 255: File names with the .url extension that direct web browsers to a specific website are located in which folder? A. Favorites folder B. Cookies folder C. Send To folder D. History folder
Definition 255: A. Favorites folder

Term 256: Data about Internet cookies such as URL names, date and time stamps, and pointers to the actual location of the cookie is stored in: A. INFO2 file B. index.dat file C. EMF file D. pagefile.sys file
Definition 256: B. index.dat file

Term 257: On a Windows 98 machine, which folder is the swap or page file contained in? A. WIN386.SWP B. pagefile.sys C. swapfile.sys D. page.swp
Definition 257: A. WIN386.SWP

Term 258: When you are examining evidence that has been sent to a printer, which file contains an image of the actual print job? A. The Enhanced Metafile (EMF) B. The shadow file C. The spool file D. The RAW file
Definition 258: C. The spool file

Printable Flash Cards

Page 44 of 68

Term 259

The two modes for printing in Windows are ______ and _______. A. Spooled and Shadowed B. Spooled and Direct C. Spooled and EM D. EMF and RAW

Definition 259

D. EMF and RAW

Term 260

Although the Windows operating system removed the EMF file upon a successful print job, the examiner may still recover the file as a result of a search on its unique header information in areas such as Unallocated Clusters or swap file.

Definition 260

A. True

Term 261

The index.dat files are system files that store information about other files. They track date and time stamps, file locations, and name changes. Select the folder that does not contain an index.dat file. A. Cookies B. History

Definition 261

C. Recycle Bin

Term 262

The Temporary Internet Files directory contains which of the following? A. Web page files that are cached or saved for possible later reuse B. An index.dat file that serves as a database for the management of the cached files

Definition 262

D. All of the above

Term 263

How many sector(s) on a hard drive are reserved for the master boot record (MBR)? A. 1 B. 4 C. 16 D. 62 E. 63

Definition 263

E. 63

Term 264

The very first sector of a formatted hard drive that contains an operating system is referred to as which of the following? A. Absolute sector 0 B. Boot sector C. Containing the master boot record (MBR) D. All of the above

Definition 264

D. All of the above


Term 265

How many logical partitions does the partition table in the master boot record allow for a physical drive? A. 1 B. 2 C. 4 D. 24

Definition 265

C. 4

Term 266

The very first sector of a partition is referred to as which of the following? A. Master boot record B. Physical sector 0 C. Active primary partition D. Volume boot record

Definition 266

D. Volume boot record

Term 267

If a hard drive has been fdisked, EnCase can still recover the deleted partition(s), if you point to the _________, right-click, and select Add Partition. A. master boot record B. volume boot record C. partition table D. unallocated space

Definition 267

B. volume boot record

Term 268

In an NTFS partition, where is the backup copy of the volume boot record (VBR) stored? A. In the partition table B. Immediately after the VBR C. The last sector of the partition D. An NTFS partition does not store a backup of the

Definition 268

C. The last sector of the partition

Term 269

EnCase can mount a compound file, which can then be viewed in a hierarchical format. Select an example of a compound file. A. Registry file (that is, .dat) B. Email file (that is, .edb, nsf, pst, dbx) C. Compressed file (that is,

Definition 269

E. All of the above

Term 270

Windows XP contains two master keys in its registry. They are HKEY_LOCAL_MACHINE and which of the following? A. HKEY_USERS B. HKEY_CLASSES_ROOT C. HKEY_CURRENT_USER D. HKEY_CURRENT_CONFIG

Definition 270

A. HKEY_USERS


Term 271

In Windows 2000/XP, information about a specific user's preferences is stored in the NTUSER.DAT file. This compound file can be found where? A. C:\ B. C:\WINDOWS\ C. C:\Documents and Settings\username

Definition 271

C. C:\Documents and Settings\username

Term 272

In an NTFS file system, the date and time stamps recorded in the registry are stored where? A. Local time based on the BIOS settings B. GMT and converted based on the system's time zone settings

Definition 272

B. GMT and converted based on the system's time zone settings

Term 273

EnScript is a proprietary programming language and application programming interface (API) developed by Guidance Software, designed to function properly only within the EnCase environment. A. True B. False

