Page 1 of 68
When an EnCase user double-clicks on a file within EnCase, what determines the action that will result?
A. The settings in the case file.
B. The settings in the FileTypes.ini file.
C. The setting in the evidence file.
Answer: B. The settings in the FileTypes.ini file.

Search results are found in which of the following files? Select all that apply.
A. The evidence file
B. The configuration Searches.ini file
C. The case file
Answer: C. The case file

If the cluster #3552 entry in the FAT table contains a value of ??, this would mean:
A. The cluster is unallocated
B. The cluster is the end of a file
C. The cluster is allocated
D. The cluster is marked bad
Answer: A. The cluster is unallocated

The following GREP expression was typed in exactly as shown. Choose the answer(s) that would result. Bob@[a-z]+.com
A. Bob@New zealand.com
B. Bob@My-Email.com
C. Bob@America.com
D. Bob@a-z.com
Answer: C. Bob@America.com

You are an investigator and have encountered a computer that is running at the home of a suspect. The computer does not appear to be a part of a network. The operating system is Windows XP Home. No programs are visibly running. You should:
Answer: A. Pull the plug from the back of the computer.

A physical file size is:
A. The total size in sectors of an allocated file.
B. The total size of all the clusters used by the file measured in bytes.
C. The total size in bytes of a logical file.
D. The total size of the file including the ram slack in
Answer: B. The total size of all the clusters used by the file measured in bytes.
http://www.flashcardmachine.com/print/?limit_flagged=include&topic_id=1014337&mod... 3/14/2011
If cluster number 10 in the FAT contains the number 55, this means:
A. That cluster 10 is used and the file continues in cluster number 55.
B. That the file starts in cluster number 55 and continues to cluster number 10.
Answer: A. That cluster 10 is used and the file continues in cluster number 55.

How are the results of a signature analysis examined?
A. By sorting on the category column in the Table view.
B. By sorting on the signature column in the Table view.
Answer: By sorting on the category column in the Table view. By sorting on the signature column in the Table view.

The acronym ASCII stands for:
A. American Standard Communication Information Index
B. American Standard Code for Information Interchange
C. Accepted Standard Code for Information Interchange
D. Accepted Standard
Answer: B. American Standard Code for Information Interchange

The EnCase default export folder is:
A. A case-specific setting that cannot be changed.
B. A case-specific setting that can be changed.
C. A global setting that can be changed.
D. A global setting that cannot be changed.

The default export folder remains the same for all cases.
A. True
B. False
Answer: B. False
Hash libraries are commonly used to:
A. Compare a file header to a file extension.
B. Identify files that are already known to the user.
C. Compare one hash set with another hash set.
D. Verify the evidence file.
Answer: B. Identify files that are already known to the user.

Which is the proper formula for determining the size in bytes of a hard drive that uses cylinders (C), heads (H), and sectors (S) geometry?
A. C X H + S
B. C X H X S + 512
C. C X H X S X 512
D. C X H X S
Answer: C. C X H X S X 512

Within EnCase, clicking on Save on the toolbar affects what file(s)?
A. All of the above
B. The evidence files
C. The open case file
D. The configuration .ini files
Answer: C. The open case file

EnCase uses the _________________ to conduct a signature analysis.
A. Both a and b
B. file signature table
C. hash library
D. file Viewers

EnCase is able to read and examine which of the following file systems?
A. NTFS
B. EXT3
C. FAT
D. HFS
Answer: A. NTFS, B. EXT3, C. FAT, D. HFS

ROM is an acronym for:
A. Read Open Memory
B. Random Open Memory
C. Read Only Memory
D. Relative Open Memory
Answer: C. Read Only Memory
If a floppy diskette is in the ?? drive, the computer will always boot to that drive before any other device.
A. False
B. True
Answer: B. True

A standard Windows 98 boot disk is acceptable for booting a suspect drive.
A. True
B. False
Answer: A. True

The following GREP expression was typed in exactly as shown. Choose the answer(s) that would result. Jan 1st , 2?0?00
A. Jan 1st , 1900
B. Jan 1st , 2100
C. Jan 1st , 2001
D. Jan 1st , 2000

An evidence file can be moved to another directory without changing the file verification.
A. False
B. True
Answer: B. True

Pressing the power button on a computer that is running could have which of the following results?
A. The computer will instantly shut off.
B. The computer will go into stand-by mode.
C. Nothing will happen.
D. All of the above could happen.
Answer: D. All of the above could happen.
How does EnCase verify that the evidence file contains an exact copy of the suspect's hard drive?
A. By means of a CRC value of the suspect hard drive
B. By means of an MD5 hash of the suspect hard drive compared to an MD5 hash of the data stored in the evidence file.
Answer: B. By means of an MD5 hash of the suspect hard drive compared to an MD5 hash of the data stored in the evidence file.

By default, EnCase will display the data from the end of a logical file, to the end of the cluster, in what color:
A. Red
B. Red on black
C. Black on red
D. Black
Answer: A. Red

The following GREP expression was typed in exactly as shown. Choose the answer(s) that would result. [^a-z]Tom[^a-z]
A. Tomato
B. om? ? RP
C. Toms
D. Stomp
Answer: B. om? ? RP

[question text missing from the source]
A. The only drive on the computer.
B. The primary of two drives connected to one cable.
C. Whenever another drive is on the same cable and is pinned as a slave.
D. A SCSI drive is not pinned as a master.
Answer: D. A SCSI drive is not pinned as a master.

This question addresses the EnCase for Windows search process. If a target word is within a logical file, and it begins in cluster 10 and ends in cluster 15 (the word is fragmented), the search:
A. Will not find it unless file slack is checked on the search dialog box.
B. Will find it because EnCase performs a logical search
Answer: B. Will find it because EnCase performs a logical search

An evidence file was archived onto five CD-ROM disks with the third file segment on disk number three. Can the contents of the third file segment be verified by itself while still on the CD?
A. No. Archived files are compressed and cannot be
C. Yes. Any segment of an evidence file can be verified through re-computing and comparing the CRCs, even if it is on a CD.
Answer: C. Yes. Any segment of an evidence file can be verified through re-computing and comparing the CRCs, even if it is on a CD.
You are a computer forensic examiner tasked with determining what evidence is on a seized computer. On what part of the computer system will you find data of evidentiary value?
A. Microprocessor or CPU
B. USB controller
C. Hard drive
Answer: C. Hard drive

You are a computer forensic examiner explaining how computers store and access the data you recovered as evidence during your examination. The evidence was a log file and was recovered as an artifact of user activity on the ____________, which was stored on the
Answer: B. operating system, file system, partition

You are a computer forensic examiner investigating a seized computer. You recovered a document containing potential evidence. EnCase reports the file system on the forensic image of the hard drive is FAT (File Allocation Table). What information about the document file can
Answer: C. Starting cluster of the file; D. Fragmentation of the file

You are a computer forensic examiner investigating media on a seized computer. You recovered a document containing potential evidence. EnCase reports the file system on the forensic image of the hard drive is NTFS (New Technology File System). What information about the
A. Name of the file
B. Date and time stamps of the file
C. Starting cluster of the file
D. Fragmentation of the file
E. Ownership of the file

You are preparing to lead a team to serve a search warrant on a business suspected of committing large-scale consumer fraud. Ideally, you would assign which tasks to search team members? (Choose all that apply.)
A. Photographer
B. Search and seizure specialists
C. Recorder
D. Digital evidence search and seizure specialists
Answer: A. Photographer

You are a computer forensic examiner at a scene and have determined you will seize a Linux server, which according to your source of information contains the database records for the company under investigation for fraud. What is the best practice for taking down the server for
Answer: A. Photograph the screen and note any running programs or messages, and so on, and use the normal shutdown procedure.
You are a computer forensic examiner at a scene and are authorized to seize only media that can be determined to have evidence related to the investigation. What options do you have to determine whether evidence is present before seizure and a full forensic examination? (Choose all
Answer: B. Use an EnCase boot floppy or CD to boot the machine into Linux, and use LinEn to preview the hard drive through a crossover cable with EnCase for Windows.

You are a computer forensic examiner at a scene and have determined you will need to image a hard drive in a workstation while onsite. What are your options for creating a forensically sound image of the hard drive? (Choose all that apply.)
C. Remove the subject hard drive from the machine, and preview the hard drive in
Answer: B. Use a forensically sound Linux boot CD to boot the machine into Linux, and use LinEn to image the subject hard drive to a second hard drive attached to the machine. C. Remove the subject hard drive from the machine, and image the hard drive in

You are a computer forensic examiner and have imaged a hard drive on site. Before you leave the scene, you want to ensure the image completely verifies as an exact forensic duplicate of the original. To verify the EnCase evidence file containing the image, you should do which of the
Answer: D. Load the EnCase evidence files into EnCase for Windows, allow the verification process to finish, and then check the results for complete verification.

You are a computer forensic examiner and need to verify the integrity of an EnCase evidence file. To completely verify the file's integrity, which of the following must be true?
A. The MD5 hash value must verify.
B. The CRC values and the MD5 hash value both must verify.
Answer: B. The CRC values and the MD5 hash value both must verify.

You are a computer forensic examiner and need to determine what files are contained within a folder called Business documents. What EnCase pane will you use to view the names of the files in the folder?
A. Tree pane
B. Table pane
Answer: B. Table pane

You are a computer forensic examiner and need to view the contents of a file contained within a folder called Business documents. What EnCase pane will you use to view the contents of the file?
A. Tree pane
B. Table pane
C. View pane
Answer: C. View pane
You are a computer forensic examiner and are viewing a file in an EnCase evidence file. With your cursor, you have selected one character in the file. What binary term is used for the amount of data that represents a single character?
Answer: C. A byte

You are a computer forensic examiner and need to search for the name of a suspect in an EnCase evidence file. You enter the name of the suspect into the EnCase keyword interface as John Doe. What search hits will be found with this search term with the default settings? (Choose all that apply.)
Answer: A. John Doe; C. john doe

You are a computer forensic examiner and need to determine whether any Microsoft Office documents have been renamed with image extensions to obscure their presence. What EnCase process would you use to find such files?
A. File signature analysis
B. Recover Folders feature
Answer: A. File signature analysis

You are a computer forensic examiner and want to determine whether a user has opened or double-clicked a file. What folder would you look in for an operating system artifact for this user activity?
A. Temp
B. Recent
Answer: B. Recent

You are a computer forensic examiner and want to reduce the number of files required for examination by identifying and filtering out known good or system files. What EnCase process would you use to identify such files?
A. File signature analysis
Answer: D. File hash analysis

You are a computer forensic examiner and want to determine when a user deleted a file contained in a Windows XP Recycle Bin. In what file is the date and time information about the file deletion contained?
A. index.dat
B. Link file
C. INFO2
Answer: C. INFO2
You are a computer forensic examiner and want to determine how many times a program was executed. Where would you find this information?
A. Temp folder
B. Registry
C. Recycle Bin
D. Program Files
Answer: B. Registry

You are a computer forensic examiner and want to examine any email sent and received by the user of the computer system under investigation. What email formats are supported by EnCase? (Choose all that apply.)

What is the BIOS?
Answer: A. BIOS stands for Basic Input Output System and is a combination of low-level software and drivers that function as the interface, intermediary, or layer between a computer's hardware and its operating system.

[question text missing from the source]
A. The physical computer case that contains all its internal components
B. The computer's internal hard drive
C. A part of the computer whose function is to perform data processing
Answer: C. A part of the computer whose function is to perform data processing

Is the information stored on a computer's ROM chip lost during a proper shutdown?
A. Yes
B. No
Answer: B. No

Is the information contained on a computer's RAM chip accessible after a proper shutdown?
A. Yes
B. No
Answer: B. No
What is the purpose or function of a computer's ROM chip?
A. Long-term or permanent storage of information and instructions
B. Temporary storage area to run applications
C. Permanent storage area for programs and files

Information contained in RAM memory (the system's main memory), which is located on the motherboard, is _________.
A. volatile
B. nonvolatile
Answer: A. volatile

What is the maximum number of drive letters assigned to hard drive(s) partitions on a system?
A. 4
B. 16
C. 24
D. Infinity
Answer: C. 24

The size of a physical hard drive can be determined by which of the following?
A. The cylinder head sector
B. The cylinder head sector 512 bytes
C. The total LBA sectors 512 bytes
D. Adding the total size of sector and cluster
E. Both B and C
The electrical pathway used to transport data from one computer component to another is called what?
A. Bus
B. RAM
C. CMOS
D. BIOS
Answer: A. Bus

What is the main component of a computer to which essential internal devices such as CPU, memory chips, and other chipsets are attached?
A. BIOS
B. Motherboard
C. Expansion card
D. Processor
Answer: B. Motherboard

IDE, SCSI, and SATA are different types of interfaces describing what device?
A. RAM chips
B. Flash memory
C. CPUs
D. Hard drives
Answer: D. Hard drives

What do the terms master, slave, and Cable Select refer to?
A. External SCSI devices
B. Cable types for external hardware
C. Jumper settings for internal hardware such as IDE hard drives and CD drives
Answer: C. Jumper settings for internal hardware such as IDE hard drives and CD drives

What can you assume about a hard drive that is pinned as CS?
A. It's an IDE drive.
B. It's a SATA drive.
C. It's a SCSI drive.
D. All of the above.
Answer: A. It's an IDE drive.
What is found at Cylinder 0, Head 0, Sector 1 on a hard drive?
A. Master boot record
B. Master file table
C. Volume boot record
D. Volume boot sector
Answer: A. Master boot record

What is the first sector on a volume called?
A. File allocation table
B. Volume boot record or sector
C. Master boot record
D. Volume boot device

Which of the following is incorrect?
A. The MBR is typically written when the drive is partitioned with FDISK or DISKPART.
B. A file system is a system or method of storing and retrieving data on a
Answer: D. The partition table is contained within the MBR and consists of a total of 16 bytes, which describes up to four partitions using 4 bytes each to do so.

FAT is defined as which of the following?
A. A table consisting of master boot record and logical partitions
B. A table created during the format that the operating system reads to locate data on a drive
C. A table consisting of file
Answer: B. A table created during the format that the operating system reads to locate data on a drive

How does a corrupted sector located in the data area of a hard drive affect the corresponding cluster number on a FAT table?
A. It does not affect the corresponding cluster number on a FAT table; therefore, the rest of the sectors associated with
Answer: D. It does affect the FAT table. The corresponding cluster number is marked as bad, and the entire cluster is prevented from being written to.

Which of the following describes a partition table?
A. It is located at cylinder 0, head 0, sector 1.
B. Is located in the master boot record.
C. It keeps track of the partitions on a hard drive.
D. All of the above.
Which selection keeps track of a fragmented file in a FAT file system?
A. File allocation table
B. Directory structure
C. Volume boot record
D. Master file table
Answer: A. File allocation table

If the FAT table lists cluster number 2749 with a value of 0, what does this mean about this specific cluster?
A. It is blank and contains no data.
B. It is marked as bad and cannot be written to.
C. It is allocated to a file.
D. It is unallocated and is

Which of the following is true about a volume boot record?
A. It is always located at the first sector of its logical partition.
B. It immediately follows the master boot record.
C. It contains BIOS parameter block and volume
Answer: D. A and C.

The NTFS file system does which of the following?
A. Supports long file names
B. Compresses individual files and directories
C. Supports large file sizes in excess of 4GB
D. All of the above

How many clusters can a FAT32 file system manage?
A. 2 x 32 = 64 clusters
B. 2^32 = 4,294,967,296 clusters
C. 2 x 28 = 56 clusters
D. 2^28 = 268,435,456 clusters
Answer: D. 2^28 = 268,435,456 clusters

The FAT tracks the ________ while the directory entry tracks the ________.
A. file name and file size
B. file's starting cluster and file's last cluster (EOF)
C. file's last cluster (EOF) and file's starting cluster
D. file size and file fragmentation
Answer: C. file's last cluster (EOF) and file's starting cluster
How many copies of the FAT does each FAT32 volume maintain in its default configuration?
A. One
B. Two
C. Three
D. Four
Answer: B. Two

A file's logical size is displayed as?
A. The number of sectors needed that the logical file contains
B. The number of clusters that the logical file contains
C. The number of bytes that the logical file contains
D. The number of bits that

A file's physical size is?
A. Always greater than the file's logical size
B. The number of bytes in the logical file plus all slack space from the end of the logical file to the end of the last cluster
Answer: B. The number of bytes in the logical file plus all slack space from the end of the logical file to the end of the last cluster

A directory entry in a FAT file system has a logical size of which of the following?
A. 0 bytes
B. 8 bytes
C. 16 bytes
D. One sector
Answer: A. 0 bytes

By default, what color does EnCase use to display directory entries within a directory structure?
A. Black
B. Red
C. Gray
D. Yellow
Answer: B. Red
What is the area between the end of a file's logical size and the file's physical size called?
A. Unused disk area
B. Unallocated clusters
C. Unallocated sectors
D. Slack space
Answer: D. Slack space

What three things occur when a file is created in a FAT32 file system?
Answer: A. Directory entry for the file is created, the FAT assigns the necessary clusters to the file, and the file's data is filled in to the assigned clusters.

How does EnCase recover a deleted file?
A. It reads the deleted file name in the FAT and searches for the file by its starting cluster number and logical size.
B. It reads the deleted file name in the directory entry
Answer: C. It obtains the deleted file's starting cluster number and size from the directory entry to obtain the data's starting location and number of clusters required.

What does EnCase do when a deleted file's starting cluster number is assigned to another file?
A. EnCase reads the entire existing data as belonging to the deleted file.
B. EnCase only reads the amount of data from the
C. EnCase marks the deleted file as being overwritten.
Answer: C. EnCase marks the deleted file as being overwritten.