Definition 273

A. True

Term 274

Since EnScript is a proprietary programming language developed by Guidance Software, EnScripts can be created by and obtained only from Guidance Software. A. True B. False

Definition 274

B. False

Term 275

Filters are a type of EnScript that filters a case for certain file properties such as file types, dates, and hash categories. Like EnScripts, filters can also be changed or created by a user. A. True B. False

Definition 275

A. True

Term 276

Select the type of email that EnCase 6 is not capable of recovering. A. Microsoft Outlook and Outlook Express B. AOL C. Netscape, MSN Hotmail, and Yahoo! Mail D. Lotus Notes and Microsoft Exchange Server E. None of the above


Term 277

Which method is used to view the contents of a compound file that contains emails such as a PST file in EnCase 6? A. Right-click, and select View File Structure. B. Run search, and in the Search menu select the types of email to recover.

Definition 277

C. Both A and B.

Term 278

EnCase 6 cannot process web-based email such as MSN Hotmail or Yahoo! Mail because the information can be found only on the mail servers. A. True B. False

Definition 278

B. False

Term 279

The EnCase Decryption Suite (EDS) will not decrypt Microsoft's Encrypting File System (EFS) on the ___________ operating system. A. Windows 2000 Professional and Server B. Windows XP Professional C. Windows 2003 Server

Definition 279

D. Windows XP Home Edition

Term 280

At which levels can the VFS module mount objects in the Windows environment? A. The case level B. The disk or device level C. The volume level D. The folder level E. All of the above

Definition 280

E. All of the above

Term 281

The Physical Disk Emulator (PDE) module is similar to the Virtual File System (VFS); the module can mount a piece of media that is accessible in the Windows environment. Select the type(s) of media that the Physical Disk Emulator cannot mount.

Definition 281

E. Both A and B

Term 282

The Physical Disk Emulator (PDE) module is similar to the Virtual File System (VFS); the module can mount a piece of media that is accessible in the Windows environment. Select the type(s) of media that the Physical Disk Emulator cannot mount.

Definition 282

E. Both A and B


Term 283

The Virtual File System (VFS) module mounts data as _______, while the Physical Disk Emulator (PDE) module mounts data as _______. A. network share, emulated disk B. emulated disk, network share

Definition 283

A. network share, emulated disk

Term 284

The end of a logical file to the end of the cluster in which the file ends is called: A. Unallocated space B. Allocated space C. Available space D. Slack

Definition 284

D. Slack

Term 285

The boot partition table found at the beginning of a hard drive is located in what sector? A. Volume boot record B. Master boot record C. Master file table D. Volume boot sector

Definition 285

B. Master boot record

Term 286

What information in a FAT file system directory entry refers to the location of a file on a hard drive? A. The file size B. The file attributes C. The starting cluster D. The fragmentation settings

Definition 286

C. The starting cluster

Term 287

A logical file would be best described as: A. The data from the beginning of the starting cluster to the length of the file. B. The data taken from the starting cluster to the end of the space occupied by the file.

Definition 287

A. The data from the beginning of the starting cluster to the length of the file.

Term 288

A case file can contain __ hard drive images? A. 1 B. 5 C. 10 D. Any number of

Definition 288

D. Any number of


Term 289

Calls to the C:\ volume of the hard drive are not made by DOS when a computer is booted with a standard DOS 6.22 boot disk. A. True B. False

Definition 289

B. False

Term 290

Select the appropriate name for the highlighted area of the binary numbers. 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 A. Word

Definition 290

E. Byte

Term 291

If an evidence file has been added to a case and completely verified, what happens if the data area within the evidence file is later changed? A. EnCase will detect the error when that area of the evidence file is accessed by the user.