What information does a file's directory entry in a FAT file system store about itself?
A. File name
B. Date/time
C. File extension
D. Starting cluster (extent)
E. All of the above
Answer: E. All of the above

What is the first consideration when responding to a scene?
A. Your safety
B. The safety of others
C. The preservation of evidence
D. Documentation
Answer: A. Your safety
What are some variables regarding a facility that you should consider prior to responding to a scene?
A. What type of structure is it?
B. How large is the structure?
C. What are the hours of operation?

What are some variables regarding items to be seized that you should consider prior to responding to a scene?
A. Location(s) of computers
B. Type of operating system
C. Workstations or mainframes
D. System-critical or
Answer: E. All of the above.

Generally speaking, if you encounter a desktop computer running Windows XP, how should you take down the machine?
A. Shut down using Windows XP.
B. Shut down by pulling the power cord from the outlet.
C. Shut down by pulling the plug from the computer box.
Answer: C. Shut down by pulling the plug from the computer box.

Generally speaking, if you encounter a computer running Windows 2000 Server, how should you take down the machine?
A. Shut down using its operating system.
B. Shut down by pulling the power cord from the outlet.
C. Shut down by pulling the plug from the computer box.
Answer: A. Shut down using its operating system.

Generally speaking, if you encounter a Unix/Linux machine, how should you take down the machine?
A. Shut down using its operating system.
B. Shut down by pulling the power cord from the outlet.
C. Shut down by pulling the plug from the computer box.
Answer: A. Shut down using its operating system.

When unplugging a desktop computer, from where is it best to pull the plug?
A. The back of the computer
B. The wall outlet
C. A or B
Answer: A. The back of the computer
What is the best method to shut down a notebook computer?
A. Unplug from the back of the computer.
B. Unplug from the wall.
C. Remove the battery.
D. Both A and C.
Answer: D. Both A and C.

Generally speaking, if you encounter a Macintosh computer, how should you take down the machine?
A. Shut down using the operating system.
B. Shut down by pulling the power cord from the outlet.
C. Shut down by pulling the plug from the computer box.
Answer: C. Shut down by pulling the plug from the computer box.

Which selection displays the incorrect method for shutting down a computer?
A. DOS: Pull the plug.
B. Windows 2000: Pull the plug.
C. Windows XP: Pull the plug.
D. Linux: Pull the plug.
Answer: D. Linux: Pull the plug.

When shutting down a computer, what information is typically lost?
A. Data in RAM memory
B. Running processes
C. Current network connections
D. Current logged-in users
E. All of the above

Which of the following is not acceptable for bagging a computer workstation?
A. Large paper bag.
B. Brown wrapping paper.
C. Plastic garbage bag.
D. Large antistatic plastic bag.
E. All of the above are acceptable for bagging a
Answer: C. Plastic garbage bag.

EnCE EnCase Certified Examiner
Terms (definitions not present on the page):
SCSI
IDE
SATA
DVD
USB
IEEE
IEEE 1394
Firewire
ISA
MCA
EISA
AGP
PCMCIA
PCI
CMOS
EFI
POST: Power On Self-Test
MBR
VBR
FAT
MFT
POST: Power On Self-Test

Bit flag values for the attribute field at byte offset 11 (FAT directory entry):
0000 0001: Read only
0000 0010: Hidden File
0000 0100: System File
0000 1000: Volume label
0000 1111
0001 0000: Directory
0010 0000: Archive
In which circumstance is pulling the plug to shut down a computer system considered the best practice?
A. When the OS is Linux/Unix
B. When the OS is Windows 2000 and known to be running a large business
Answer: E. None of the above

How is the chain of custody maintained?
A. By bagging evidence and sealing it to protect it from contamination or tampering
B. By documenting what, when, where, how, and by whom evidence was seized
Answer: E. All of the above

It is always safe to pull the plug on a Windows 2000 Professional operating system.
A. True
B. False
Answer: B. False

On a production Linux/Unix server, you must generally be which user to shut down the system?
A. sysadmin
B. administrator
C. root
D. system
Answer: C. root

When would it be acceptable to navigate through a live system?
A. To observe the operating system to determine the proper shutdown process
B. To document currently opened files (if Enterprise/FIM edition is not
Answer: E. All of the above

A console prompt that displayed backslashes (\) as part of its display would most likely be which of the following?
A. Red Hat Linux operating system
B. Unix operating system
C. Linux or Unix operating system logged in as root
D. MS-DOS
Answer: D. MS-DOS
When called to a large office complex with numerous networked machines, is it always a good idea to request the assistance of the network administrator?
A. True
B. False
Answer: B. False

Subsequent to a search warrant where evidence is seized, what items should be left behind?
A. Copy of the affidavit
B. Copy of the search warrant
C. List of items seized
D. A and B
E. B and C
Answer: E. B and C

SAFE

HPA

The odds of any two files having the same M[...] in 2^128, which is, more graphically, 1 in 340,282,366,920,938,000,000,000,000,000,00
http://www.flashcardmachine.com/print/?limit_flagged=include&topic_id=1014337&mod... 3/14/2011
Page 25 of 68
Term 145
Definition 145
Term 146
Definition 146
CRC
When acquiring a hard drive in the DOS mode, what would be the cause of EnCase not detecting partition information? C. Both A and B. A. The drive has been FDisked and the partition(s) removed. B. The partition(s) are not recognized by DOS.
Term 148 Definition 148
Term 147
Definition 147
A standard DOS 6.22 boot disk does not make calls to the C: volume of a hard drive when the diskette is booted. B. False A. True B. False
As a good forensic practice, why would it be a good idea to wipe a forensic drive before reusing it? A. Chain-of-custody B. Cross-contamination C. Different file and operating systems D. Chain of evidence E. No need to wipe
Definition 149 Term 150
B. Cross-contamination
Term 149
Definition 150
If the number of sectors reported by EnCase does not match the number reported by the manufacturer for the drive, what should you do? A. Suspect HPA B. Suspect DCO C. Boot with EnCase for DOS and switch to Direct
E. All of the above
What system files are changed or in any way modified by EnCase when creating an EnCase boot disk? A. IO.SYS B. COMMAND.COM C. DRVSPACE.BIN D. All of the above E. None of the above
D. All of the above
Term 151
Definition 151
Term 152
Definition 152
Reacquiring an image and adding compression will change the MD5 value of the acquisition hash. A. True B. False
B. False
When reacquiring an image, you can change the name of the evidence. A. True B. False
B. False
Term 153
Definition 153
Term 154
Definition 154
Which of the following should you do when creating a storage volume to hold an EnCase evidence file that will be created with EnCase for DOS or LinEn? (Choose all that apply.) A. Format the volume with the FAT file system. B. Give the volume a unique label to identify it. C. Wipe the volume before formatting to conform to best practices, and avoid claims of cross-contamination. D. Create a directory to contain the evidence file.
A. Format the volume with the FAT file system. B. Give the volume a unique label to identify it.
Term 155 Definition 155
In Linux, what describes hdb2? (Choose all that apply.) A. Refers to the primary master B. Refers to the primary slave C. Refers to hard drive number 2 D. Refers to the second
Term 156
Definition 156
When acquiring USB flash memory, you should write-protect it by doing what? A. Engaging the write-protect switch, if equipped B. Modifying the registry in Windows XP SP2 (or higher) to make USB read-only
F. All of the above
Which type or types of cables can be used in a network cable acquisition? A. Standard network patch cable B. CAT-6 network cable C. Network crossover cable D. Standard network patch cable used with a crossover adaptor
C. Network crossover cable D. Standard network patch cable used with a crossover adaptor
Term 157
Definition 157
Term 158
Definition 158
Should Zip/Jaz disks be acquired with EnCase in DOS or Windows? A. DOS B. Windows
A. DOS
When using LinEn, the level of support for USB, FireWire, and SCSI devices is determined by what? A. The drivers built into LinEn B. The drivers provided with the ENBCD C. The distribution of Linux being used
C. The distribution of Linux being used
Definition 159 Term 160 Definition 160
Term 159
Select all that are true about EE and FIM. A. They can acquire or preview a system live without shutting it down. B. They can capture live system-state volatile data using the Snapshot feature. C. With EE, the SAFE is on a separate PC, administered by the keymaster. D. With FIM, the SAFE is on the examiner's PC and the
A. They can acquire or preview a system live without shutting it down. B. They can capture live system-state volatile data using the Snapshot feature.
Term 162 Definition 162
Term 161
Definition 161
How does an EnCase boot disk differ from a DOS 6.22 disk? A. EnCase boot disk adds the EnCase executable, EN.EXE. B. EnCase boot disk switches all calls from C: to A:. C. Both A and B.
C. Both A and B.
The EnCase evidence file is best described as follows: A. A mirror image of the source device written to a hard drive B. A sector-by-sector image of the source device written to corresponding sectors of a secondary hard drive C. A bitstream image of a
D. A bitstream image of a source device written to a file or several file segments
Term 163
Definition 163
Term 164
Definition 164
How does EnCase verify the contents of an evidence file? A. EnCase writes an MD5 hash value for every 32 sectors copied. B. EnCase writes an MD5 value for every 64 sectors copied. C. EnCase writes a CRC value for every 32 sectors copied. D. EnCase writes a CRC value for every 64 sectors copied.
D. EnCase writes a CRC value for every 64 sectors copied.
Term 165
What is the smallest file size that an EnCase evidence file can be saved as? A. 64 sectors B. 512 sectors C. 1 MB D. 2 MB E. 640 MB
Term 166
C. 1 MB
Definition 165
Definition 166
What is the largest file segment size that an EnCase evidence file can be saved as? A. 640 MB B. 1 GB C. 2 GB D. No maximum limit
C. 2 GB
Term 167 Definition 167
How does EnCase verify that the evidence file contains an exact copy of the source device? A. By comparing the MD5 hash value of the source device to the MD5 hash value of the data stored in the evidence file B. By comparing the CRC
A. By comparing the MD5 hash value of the source device to the MD5 hash value of the data stored in the evidence file
Term 168 Definition 168
How does EnCase verify that the case information, such as case number, evidence number, notes, and so on, in an evidence file has not been damaged or altered after the evidence file has been written? A. The case file writes a CRC value for the case
C. EnCase writes a CRC value for the case information and verifies the CRC value when the evidence is added to a case.
For an EnCase evidence file to successfully pass the file verification process, which of the following must be true? A. The MD5 hash value must verify. B. The CRC values and the MD5 hash value both must verify.
B. The CRC values and the MD5 hash value both must verify.
Term 169
Definition 169
Term 170
Definition 170
The MD5 hash algorithm produces a _____ value. A. 32-bit B. 64-bit C. 128-bit D. 256-bit
C. 128-bit
B. 32
Term 171
Definition 172
If an evidence file has been added to a case and completely verified, what happens if the data area within the evidence file is later altered? A. EnCase will detect the error when that area of the evidence file is accessed by the user.
D. All of the above.
Term 173
Which of the following aspects of the EnCase evidence file can be changed during a reacquire of the evidence file? A. Investigator's name B. Evidence number C. Notes D. Evidence file size E. All of the above
Definition 173 Term 174 Definition 174
An evidence file was archived onto five CD-ROMs with the third file segment on disc 3. Can the contents of the third file segment be verified by itself while still on the CD-ROM? A. No. All evidence file segments must be put back together. B. Yes. Any evidence file segment can be verified independently by comparing the CRC values.
B. Yes. Any evidence file segment can be verified independently by comparing the CRC values.
Will EnCase allow a user to write data into an acquired evidence file? A. Yes, when adding notes or comments to bookmarks. B. Yes, when adding search results. C. A and B. D. No, data cannot be added to the evidence file after the
D. No, data cannot be added to the evidence file after the acquisition is made.
Term 175
Definition 175
Term 176
Definition 176
All investigators using EnCase should run tests on the evidence file acquisition and verification process to do which of the following? A. To further the investigator's understanding of the evidence file B. To give more weight to the investigator's testimony
D. All of the above
Term 177 Definition 177
When a noncompressed evidence file is reacquired with compression, the acquisition and verification hash values for the evidence file will remain the same for both files. A. True B. False
A. True
Term 178 Definition 178
Search hit results and bookmarks are stored in the evidence file. A. True B. False
B. False
The EnCase evidence file's logical file name can be changed without affecting the verification of the acquired evidence. A. True B. False
A. True
Term 179
Definition 179
Term 180
Definition 180
An evidence file can be moved to another directory without changing the file verification. A. True B. False
B. False
What happens when EnCase attempts to reopen a case once the evidence file has been moved? A. EnCase reports that the file's integrity has been compromised and renders the file useless. B. EnCase reports a different hash value for the evidence
C. EnCase prompts for the location of the evidence file.
Term 181
Definition 181
Term 182
Definition 182
During reacquisition, you can change which of the following? (Choose all that apply.) A. Block size and error granularity B. Add or remove a password C. Investigator's name D. Compression E. File segment size
A. Block size and error granularity B. Add or remove a password D. Compression E. File segment size
Term 183
In the EnCase Windows environment, must an examiner first create a new case before adding a device to examine? A. Yes B. No
A. Yes
Term 184 Definition 184
Definition 183
Proper file management and organization require that which of the following should be created prior to acquiring evidence? A. Evidence, Export, Temp, and Index folders B. Unique naming conventions for folders belonging to the same case
D. All of the above
Term 185 Definition 185
The EnCase methodology dictates that the lab drive used to store EnCase evidence files must have which of the following prior to acquiring an image? A. FAT 32 partition B. NTFS partition C. Clean format D. Previously wiped and
Term 186
Definition 186
When creating a new case, the Case Options dialog box prompts for which of the following? A. Name (or case name) B. Examiner name C. Default export folder D. Temporary folder E. All of the above
E. All of the above
What determines the action that will result when a user double-clicks a file within EnCase? A. The settings in the TEXTSTYLES.INI file B. The settings in the FILETYPES.INI file C. The settings in the FILESIGNATURES.INI file
B. The settings in the FILETYPES.INI file
Term 187
Definition 187
Term 188
Definition 188
In the EnCase environment, the term external viewers is best described as which of the following? A. Internal programs that are copied out of an evidence file B. External programs loaded in the evidence file to open
C. External programs that are associated with EnCase to open specific file types