Definition 291

D. All of the above.

Term 292

The BIOS chip on an IBM clone computer is most commonly located on: A. The motherboard B. The controller card C. The microprocessor D. The RAM chip

Definition 292

A. The motherboard

Term 293

Consider the following path in the FAT file system: C:\My Documents\My Pictures\Bikes. Where does the directory Bikes receive its name? A. From the My Pictures directory B. From itself C. From the root directory C:\

Definition 293

A. From the My Pictures directory

Term 294

The following GREP expression was typed in exactly as shown. Choose the answer(s) that would result. 800[) \-]+555-1212. A. 800.555.1212 B. 8005551212 C. 800-555-1212 D. (800) 555-1212

Definition 294

D. (800) 555-1212


Term 295

How does EnCase verify that the case information (Case Number, Evidence Number, Investigator Name, etc.) in an evidence file has not been damaged or changed, after the evidence file has been written? A. The .case file writes a CRC value for the case

Definition 295

C. EnCase writes a CRC value of the case information and verifies the CRC value when the evidence is.

Term 296

Which of the following statements is more accurate? A. The Recycle Bin increases the chance of locating the existence of a file on a computer. B. The Recycle Bin reduces the chance of locating the

Definition 296

A. The Recycle Bin increases the chance of locating the existence of a file on a computer.

Term 297

The first sector on a volume is called the: A. Volume boot device B. Master boot record C. Master file table D. Volume boot sector or record

Definition 297

D. Volume boot sector or record

Term 298

When an EnCase user double-clicks on a file within EnCase what determines the action that will result? A. The settings in the case file. B. The setting in the evidence file. C. The settings in the FileTypes.ini file.

Definition 298

C. The settings in the FileTypes.ini file.

Term 299

The following GREP expression was typed in exactly as shown. Choose the answer(s) that would result. Bob@[a-z]+.com A. Bob@America.com B. Bob@New zealand.com C. Bob@a-z.com D. Bob@My-Email.com

Definition 299

A. Bob@America.com

Term 300

The following GREP expression was typed in exactly as shown. Choose the answer(s) that would result. [^a-z]Tom[a-z] A. Stomp B. Tomato C. Tom D. Toms

Definition 300

C. Tom


Term 301

The following GREP expression was typed in exactly as shown. Choose the answer(s) that would result. [\x00-\x05]\x00\x00\x00?[\x00-\x05]\x00\x00\x00 A. 00 00 00 01 FF FF BA B. FF 00 00 00 FF BA

Definition 301

C. 04 00 00 FF FF BA

Term 302

This question addresses the EnCase for Windows search process. If a target word is within a logical file, and it begins in cluster 10 and ends in cluster 15 (the word is fragmented), the search: A. Will not find it because the letters of the keyword are not contiguous.

Definition 302

C. Will find it because EnCase performs a logical search.

Term 303

When a file is deleted in the FAT file system, what happens to the FAT? A. It is deleted as well. B. Nothing. C. The FAT entries for that file are marked as allocated.

Definition 303

D. The FAT entries for that file are marked as available.

Term 304

In DOS and Windows, how many bytes are in one FAT directory entry? A. 8 B. 16 C. 32 D. 64 E. Variable

Definition 304

C. 32

Term 305

When a non-compressed evidence file is reacquired with compression, the acquisition and verification hash value for the evidence will remain the same for both files. A. True B. False

Definition 305

A. True


Term 307

An EnCase evidence file of a hard drive _____ be restored to another hard drive of equal or greater size. A. Can B. Cannot

Definition 307

A. Can

Term 308

Upon starting a new case, what two directories should be defined?

Definition 308

Default EXPORT and TEMP directories.

Term 309

All lab media should be forensically sterile. What does this mean?

Definition 309

The media should be: - WIPED of all data - VERIFIED to be absent of all data - Freshly partitioned and formatted

Term 310

All lab media should maintain a unique __________, and a unique __________ to receive evidence files.

Definition 310

- VOLUME LABEL - DIRECTORY

Term 311

What happens when an examiner double-clicks on a file of a file type known by EnCase?

Definition 311

The data is copied to the case-defined TEMP directory, and the associated viewer is then called to display the file data.

Term 312

What happens to the data files that are copied by EnCase to the case-defined TEMP directory?

Definition 312

When EnCase is PROPERLY shut down, EnCase will DELETE the files from the temp folder.


Term 313

What is the evidence file?

Definition 313

It is a BIT STREAM image of the source media written to a file(s).

Term 314

Evidence files can be segmented between a range of _____ and _____.

Definition 314

Min 1 Mb - Max 2000 Mb. (The default size of an evidence file is 640 Mb.)