Term 189 Definition 189
Where is the list of external viewers kept within EnCase? A. The settings in the TEXTSTYLES.INI file B. The settings in the FILETYPES.INI file C. The settings in the FILESIGNATURES.INI file D. The settings in the VIEWERS.INI file
Term 190
Definition 190
When the copy/unerase feature is used, EnCase saves the selected file(s) to which folder? A. Evidence B. Export C. Temp D. None of the above
B. Export
Term 191 Definition 191
Can the Export folder be moved once it is saved within a case? A. Yes B. No
A. Yes
Term 192
Definition 192
Files that have been sent to external viewers are copied to which folder? A. Evidence B. Export C. Temp D. None of the above
C. Temp
The Temp folder of a case cannot be changed once the case has been saved. A. True B. False
B. False
Term 193
Definition 193
Term 194
Definition 194
Files stored in the Temp folder are removed once EnCase is properly closed. A. True B. False
A. True
How do you access the setting to adjust how often a backup file (.cbak) is saved? A. Select Tools → Options → Case Options B. Select View → Options → Case Options C. Select Tools → Options → Global D. Select View → Options →
Definition 195 Term 196
Term 195
Definition 196
What is the maximum number of columns that can be sorted simultaneously in the Table view tab? A. Two B. Three C. Five D. 28 (maximum number of tabs)
C. Five
Term 197
How would a user reverse-sort on a column in the Table view? A. Hold down the Ctrl key, and double-click the selected column header. B. Right-click the selected column, select Sort, and select either Sort Ascending or Sort Descending.
C. Both A and B.
Definition 197 Term 198 Definition 198
How can you hide a column in the Table view? A. Place the cursor on the selected column, and press Ctrl+H. B. Right-click on the selected column, select Column, and select Hide. C. Right-click on the selected column, select
D. All of the above.
What does the Gallery view tab use to determine graphics files? A. Header or file signature B. File extension C. File name D. File size
B. File extension
Term 199
Definition 199
Term 200
Definition 200
Will the EnCase Gallery view display a .jpeg file if its file extension was renamed to .txt? A. No, because EnCase will treat it as a text file. B. Yes, because the Gallery view looks at a file's header information and not the file extension.
C. Yes, but only if a signature analysis is performed to correct the File Category to Picture based on its file header information.
Term 201 Definition 201
How would a user change the default colors and text fonts within EnCase? A. The user cannot change the default colors and fonts settings. B. The user can change the default colors and fonts settings by right-clicking the selected items and scrolling
Term 202
D. The user can change default colors and fonts settings by clicking the Tools tab on the menu bar, selecting Options, and selecting the Colors tab or Fonts tab.
Definition 202
An EnCase user will always know the exact location of the selected data in the evidence file by looking at which of the following? A. Data bar B. Dixon box C. Disk view D. Hex view
Term 203
A. Data bar
Computers use a numbering system with only two digits, 0 and 1. This system is referred to as which of the following? A. Hexadecimal B. ASCII C. Binary D. FAT
C. Binary
Definition 203
Term 204
Definition 204
A bit can have a binary value of which of the following? A. 0 or 1 B. 0–9 C. 0–9 and A–F D. On or Off
A. 0 or 1
Term 205
Definition 205
Term 206
Definition 206
If 1 bit can have two unique possibilities, 2 bits can have four unique possibilities, and 3 bits can have eight unique possibilities. This is known as the power of 2. How many unique possibilities are there in 8 bits (2^8)? A. 16
D. 256
Term 207 Definition 207
When the letter A is represented as 41h, it is displayed in which of the following? A. Hexadecimal B. ASCII C. Binary D. Decimal
A. Hexadecimal
Term 208 Definition 208
What is the decimal integer value for the binary code 0000-1001? A. 7 B. 9 C. 11 D. 1001
B. 9
Term 209
Select all of the following that depict a Dword value. A. 0000 0001 B. 0001 0000 0000 0001 C. FF 00 10 AF D. 0000 0000 0000 0000 0000 0000 0000 0001
C. FF 00 10 AF D. 0000 0000 0000 0000 0000 0000 0000 0001
Definition 209 Term 210 Definition 210
How many characters can be addressed by the 7-bit ASCII character table? 16-bit Unicode? A. 64 and 256 B. 128 and 256 C. 64 and 65,536 D. 128 and 65,536
D. 128 and 65,536
Where does EnCase (Version 5 or 6) store keywords? A. Within each specific case file (.case and .cbak) B. In the KEYWORDS.INI file C. Both A and B D. None of the above
C. Both A and B
Term 211
Definition 211
Term 212
Definition 212
When performing a keyword search in Windows, EnCase searches which of the following? A. The logical files B. The physical disk in unallocated clusters and other unused disk areas C. Both A and B D. None of the above
C. Both A and B
Term 213
By default, search terms are case sensitive. A. True B. False
B. False
Definition 213
Term 214
Definition 214
By selecting the Unicode box, EnCase searches for both ASCII and Unicode formats. A. True B. False
A. True
With regard to a search using EnCase in the Windows environment, can EnCase find a word or phrase that is fragmented or spans noncontiguous clusters? A. No, because the letters are located in noncontiguous clusters.
D. Yes, EnCase performs both physical and logical searches.
Term 215
Definition 215
Term 216
Definition 216
Which of the following would be a search hit for the His keyword? A. this B. His C. history D. Bill_Chisholm@gmail.com E. All of the above
E. All of the above
Which of the following would be a search hit for the following GREP expression? [^a-z]Liz[^a-z] A. Elizabeth B. Lizzy C. Liz1 D. None of the above
C. Liz1
Term 217
Definition 217
Term 218
Definition 218
Which of the following would be a search hit for the following GREP expression? [\x00-\x07]\x00\x00\x00 A. 00 00 00 01 A0 EE F1 B. 06 00 00 00 A0 EE F1 C. 0A 00 00 00 A0 EE F1 D. 08 00 00 00 A0 EE F1
B. 06 00 00 00 A0 EE F1
Term 219 Definition 219
Which of the following would be a search hit for the following GREP expression? Jan 1st, 2?0?06 A. Jan 1st, 2006 B. Jan 1st, 06 C. Both A and B D. None of the above
Term 220 Definition 220
C. Both A and B
Which of the following will not be a search hit for the following GREP expression? [^#]123[ \-]45[ \-]6789[^#] A. A1234567890 B. A123 45-6789 C. A123-45-6789 D. A123 45 6789
A. A1234567890
Term 221 Definition 221
A sweep or highlight of a specific range of text is referred to as which of the following? A. File group bookmark B. Folder information bookmark C. Highlighted data bookmark D. Notable file bookmark
Term 222
Definition 222
Which of the following is not correct regarding building and querying indexes? A. To search an index, click the Search button on the toolbar. B. Search hits will appear in the Docs tab and in the Transcript tab. C. The Hits tab appears in
A. To search an index, click the Search button on the toolbar.
When running a signature analysis, EnCase will do which of the following? A. Compare a file's header to its hash value. B. Compare a file's header to its file signature. C. Compare a file's hash value to its file extension. D. Compare a file's header to its file extension.
D. Compare a file's header to its file extension.
Term 223
Definition 223
Term 224
Definition 224
A. A unique set of characters at the beginning of a file that identifies the file type B. A unique set of characters following the file name that identifies the file
A. A unique set of characters at the beginning of a file that identifies the file type
Term 225 Definition 225 Term 226
The Windows operating system uses a file name's _______ to associate files with the proper applications. A. signature B. MD5 hash value C. extension D. metadata
C. extension
Definition 226
Unix (including Linux) operating systems use a file's _______ to associate file types to specific applications. A. metadata B. header C. extension D. hash value
B. header
Term 227
The Mac OS X operating system uses which of the following file information to associate a file to a specific application? A. The user-defined setting B. File name extension C. Metadata (creator code) D. All of the above
Definition 227 Term 228 Definition 228
Information regarding a file's header information and extension is saved by EnCase in the _________ file. A. FileSignatures.ini B. FileExtensions.ini C. FileInformation.ini D. FileHeader.ini
A. FileSignatures.ini
When a file's signature is unknown and a valid file extension exists, EnCase will display the following result after a signature analysis is performed: A. Alias (Signature Mismatch) B. !Bad Signature C. Unknown
B. !Bad Signature
Term 229
Definition 229
Term 230
Definition 230
When a file's signature is known and the file extension does not match, EnCase will display the following result after a signature analysis is performed: A. Alias (Signature Mismatch) B. !Bad Signature C. Unknown
A. Alias (Signature Mismatch)
Term 231 Definition 231
When a file's signature is known and the file extension matches, EnCase will display the following result after a signature analysis is performed: A. Alias (Signature Mismatch) B. !Bad Signature C. Unknown
D. Match
Term 232 Definition 232
When a file's signature and extension are not recognized, EnCase will display the following result after a signature analysis is performed: A. Alias (Signature Mismatch) B. !Bad Signature C. Unknown
Term 233
C. Unknown
Can a file with a unique header share multiple file extensions? A. Yes B. No
A. Yes
Definition 233
Term 234
Definition 234
A user can manually add new file headers and extensions by doing which of the following? A. Manually inputting the data in the FileSignatures.ini file B. Right-clicking the file and choosing Add File Signature C. Choosing File Signatures
C. Choosing File Signatures view, right-clicking, and selecting New in the appropriate folder
Select the correct answer that completes the following statement: An MD5 hash ___________. A. is a 128-bit value B. has odds of one in 2^128 that two dissimilar files will share the same value C. is not determined by the file name
D. All of the above
Term 235
Definition 235
Term 236
Definition 236
EnCase can create a hash value for the following: A. Physical devices B. Logical volumes C. Files or groups of files D. All of the above
D. All of the above
What portion of an evidence file does EnCase analyze during the verification process to yield an MD5 hash value? A. Data area B. Entire evidence file C. Case information D. None of the above
A. Data area
Term 237
Definition 237
Term 238
Definition 238
Will changing a file's name affect the file's MD5 hash value? A. Yes B. No
B. No
Usually a hash value found in a hash set named Windows XP Home Edition would be reported in the Hash Category column as which of the following? A. Known B. Notable C. Evidentiary D. Nonevidentiary
A. Known
Term 239
Definition 239
Term 240
Definition 240
With regard to hash categories, evidentiary files or files of interest are categorized as which of the following? A. Known B. Notable C. Evidentiary D. Nonevidentiary
B. Notable
An MD5 hash of a specific media generated by EnCase will yield the same hash value as an independent third-party MD5 hashing utility. A. True B. False
A. True
Term 241
Definition 241
Term 242
Definition 242
A hash _______ is comprised of hash _______, which is comprised of hash _______. A. set(s), library(ies), value(s) B. value(s), set(s), library(ies) C. library(ies), set(s), value(s)
C. library(ies), set(s), value(s)
Term 243
An operating system artifact can be defined as which of the following? A. Information specific to a user's preference B. Information about the computer's general settings C. Information stored about a user's activities on the computer
E. All of the above
Term 244 Definition 244
Definition 243
A FAT file system stores date and time stamps in _______, whereas the NTFS file system stores date and time stamps in _______. A. DOS directory and local time B. Zulu time and GMT C. Local time and GMT D. SYSTEM.DAT and
C. Local time and GMT
Term 245 Definition 245
Where does Windows store the time zone offset? A. BIOS B. Registry C. INFO2 file D. DOS directory or MFT
B. Registry
Term 246
Definition 246
The date and time of when a file was sent to the Recycle Bin can be found where? A. INFO2 file B. Original file name's last access date C. DOS directory or MFT D. $I index file
D. $I index file
Term 247
Definition 247
Term 248
Definition 248
When a text file is sent to a pre-Windows Vista Recycle Bin, Windows changes the short file name of the deleted file to DC0.txt in the Recycle Bin. Select the best choice that explains the deleted file name. A. D=DOS, C=character, 0=index number, file
D. D=deleted, C=drive letter, 0=index number, file extension remains the same
Term 249
When a document is opened, a link file bearing the document's file name is created in the ____ folder. A. Shortcut B. Recent C. Temp D. History
Definition 249 Term 250
B. Recent
Definition 250
Link files are shortcuts or pointers to actual items. These actual items can be what? A. Programs B. Documents C. Folders D. Devices E. All of the above
E. All of the above
Term 251
In NTFS, information unique to a specific user is stored in the ______ file. A. USER.DAT B. NTUSER.DAT C. SYSTEM.DAT D. None of the above
Term 252
B. NTUSER.DAT
Definition 251
Definition 252
In Windows XP or Windows Vista, by default, how many recently opened documents are displayed in the My Recent Documents or Recent Items folder? A. 4 B. 12 C. 15 D. Unlimited
C. 15
Most of a user's desktop items on a Windows XP operating system would be located in the _________ directory. A. C:\WINDOWS\Desktop B. C:\WinNT\Desktop C. C:\WINDOWS\system32\config\Desktop D. C:\Documents and
Term 253
Definition 253
Term 254
Definition 254
Because this file will hold the contents of RAM when the machine is powered off, the ______ file will be the size of the system RAM and will be in the root directory. A. hiberfil.sys B. WIN386.SWP C. PAGEFILE.SYS D. NTUSER.DAT
A. hiberfil.sys
Term 255
Where can you find evidence of web-based email such as from MSN Hotmail or Google Gmail on a Windows XP system? A. In Temporary Internet Files under Local Settings in the user's profile B. In Unallocated Clusters C. In the pagefile.sys folder
Definition 255 Term 256 Definition 256
File names with the .url extension that direct web browsers to a specific website are located in which folder? A. Favorites folder B. Cookies folder C. Send To folder D. History folder
Term 257
A. Favorites folder
Data about Internet cookies such as URL names, date and time stamps, and pointers to the actual location of the cookie is stored in: A. INFO2 file B. index.dat file C. EMF file D. pagefile.sys file
B. index.dat file
Definition 257
Term 258
Definition 258
On a Windows 98 machine, which folder is the swap or page file contained in? A. WIN386.SWP B. pagefile.sys C. swapfile.sys D. page.swp
A. WIN386.SWP
When you are examining evidence that has been sent to a printer, which file contains an image of the actual print job? A. The Enhanced Metafile (EMF) B. The shadow file C. The spool file D. The RAW file
C. The spool file
Term 259
Definition 259
Term 260
Definition 260
The two modes for printing in Windows are ______ and _______. A. Spooled and Shadowed B. Spooled and Direct C. Spooled and EM D. EMF and RAW
Term 261
Although the Windows operating system removed the EMF file upon a successful print job, the examiner may still recover the file as a result of a search on its unique header information in areas such as Unallocated Clusters or swap file.
A. True
Term 262 Definition 262
Definition 261
The index.dat files are system files that store information about other files. They track date and time stamps, file locations, and name changes. Select the folder that does not contain an index.dat file. A. Cookies B. History
C. Recycle Bin
Term 263
The Temporary Internet Files directory contains which of the following? A. Web page files that are cached or saved for possible later reuse B. An index.dat file that serves as a database for the management of the cached files
D. All of the above
Term 264 Definition 264
Definition 263
How many sector(s) on a hard drive are reserved for the master boot record (MBR)? A. 1 B. 4 C. 16 D. 62 E. 63
E. 63
The very first sector of a formatted hard drive that contains an operating system is referred to as which of the following? A. Absolute sector 0 B. Boot sector C. Containing the master boot record (MBR) D. All of the above
D. All of the above
Term 265
Definition 265
Term 266
Definition 266
How many logical partitions does the partition table in the master boot record allow for a physical drive? A. 1 B. 2 C. 4 D. 24
C. 4
Term 267 Definition 267
The very first sector of a partition is referred to as which of the following? A. Master boot record B. Physical sector 0 C. Active primary partition D. Volume boot record
Term 268
Definition 268
If a hard drive has been fdisked, EnCase can still recover the deleted partition(s), if you point to the _________, right-click, and select Add Partition. A. master boot record B. volume boot record C. partition table D. unallocated space
B. volume boot record
Term 269 Definition 269
In an NTFS partition, where is the backup copy of the volume boot record (VBR) stored? A. In the partition table B. Immediately after the VBR C. The last sector of the partition D. An NTFS partition does not store a backup of the
C. The last sector of the partition
Term 270 Definition 270
EnCase can mount a compound file, which can then be viewed in a hierarchical format. Select an example of a compound file. A. Registry file (that is, .dat) B. Email file (that is, .edb, .nsf, .pst, .dbx) C. Compressed file (that is,
E. All of the above
Windows XP contains two master keys in its registry. They are HKEY_LOCAL_MACHINE and which of the following? A. HKEY_USERS B. HKEY_CLASSES_ROOT C. HKEY_CURRENT_USER D. HKEY_CURRENT_CONFIG
A. HKEY_USERS
Term 271
Definition 271
Term 272
Definition 272
In Windows 2000/XP, information about a specific user's preference is stored in the NTUSER.DAT file. This compound file can be found where? A. C:\ B. C:\WINDOWS\ C. C:\Documents and Settings\username
C. C:\Documents and Settings\username
Term 273 Definition 273
In an NTFS file system, the date and time stamps recorded in the registry are stored where? A. Local time based on the BIOS settings B. GMT and converted based on the system's time zone settings
B. GMT and converted based on the system's time zone settings
Term 274 Definition 274
EnScript is a proprietary programming language and application programming interface (API) developed by Guidance Software, designed to function properly only within the EnCase environment. A. True B. False
A. True
Term 275 Definition 275
Since EnScript is a proprietary programming language developed by Guidance Software, EnScripts can be created by and obtained only from Guidance Software. A. True B. False
B. False
Term 276 Definition 276
Filters are a type of EnScript that filters a case for certain file properties such as file types, dates, and hash categories. Like EnScripts, filters can also be changed or created by a user. A. True B. False
A. True
Select the type of email that EnCase 6 is not capable of recovering. A. Microsoft Outlook and Outlook Express B. AOL C. Netscape, MSN Hotmail, and Yahoo! Mail D. Lotus Notes and Microsoft Exchange Server E. None of the above
Term 277
Definition 277
Term 278
Definition 278
Which method is used to view the contents of a compound file that contains emails such as a PST file in EnCase 6? A. Right-click, and select View File Structure. B. Run search, and in the Search menu select the types of email to recover.
C. Both A and B.
Term 279 Definition 279
EnCase 6 cannot process web-based email such as MSN Hotmail or Yahoo! Mail because the information can be found only on the mail servers. A. True B. False
B. False
Term 280 Definition 280
The EnCase Decryption Suite (EDS) will not decrypt Microsofts Encrypting File System (EFS) on the ___________ operating system. A. Windows 2000 Professional and Server B. Windows XP Professional C. Windows 2003 Server
Term 281
At which levels can the VFS module mount objects in the Windows environment? D. Windows XP Home Edition A. The case level B. The disk or device level C. The volume level D. The folder level E. All of the above
Term 282
Definition 281
Definition 282
The Physical Disk Emulator (PDE) module is similar to the Virtual File System (VFS); the module can mount a piece of media that is accessible in the Windows E. Both A and B environment. Select the type (s) of media that the Physical Disk Emulator cannot mount.
The Physical Disk Emulator (PDE) module is similar to the Virtual File System (VFS); the module can mount a piece of media that is accessible in the Windows E. Both A and B environment. Select the type (s) of media that the Physical Disk Emulator cannot mount.
Term 283
The Virtual File System (VFS) module mounts data as _______, while the Physical Disk Emulator (PDE) module mounts data as _______. A. network share, emulated disk B. emulated disk, network share
Definition 283
A. network share, emulated disk
Term 284
The end of a logical file to the end of the cluster in which the file ends is called: A. Unallocated space B. Allocated space C. Available space D. Slack
Definition 284
D. Slack
Term 285
The boot partition table found at the beginning of a hard drive is located in what sector? A. Volume boot record B. Master boot record C. Master file table D. Volume boot sector
Definition 285
B. Master boot record
Term 286