Term 315

You can add data to an existing evidence file. (TRUE / FALSE)

Definition 315

FALSE. The contents of an evidence file CANNOT be changed, altered, or modified.

Term 316

What does the FIRST block of the evidence file contain?

Definition 316

It contains the CASE INFORMATION, which is validated by an attached CRC.

Term 317

How is the evidence file verified?

Definition 317

- CRC (32bit) every 64 Sectors - MD5 (128bit) computed during the source media acquisition and placed at the end of the evidence file. ALL CRC's and the MD5 MUST validate and verify.

Term 318

If any changes occur to the evidence file (file corruption, etc...), what happens?

Definition 318

The CRC for the affected block(s) will NO LONGER VERIFY, and EnCase will display an ERROR when any data in that block(s) are accessed.


Term 319

Can individual segments of an evidence file be verified? (YES / NO)

Definition 319

YES. In EnCase go to <Tools> <Verify Single Evidence File>

Term 320

What three (3) aspects of an evidence file can be changed without impacting the evidence file verification?

Definition 320

1. Add / Remove PASSWORD protection 2. Change file COMPRESSION 3. Change the file SEGMENT SIZE

Term 321

What is the CASE file?

Definition 321

It is a TEXT file containing: - Pointers to evidence file(s) - Results of searches and analysis (File Signature / Hashes) - Bookmarks - Investigator's Notes

Term 322

What is the MAXIMUM number of evidence files that can be added to a single case file?

Definition 322

There is NO limit. (ie. 8 HDDs, 200 FDDs, and 24 CDRs)

Term 323

What is the file extension for an EnCase version 4.x case file? ...for the back-up case file?

Definition 323

.CASE for EnCase v4.x (prior versions was .CAS). A backup file is created every 10 minutes by default with an extension of .CBK.

Term 324

Evidence files can be RENAMED and MOVED without changing their Verification and Validity? A. TRUE B. FALSE

Definition 324

A. True. The applied filename of the evidence file can be changed, and/or moved to another location; however, EnCase will prompt you to locate the renamed evidence file, if it is changed/moved after it has been added to a case.


Term 325

In the EnCase Environment, what are configuration files and how are they used?

Definition 325

.INI files that store global changes and settings to the EnCase Environment. The global environment dictates information/tools available for ALL cases.

Term 326

Name the five (6) default configuration files and briefly describe what they are used for...

Definition 326

FileSignatures.INI - dictates what will happen when a user double-clicks on a specific file. FileTypes.INI - external viewers are associated with file extensions. Keywords.INI - stores global keyword lists used during

Term 327

Searches within the EnCase Windows environment are both __________ and __________.

Definition 327

- PHYSICAL - LOGICAL

Term 328

What is UNICODE?

Definition 328

Unicode uses TWO (2) bytes for each character, allowing the representation of 65,536 characters.

Term 329

During a search for a keyword, selecting the UNICODE option will cause EnCase to search for the keyword in both ASCII and UNICODE. A. TRUE B. FALSE

Definition 329

A. TRUE

Term 330

How is the GREP symbol " ? " used during a search?

Definition 330

? Means "or not" - joh?n will yield both JON and JOHN.


Term 331

How is the GREP symbol " \x " used during a search?

Definition 331

\x Indicates that the following value is to be treated as a hexadecimal value. (\xFF\xD8\xFF...)

Term 332

How is the GREP symbol " * " used during a search?

Definition 332

* States to repeat the preceding character or set any number of times, including zero times.

Term 333

How is the GREP symbol " + " used during a search?

Definition 333

+ States to repeat the preceding character or set any number of times, but at least once.

Term 334

How is the GREP symbol " ^ " used during a search?

Definition 334

^ States "not" - [^a-z] = NO alpha characters from a to z.

Term 335

How is the GREP symbol " - " used during a search?

Definition 335

- Denotes a range of characters, as in [1-9] or [a-z].

Term 336

How is the GREP symbol " [ ] " used during a search?

Definition 336

[ ] Square brackets form a set. The included values within the set have to match a single character. [1-9] will match any single numeric value from 1 to 9.