What information in a FAT file system directory entry refers to the location of a file on a hard drive? A. The file size B. The file attributes C. The starting cluster D. The fragmentation settings
Definition 286
Term 287
A logical file would be best described as: A. The data from the beginning of the starting cluster to the length of the file. B. The data taken from the starting cluster to the end of the cluster occupied by the file.
Definition 287
A. The data from the beginning of the starting cluster to the length of the file.
Term 288
A case file can contain __ hard drive images. A. 1 B. 5 C. 10 D. Any number of
Definition 288
D. Any number of
Term 289
Calls to the C:\ volume of the hard drive are not made by DOS when a computer is booted with a standard DOS 6.22 boot disk. A. True B. False
Definition 289
B. False
Term 290
Select the appropriate name for the highlighted area of the binary numbers. 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 A. Word
Definition 290
E. Byte
Term 291
If an evidence file has been added to a case and completely verified, what happens if the data area within the evidence file is later changed? A. EnCase will detect the error when that area of the evidence file is accessed by the user.
Definition 291
D. All of the above.
Term 292
The BIOS chip on an IBM clone computer is most commonly located on: A. The motherboard B. The controller card C. The microprocessor D. The RAM chip
Definition 292
A. The motherboard
Term 293
Consider the following path in the FAT file system: C:\My Documents\My Pictures\Bikes. Where does the directory Bikes receive its name? A. From the My Pictures directory B. From itself C. From the root directory C:\
Definition 293
A. From the My Pictures directory
Term 294
The following GREP expression was typed in exactly as shown. Choose the answer(s) that would result. 800[) \-]+555-1212 A. 800.555.1212 B. 8005551212 C. 800-555-1212 D. (800) 555-1212
Definition 294
D. (800) 555-1212
Term 295
How does EnCase verify that the case information (Case Number, Evidence Number, Investigator Name, etc.) in an evidence file has not been damaged or changed after the evidence file has been written? A. The .case file writes a CRC value for the case
Definition 295
C. EnCase writes a CRC value of the case information and verifies the CRC value when the evidence is.
Term 296
Which of the following statements is more accurate? A. The Recycle Bin increases the chance of locating the existence of a file on a computer. B. The Recycle Bin reduces the chance of locating the
Definition 296
A. The Recycle Bin increases the chance of locating the existence of a file on a computer.
Term 297
The first sector on a volume is called the: A. Volume boot device B. Master boot record C. Master file table D. Volume boot sector or record
Definition 297
D. Volume boot sector or record
Term 298
When an EnCase user double-clicks on a file within EnCase, what determines the action that will result? A. The settings in the case file. B. The setting in the evidence file. C. The settings in the FileTypes.ini file.
Definition 298
Term 299
The following GREP expression was typed in exactly as shown. Choose the answer(s) that would result. Bob@[a-z]+.com A. Bob@America.com B. Bob@New zealand.com C. Bob@a-z.com D. Bob@My-Email.com
Definition 299
A. Bob@America.com
Term 300
The following GREP expression was typed in exactly as shown. Choose the answer(s) that would result. [^a-z]Tom[a-z] A. Stomp B. Tomato C. Tom D. Toms
Definition 300
C. Tom
Term 301
The following GREP expression was typed in exactly as shown. Choose the answer(s) that would result. [\x00-\x05]\x00\x00 \x00?[\x00-\x05]\x00\x00\x00 A. 00 00 00 01 FF FF BA B. FF 00 00 00 FF BA
Definition 301
C. 04 00 00 FF FF BA
Term 302
This question addresses the EnCase for Windows search process. If a target word is within a logical file, and it begins in cluster 10 and ends in cluster 15 (the word is fragmented), the search: A. Will not find it because the letters of the keyword are not contiguous.
Definition 302
C. Will find it because EnCase performs a logical search.
Term 303
When a file is deleted in the FAT file system, what happens to the FAT? A. It is deleted as well. B. Nothing. C. The FAT entries for that file are marked as allocated.
Definition 303
Term 304
In DOS and Windows, how many bytes are in one FAT directory entry? A. 8 B. 16 C. 32 D. 64 E. Variable
Definition 304
C. 32
Term 305
When a non-compressed evidence file is reacquired with compression, the acquisition and verification hash values for the evidence will remain the same for both files. A. True B. False
Definition 305
A. True
Term 306
Definition 306
Term 307
An EnCase evidence file of a hard drive _____ be restored to another hard drive of equal or greater size. A. Can B. Cannot
Definition 307
A. Can
Term 308
Definition 308
Term 309
All lab media should be forensically sterile. What does this mean?
Definition 309
The media should be: - WIPED of all data - VERIFIED to be absent of all data - Freshly partitioned and formatted
Term 310
All lab media should maintain a unique __________, and a unique __________ to receive evidence files.
Definition 310
Term 311
What happens when an examiner double-clicks on a file of a file type known by EnCase?
Definition 311
The data is copied to the case-defined TEMP directory, and the associated viewer is then called to display the file data.
Term 312
What happens to the data files that are copied by EnCase to the case-defined TEMP directory?
Definition 312
When EnCase is PROPERLY shut down, EnCase will DELETE the files from the temp folder.
Term 313
Definition 313
It is a BIT STREAM image of the source media written to a file(s).
Term 314
Evidence files can be segmented between a range of _____ and _____.
Definition 314
Min 1 Mb - Max 2000 Mb. (The default size of an evidence file is 640 Mb.)
Term 315
You can add data to an existing evidence file. (TRUE / FALSE)
Definition 315
FALSE. The contents of an evidence file CANNOT be changed, altered, or modified.
Term 316
What does the FIRST block of the evidence file contain?
Definition 316
It contains the CASE INFORMATION, which is validated by an attached CRC.
Term 317
Definition 317
- CRC (32bit) every 64 Sectors - MD5 (128bit) computed during the source media acquisition and placed at the end of the evidence file. ALL CRC's and the MD5 MUST validate and verify.
Term 318
If any changes occur to the evidence file (file corruption, etc...), what happens?
Definition 318
The CRC for the affected block(s) will NO LONGER VERIFY, and EnCase will display an ERROR when any data in that block(s) is accessed.
Term 319
Can individual segments of an evidence file be verified? (YES / NO)
Definition 319
YES. In EnCase go to <Tools> <Verify Single Evidence File>
Term 320
What three (3) aspects of an evidence file can be changed without impacting the evidence file verification?
Definition 320
1. Add / Remove PASSWORD protection 2. Change file COMPRESSION 3. Change the file SEGMENT SIZE
Term 321
Definition 321
It is a TEXT file containing: - Pointers to evidence file(s) - Results of searches and analysis (File Signature / Hashes) - Bookmarks - Investigator's Notes
Term 322
What is the MAXIMUM number of evidence files that can be added to a single case file?
Definition 322
There is NO limit. (ie. 8 HDDs, 200 FDDs, and 24 CDRs)
Term 323
What is the file extension for an EnCase version 4.x case file? ...for the back-up case file?
Definition 323
.CASE for EnCase v4.x (prior versions was .CAS). A backup file is created every 10 minutes by default with an extension of .CBK.
Term 324
Evidence files can be RENAMED and MOVED without changing their Verification and Validity? A. TRUE B. FALSE
Definition 324
A. TRUE. The applied filename of the evidence file can be changed, and/or moved to another location; however, EnCase will prompt you to locate the renamed evidence file, if it is changed/moved after it has been added to a case.
Term 325
In the EnCase Environment, what are configuration files and how are they used?
Definition 325
.INI files that store global changes and settings to the EnCase Environment. The global environment dictates information/tools available for ALL cases.
Term 326
Name the five (6) default configuration files and briefly describe what they are used for...
Definition 326
FileSignatures.INI - dictates what will happen when a user double-clicks on a specific file. FileTypes.INI - external viewers are associated with file extensions. Keywords.INI - stores global keyword lists used during
Term 327
Searches within the EnCase Windows environment are both __________ and __________.
Definition 327
- PHYSICAL - LOGICAL
Term 328
What is UNICODE?
Definition 328
Unicode uses TWO (2) bytes for each character, allowing the representation of 65,536 characters.
Term 329
During a search for a keyword, selecting the UNICODE option will cause EnCase to search for the keyword in both ASCII and UNICODE. A. TRUE B. FALSE
Definition 329
A. TRUE
Term 330
How is the GREP symbol " ? " used during a search?
Definition 330
? Means "or not" - joh?n will yield both JON and JOHN.
Term 331
How is the GREP symbol " \x " used during a search?
Definition 331
\x Indicates that the following value is to be treated as a hexadecimal value. (\xFF\xD8\xFF...)
Term 332
Definition 332
* States to repeat the preceding character or set any number of times, including zero times.
Term 333
How is the GREP symbol " + " used during a search?
Definition 333
+ States to repeat the preceding character or set any number of times, but at least once.
Term 334
How is the GREP symbol " ^ " used during a search?
Definition 334
^ States "not" - [^a-z] = NO alpha characters from a to z.
Term 335
How are the GREP symbols " [ ] " used during a search?
Definition 335
[ ] Square brackets form a set. The included values within the set have to match a single character. [1-9] will match any single numeric value from 1 to 9.
Term 336
Definition 336
Term 337
Default settings for the EnCase BOOT DISK search do NOT include case sensitivity, GREP or UNICODE. A. True B. False
Definition 337
A. True
Term 338
Definition 338
Searches in unallocated space are PHYSICAL only, as no logical definitions exist in this area.
Term 339
In the EnCase Windows environment, searches will find keywords in noncontiguous clusters in unallocated space. A. TRUE B. FALSE
Definition 339
B. False. No searching tool will find keywords in non-contiguous clusters in unallocated space.
Term 340
Within the EnCase Environment, what does the File Signatures function do?
Definition 340
It simply compares the displayed file extension with the file's header/signature.
Term 341
Definition 341
B. FALSE. The File Signature table CAN be edited and/or added to by accessing the table, and choosing [right-click]-New.
Term 342
After adding a device to your case, you immediately go to the Gallery View tab, as this will display all supported image files, even if they maintain extensions inconsistent with image files. A. TRUE B. FALSE