Term 337

Default settings for the EnCase BOOT DISK search do NOT include case sensitivity, GREP or UNICODE. A. True B. False

Definition 337

A. True

Term 338

Searches in unallocated space are (Physical / Logical) only. (Choose one)

Definition 338

Searches in unallocated space are PHYSICAL only, as no logical definitions exist in this area.

Term 339

In the EnCase Windows environment, searches will find keywords in noncontiguous clusters in unallocated space. A. TRUE B. FALSE

Definition 339

B. False. No searching tool will find keywords in non-contiguous clusters in unallocated space.

Term 340

Within the EnCase Environment, what does the File Signatures function do?

Definition 340

It simply compares the displayed file extension with the file's header/signature.

Term 341

The File Signature table in EnCase CANNOT be changed. A. TRUE B. FALSE

Definition 341

B. FALSE. The File Signature table CAN be edited and/or added to by accessing the table, and choosing [right-click]-New.

Term 342

After adding a device to your case, you immediately go to the Gallery View tab, as this will display all supported image files, even if they maintain extensions inconsistent with image files. A. TRUE B. FALSE

Definition 342

B. FALSE. The Gallery View will NOT display image files with incorrect extensions until the File Signature Analysis function has been run.


Term 343

After running the File Signature Analysis function, a file shows " !Bad Signature " as the result. What does this mean?

Definition 343

!Bad Signature - The extension is in the File Signature table, but the header is incorrect and the header is not in the File Signatures table. BAD -> [header].[ext] <- GOOD

Term 344

After running the File Signature Analysis function, a file shows " *[Alias] " as the result. What does this mean?

Definition 344

*[Alias] - The header is in the table and the extension is incorrect. This indicates a file with a renamed extension. GOOD -> [header].[ext] <- BAD

Term 345

After running the File Signature Analysis function, a file shows " MATCH " as the result. What does this mean?

Definition 345

MATCH - The header matches the extension. If the extension has no header in the File Signatures table then EnCase will return a MATCH as long as the header of the file does not match any header in the File Signatures table. GOOD -> [header].[ext] <- GOOD

Term 346

Before running the File Signature Analysis function, the Gallery View will display all supported image files, even if they maintain extensions inconsistent with image files. A. TRUE B. FALSE

Definition 346

B. FALSE. The Gallery View will NOT display image files with incorrect extensions until the File Signature Analysis function has been run.

Term 347

After running the File Signature Analysis function, a file shows " UNKNOWN " as the result. What does this mean?

Definition 347

UNKNOWN - Indicates that neither the header/signature nor the extension is listed in the table. If either the header/signature or the extension is listed in the table, you will NOT obtain a value of UNKNOWN. UNKNOWN -> [header].[ext] <- UNKNOWN

Term 348

The hash value computed for a given file is based upon the physical file, including the file's slack area. A. TRUE B. FALSE

Definition 348

B. FALSE. The hash value is computed on the LOGICAL file only.


Term 349

The hash value for a file will change if it is moved to another Folder/Directory. A. TRUE B. FALSE

Definition 349

B. FALSE. The Folder/Directory that a file resides within has NO bearing on its hash value.

Term 350

What purpose does a Hash Analysis serve for the Examiner?

Definition 350

Hash Analysis allows the examiner to identify files that are known - either as innocuous files that can be ignored, or as files that are evidentiary in content.

Term 351

A file's content can be recreated based on the computed hash value of that file. A. TRUE B. FALSE

Definition 351

B. FALSE. A file CANNOT be created from the file's computed hash value.

Term 352

What does ASCII stand for?

Definition 352

American Standard Code for Information Exchange.

Term 353

The ASCII Table is a _____ Bit table.

Definition 353

The ASCII table is a 7-bit table. The resultant 128 values represent alpha/numeric values, common punctuation, etc.

Term 354

What does the "LE" indicator within EnCase indicate?

Definition 354

It indicates the number of BYTES that have been selected / swept / highlighted.


Term 355

Nibble = _____ Byte = _____ Word = _____ DWord = _____

Definition 355

Nibble = 4 bits (16 possible values) Byte = 8 bits (256 possible values) Word = 2 bytes (16 bits) DWord = 4 bytes (32 bits)

Term 356

Only one file can occupy a CLUSTER at one time. A. TRUE B. FALSE

Definition 356

A. TRUE. No two files can occupy the same cluster.

Term 357

___________ file size is the amount of actual media space allocated to the file. Choose One: A. Physical B. Logical C. Allocated

Definition 357

A. PHYSICAL

Term 358

___________ file size is the actual number of bytes that the file contains. Choose One: A. Physical B. Logical C. Allocated

Definition 358

B. LOGICAL

Term 359

By default, each sector contains ____ data bytes.

Definition 359

512 data bytes. This size is consistent across different media types. (ZIP Disks, Floppies, HDD, etc...)

Term 360

Each FAT volume maintains how many copies of the FAT?

Definition 360

It maintains two (2) copies of the FAT - FAT1 and FAT2.


Term 361

The number of clusters that a file system can manage is determined by the available number of _____ employed by the FAT. Choose One: A. bytes B. bits C. sectors

Definition 361

B. BITS. FAT16 (2^16) - allows 65,536 clusters. FAT32 (2^32) - allows 268,435,456 clusters.

Term 362

The FAT file systems (FAT12, FAT16, FAT32) group one or more sectors, in powers of 2, into _________. Choose One: A. Blocks B. Clusters C. Groups

Definition 362

B. Clusters

Term 363

The FAT maintains information regarding the status of all the clusters on the volume. What are some of these settings?

Definition 363

- Available - End of File - BAD - In Use

Term 364

What is Slack Space?

Definition 364

It is the data from the end of the logical file to the end of the physical file. EnCase displays this data in RED text.

Term 365

EnCase displays Slack Space in red text. By default, what other entry is also displayed in red and why?

Definition 365

Directory entries are also displayed in red. Neither slack nor directories have any logical size.

Term 366

How does EnCase determine if a deleted file has been overwritten?

Definition 366

If the starting extent (cluster) is in use by another file.


Term 367

Deleting a file has NO effect on the actual data in FAT or NTFS. A. TRUE B. FALSE

Definition 367

A. TRUE

Term 368

What two (2) actions occur when a file is deleted from a FAT system?

Definition 368

1. The first character of the directory entry pertaining to the file is changed to E5h. 2. The values within the FAT that pertain to this file are reset to zero (available).

Term 369

What does BIOS stand for?

Definition 369

BIOS = Basic Input Output System

Term 370

What does the BIOS do?

Definition 370

It is responsible for the initial checking of the system components and initial configuration of the system once power is turned on.

Term 371

What does the Examiner access to determine the target system boot sequence and system date/time?

Definition 371

The system's BIOS (Basic Input/Output System).

Term 372

What is RAM?

Definition 372

Random Access Memory stores data temporarily and is accessible immediately to the Operating System.


Term 373

What is ROM?

Definition 373

Read Only Memory

Term 374

What is the first activity taken by a computer system after power is applied?

Definition 374

POST - Power On Self Test. This includes the testing of identified attached devices on the system bus.

Term 375

When are drive letters assigned by the operating system?

Definition 375

During the boot process. Note these letters are NOT written to the media.

Term 376

In order for media to be bootable it must maintain a _________________.

Definition 376

Bootable partition / volume, and in the case of HDDs it must also be set to Active.

Term 377

What are some examples of Add-In Cards?

Definition 377

SCSI Host Card, Video Card, Network Interface Card (NIC), etc...

Term 378

How are most standard IDE Drives configured for the roles of MASTER/SLAVE/CABLE?

Definition 378

Through the use of Jumper PINs on the physical drive.


Term 379

SCSI drives follow the same methodology as IDE drives of MASTER/SLAVE. A. TRUE B. FALSE

Definition 379

B. FALSE. SCSI drives are assigned ID numbers, usually by a jumper PIN on the physical drive.

Term 380

What is the formula for determining hard drive capacity (CHS geometry)?

Definition 380

Clusters x Heads x Sectors x 512

Term 381

What is contained in the first sector of a standard hard drive?

Definition 381

The MASTER BOOT RECORD. In the Windows and Linux operating system environment, the partition table is also located here.

Term 382

What is contained in the first sector of each defined partition on a physical hard drive?

Definition 382

VOLUME BOOT RECORD.