Definition 342
B. FALSE. The Gallery View will NOT display image files with incorrect extensions until the File Signature Analysis function has been run.
Term 343
After running the File Signature Analysis function, a file shows " !Bad Signature " as the result. What does this mean?
Definition 343
!Bad Signature - The extension is in the File Signature table, but the header is incorrect and the header is not in the File Signatures table. BAD -> [header].[ext] <- GOOD
Term 344
After running the File Signature Analysis function, a file shows " *[Alias] " as the result. What does this mean?
Definition 344
*[Alias] - The header is in the table and the extension is incorrect. This indicates a file with a renamed extension. GOOD -> [header].[ext] <- BAD
Term 345
After running the File Signature Analysis function, a file shows " MATCH " as the result. What does this mean?
Definition 345
MATCH - The header matches the extension. If the extension has no header in the File Signatures table then EnCase will return a MATCH as long as the header of the file does not match any header in the File Signatures table. GOOD -> [header].[ext] <- GOOD
Term 346
Before running the File Signature Analysis function, the Gallery View will display all supported image files, even if they maintain extensions inconsistent with image files. A. TRUE B. FALSE
Definition 346
B. FALSE. The Gallery View will NOT display image files with incorrect extensions until the File Signature Analysis function has been run.
Term 347
After running the File Signature Analysis function, a file shows " UNKNOWN " as the result. What does this mean?
Definition 347
UNKNOWN - Indicates that neither the header/signature nor the extension is listed in the table. If either the header/signature or the extension is listed in the table, you will NOT obtain a value of UNKNOWN. UNKNOWN -> [header].[ext] <- UNKNOWN
Term 348
The hash value computed for a given file is based upon the physical file, including the file's slack area. A. TRUE B. FALSE
Definition 348
B. FALSE. The hash value is computed on the LOGICAL file only.
Term 349
The hash value for a file will change if it is moved to another Folder/Directory. A. TRUE B. FALSE
Definition 349
B. FALSE. The Folder/Directory that a file resides within has NO bearing on its hash value.
Term 350
What purpose does a Hash Analysis serve for the Examiner?
Definition 350
Hash Analysis allows the examiner to identify files that are known - either as innocuous files that can be ignored, or as files that are evidentiary in content.
Term 351
A file's content can be recreated based on the computed hash value of that file. A. TRUE B. FALSE
Definition 351
B. FALSE. A file CANNOT be created from the file's computed hash value.
Term 352
Definition 352
Term 353
Definition 353
The ASCII table is a 7-bit table. The resultant 128 values represent alpha/numeric values, common punctuation, etc.
Term 354
Definition 354
Term 355
Definition 355
Nibble = 4 bits (16 possible values) Byte = 8 bits (256 possible values) Word = 2 bytes (16 bits) DWord = 4 bytes (32 bits)
Term 356
Only one file can occupy a CLUSTER at one time. A. TRUE B. FALSE
Definition 356
Term 357
___________ file size is the amount of actual media space allocated to the file. Choose One: A. Physical B. Logical C. Allocated
Definition 357
A. PHYSICAL
Term 358
___________ file size is the actual number of bytes that the file contains. Choose One: A. Physical B. Logical C. Allocated
Definition 358
B. LOGICAL
Term 359
Definition 359
512 data bytes. This size is consistent across different media types. (ZIP Disks, Floppies, HDD, etc...)
Term 360
Definition 360
Term 361
The number of clusters that a file system can manage is determined by the available number of _____ employed by the FAT. Choose One: A. bytes B. bits C. sectors
Definition 361
B. BITS. FAT16 (2^16) - allows 65,536 clusters; FAT32 (2^32) - allows 268,435,456 clusters
Term 362
The FAT file systems (FAT12, FAT16, FAT32) group one or more sectors, in powers of 2, into _________. Choose One: A. Blocks B. Clusters C. Groups
Definition 362
B. Clusters
Term 363
The FAT maintains information regarding the status of all the clusters on the volume. What are some of these settings?
Definition 363
Term 364
Definition 364
It is the data from the end of the logical file to the end of the physical file. EnCase displays this data in RED text.
Term 365
EnCase displays Slack Space in red text. By default, what other entry is also displayed in red and why?
Definition 365
Directory entries are also displayed in red. Neither slack nor directories have any logical size.
Term 366
How does EnCase determine if a deleted file has been overwritten?
Definition 366
If the starting extent (cluster) is in use by another file.
Term 367
Deleting a file has NO effect on the actual data in FAT or NTFS. A. TRUE B. FALSE
Definition 367
A. TRUE
Term 368
What two (2) actions occur when a file is deleted from a FAT system?
Definition 368
1. The first character of the directory entry pertaining to the file is changed to E5h. 2. The values within the FAT that pertain to this file are reset to zero (available).
Term 369
Definition 369
It is responsible for the initial checking of the system components and initial configuration of the system once power is turned on.
Term 370
Definition 370
Term 371
What does the Examiner access to determine the target system boot sequence and system date/time?
Definition 371
Term 372
What is RAM?
Definition 372
Random Access Memory stores data temporarily and is accessible immediately to the Operating System.
Term 373
What is ROM?
Definition 373
Term 374
What is the first activity taken by a computer system after power is applied?
Definition 374
POST - Power On Self Test. This includes the testing of identified attached devices on the system bus.
Term 375
Definition 375
During the boot process. Note these letters are NOT written to the media.
Term 376
Definition 376
Bootable partition / volume and in the case of HDDs it must also be set to Active.
Term 377
How are most standard IDE drives configured for the roles of MASTER/SLAVE/CABLE?
Definition 377
Term 378
Definition 378
SCSI Host Card, Video Card, Network Interface Card (NIC), etc...
Term 379
SCSI drives follow the same methodology as IDE drives of MASTER/SLAVE. A. TRUE B. FALSE
Definition 379
B. FALSE. SCSI drives are assigned ID numbers, usually by a jumper PIN on the physical drive.
Term 380
What is the formula for determining hard drive capacity (CHS geometry)?
Definition 380
Term 381
What is contained in the first sector of a standard hard drive?
Definition 381
The MASTER BOOT RECORD. In the Windows and Linux operating system environment, the partition table is also located here.
Term 382
What is contained in the first sector of each defined partition on a physical hard drive?
Definition 382
VOLUME BOOT RECORD.
Term 383
The partition Master Boot Record (MBR) can maintain how many entries? What is each record's length?
Definition 383
The MBR can maintain four (4) records, each 16 Bytes in length.
Term 384
Using EnCase while doing an on-site triage, what are the four (4) options for previewing a drive?
Definition 384
Term 385
Why is it important to boot a target system with a Forensic Boot Disk?
Definition 385
To prevent writes to the target hard drive and the default mounting of a compressed volume.
Term 386
What two files need to be modified on a standard DOS boot disk to make it forensically sound?
Definition 386
1. IO.SYS 2. COMMAND.COM Also, the drvspace.bin command must be removed.
Term 387
Definition 387
1. Photograph environment 2. external inspection 3. label connections 4. internal inspection 5. disconnect power/data cables from HDD 6. boot with EnCase boot disk 7. access BIOS - note date/time and boot sequence
Term 388
Using the EnCase Boot Disk, you will be able to see ALL file systems, including NT logical partitions, Linux, Unix, and MAC HFS. A. TRUE B. FALSE
Definition 388
B. FALSE. The EnCase boot disk uses DOS, which cannot understand other file systems. You should obtain the physical disk evidence file, and then resolve the file structure using EnCase.
Term 389
Evidence files can be restored to media of equal OR greater size. A. TRUE B. FALSE
Definition 389
A. TRUE
Term 390
How can you verify that the restore completed properly and that it is an exact match to the original media?
Definition 390
The MD5 hash value of a properly restored evidence file will match the value maintained within the evidence file.
Term 391
When restoring evidence files of a logical partition, the file system it is being restored to must match the original. A. TRUE B. FALSE
Definition 391
A. TRUE
Term 392
Definition 392
Email Attachments.
Term 393
Where does Windows 2000 and XP store users' personal folders?
Definition 393
"C:\Documents and Settings"
Term 394
Definition 394
.lnk are "shortcut" files created by the Windows operating system to files manipulated by the logged-in user. They can show dates, times, and the full path to the target file.
Term 395
Name some of the more common artifact locations in the Windows 9X operating environment.
Definition 395
Term 396
Definition 396
32 Bytes in Length.
Term 397
Every printed document from a computer is considered an "Original". A. TRUE B. FALSE
Definition 397
A. TRUE.
Term 398
Compression of evidence files has no bearing on the validity or admissibility of the data. A. TRUE B. FALSE
Definition 398
Courts have ruled that the manner in which data is maintained, while in storage, is not relevant, as long as the data is accurately portrayed when accessed and presented in a printout or other output, readable by sight.
Term 399
What are the three basic questions asked to determine if a process is acceptable under Daubert?
Definition 399
1. Has the process been tested and subjected to peer review? 2. Does the process/application maintain general acceptance within the related community? 3. Can the findings be duplicated/repeated?
Term 400
Definition 400
A. TRUE
Term 401
If the original evidence must be returned to the owner, can the EnCase Evidence files be considered "Best Evidence"?
Definition 401
Yes.
Term 402
What type of files are commonly associated with printing in the Windows operating system?
Definition 402
Term 403
If the file system is not supported by EnCase, the Examiner cannot use EnCase to do the examination. A. TRUE B. FALSE
Definition 403
B. FALSE. The examiner can still do text searches, run EnScripts for file headers and footers, etc...
Term 404
You need to do an onsite acquisition of a Windows NT Server. Should you Shut Down the system or pull the power plug?
Definition 404
Gracefully shut down the system. Generally, servers need to be shut down gracefully. Workstations or personal computers should have the power plug pulled.
Term 405
Definition 405
Term 406
Definition 406