Term 383

The partition Master Boot Record (MBR) can maintain how many entries? What is each record's length?

Definition 383

The MBR can maintain four (4) records, each 16 Bytes in length.

Term 384

Using EnCase while doing an on-site triage, what are the four (4) options for previewing a drive?

Definition 384

1. FastBloc 2. Parallel Cable 3. Network Cable 4. Boot Disk Text Search


Term 385

Why is it important to boot a target system with a Forensic Boot Disk?

Definition 385

To prevent writes to the target hard drive and the default mounting of a compressed volume.

Term 386

What two files need to be modified on a standard DOS boot disk to make it forensically sound?

Definition 386

1. IO.SYS 2. COMMAND.COM Also, the drvspace.bin command must be removed.

Term 387

Run through the basic procedure for a forensic system takedown.

Definition 387

1. Photograph environment 2. External inspection 3. Label connections 4. Internal inspection 5. Disconnect power/data cables from HDD 6. Boot with EnCase boot disk 7. Access BIOS - note date/time and boot sequence

Term 388

Using the EnCase Boot Disk, you will be able to see ALL file systems, including NT logical partitions, Linux, Unix, and MAC HFS. A. TRUE B. FALSE

Definition 388

B. FALSE. The EnCase boot disk uses DOS, which cannot understand other file systems. You should obtain the physical disk evidence file, and then resolve the file structure using EnCase.

Term 389

Evidence files can be restored to media of equal OR greater size. A. TRUE B. FALSE

Definition 389

A. TRUE

Term 390

How can you verify that the restore completed properly and that it is an exact match to the original media?

Definition 390

The MD5 hash value of a properly restored evidence file will match the value maintained within the evidence file.


Term 391

When restoring evidence files of a logical partition, the file system it is being restored to must match the original. A. TRUE B. FALSE

Definition 391

A. TRUE

Term 392

Where do you commonly see BASE64 encoded files?

Definition 392

Email Attachments.

Term 393

Where do Windows 2000 and XP store users' personal folders?

Definition 393

"C:\Documents and Settings"

Term 394

What are .LNK files?

Definition 394

.lnk are "shortcut" files created by the Windows operating system to files manipulated by the logged-in user. They can show dates, times, and the full path to the target file.

Term 395

Name some of the more common artifact locations in the Windows 9X operating environment.

Definition 395

C:\Windows\Recent C:\Windows\Desktop C:\Windows\Send To C:\Windows\Temp

Term 396

In DOS/Windows environments, what is the length of FAT Directory entries?

Definition 396

32 Bytes in Length.


Term 397

Every printed document from a computer is considered an "Original". A. TRUE B. FALSE

Definition 397

A. TRUE.

Term 398

Compression of evidence files has no bearing on the validity or admissibility of the data. A. TRUE B. FALSE

Definition 398

A. TRUE. Courts have ruled that the manner in which data is maintained, while in storage, is not relevant, as long as the data is accurately portrayed when accessed and presented in a printout or other output, readable by sight.

Term 399

What is meant by the legal term "Daubert"?

Definition 399

It is a legal test employed by US courts to determine if a scientific or technical process is acceptable.

Term 400

What are the three basic questions asked to determine if a process is acceptable under Daubert?

Definition 400

1. Has the process been tested and subjected to peer review? 2. Does the process/application maintain general acceptance within the related community? 3. Can the findings be duplicated/repeated?

Term 401

If the original evidence must be returned to the owner, can the EnCase Evidence files be considered "Best Evidence"?

Definition 401

Yes.

Term 402

What type of files are commonly associated with printing in the Windows operating system?

Definition 402

.emf / .spl / .shd


Term 403

If the file system is not supported by EnCase, the Examiner cannot use EnCase to do the examination. A. TRUE B. FALSE

Definition 403

B. FALSE. The examiner can still do text searches, run EnScripts for file headers and footers, etc...

Term 404

You need to do an onsite acquisition of a Windows NT Server. Should you shut down the system or pull the power plug?

Definition 404

Gracefully shut down the system. Generally, servers need to be shut down gracefully. Workstations or personal computers should have the power plug pulled.

Term 405

What does IDE stand for?

Definition 405

Integrated Drive Electronics.
