Deck 2: Certification for EnCE Outside North America

A) A global setting that cannot be changed.
B) A case-specific setting that can be changed.
C) A global setting that can be changed.
D) A case-specific setting that cannot be changed.

A) Storage
B) There is no concern
C) Chain-of-custody
D) Cross-contamination

A) HFS
B) FAT
C) NTFS
D) EXT3
E) None of the above

A) Chain-of-custody
B) Cross-contamination
C) Storage
D) There is no concern

A) Renamed to JPG_0001. jpg and copied to the default export folder.
B) Copied to the default export folder and opened by an associated program.
C) Opened by EnCase.
D) Copied to the EnCase specified temp folder and opened by an associated program.

A) Storing information that will be available to EnCase each time it is opened, regardless of the active case(s).
B) Storing the results of a signature analysis.
C) Storing pointers to acquired evidence.
D) Storing information that is specific to a particular case.

A) The BIOS is responsible for checking and configuring the system after the power is turned on.
B) Both a and c
C) The BIOS is responsible for swapping out memory pages when RAM fills up.
D) The BIOS integrates compressed executable files with memory addresses for faster execution.

A) One cluster
B) 0 bytes
C) 128 bytes
D) 64 bytes

A) MyNote.txt, DC0.txt
B) MyNote.del, DC1.del
C) MyNote.txt, CD0.txt
D) MyNote.del, DC0.del

A) All of the above
B) The partition table of extents
C) The File Allocation Table
D) The directory entry for the fragmented file

A) EnCase will not see a drive that has been fdisked.
B) Use the recovered Deleted Partitions feature and then examine the system.
C) Conduct a physical search of the hard drive and bookmark any evidence.
D) Use the add Partition feature to rebuild the partition and then examine the system.

A) a search of the logical files
B) a search of the physical disk in unallocated clusters and other unused disk areas
C) both a and b
D) None of the above

A) Compare a file header to a file extension.
B) Compare one hash set with another hash set.
C) Identify files that are already known to the user.
D) Verify the evidence file.

A) Random Addressable Memory
B) Relative Addressable Memory
C) Relative Address Memory
D) Random Access Memory

A) 8
B) 4
C) 2
D) 1

A) 16
B) 8
C) 32
D) Variable
E) 64

A) 00 00 00 01 FF FF BA
B) FF 00 00 00 00 FF BA
C) 04 00 00 00 FF FF BA
D) 04 06 00 00 00 FF FF BA

A) Either the CRC or MD5 hash values must verify.
B) The CRC values must verify.
C) The CRC values and the MD5 hash value both must verify.
D) The MD5 hash value must verify.

A) Anything plugged into socket 7
B) A motherboard
C) A video card that is connected to the motherboard in the AGP slot
D) The board that connects to the power supply

A) 1
B) 5
C) 10
D) any number of

A) All of the above
B) The case file
C) The evidence file
D) The configuration Bookmarks.ini file

A) This is the folder used to hold copies of files that are sent to external viewers.
B) This is the folder that will automatically store an evidence file when the acquisition is made in DOS.
C) This is the folder that will be automatically selected when the copy/unerase feature is used.
D) This is the folder that temporarily stores all bookmark and search results.

A) 1
B) 8
C) 4
D) 2

A) The starting cluster
B) The fragmentation settings
C) The file attributes
D) The file size

A) Programs that are exported out of an evidence file.
B) Programs that are associated with EnCase to open specific file types.
C) Any program that will work with EnCase.
D) Any program that is loaded on the lab hard drive.

A) command.com
B) io.sys
C) autoexec.bat
D) drvspace.bin

A) Master boot record
B) Volume boot sector
C) Master file table
D) Volume boot record

A) Red
B) Black
C) Red on black
D) Black on red

A) No.  Data cannot be added to the evidence file after the acquisition is made.
B) Yes, but only bookmarks.
C) Yes, but only case information.
D) No, unless the user established a writing privilege when the evidence was acquired.
E) Yes, but only to resize the partitions.

A) The case file
B) All of the above
C) The configuration FileSignatures.ini file
D) The evidence file

A) There are no partitions present.
B) The partition scheme is not recognized by DOS.
C) Both a and b
D) Neither a or b

A) Credit Card
B) credit card
C) Card
D) Credit

A) Will find it because EnCase performs a logical search.
B) Will not find it unless slack is checked on the search dialog box.
C) Will not find it because EnCase performs a physical search only.
D) Will not find it because the letters of the keyword are not contiguous.

A) Random Open Memory
B) Read Open Memory
C) Relative Open Memory
D) Read Only Memory

A) Basic Integrated Operating System
B) Basic Input/Output System
C) Binary Input/Output System
D) Binary Integrated Operating System

A) The date and time
B) The video caching information
C) The port assigned to the serial port
D) The boot sequence

A) From the root directory C : \
B) From itself
C) From the My Pictures directory
D) From the My Documents directory

A) Nibble
B) Byte
C) Dword
D) Bit
E) Word

A) Unallocated space
B) Allocated space
C) Slack
D) Available space

A) directory entry
B) data on the hard drive
C) deletion table
D) FAT

A) When the power button to a computer is turned on.
B) When SCSI devices are configured.
C) When Windows starts up.
D) After a computer begins to boot from a device.

A) C : \ Program files\Programs\Desktop
B) C : \ Startup\Desktop\Items
C) C : \ Windows\Desktop
D) C : \ Desktop

A) The settings in the case file.
B) The setting in the evidence file.
C) The settings in the FileTypes.ini file.
D) Both a and b.

A) Bit
B) Nibble
C) Word
D) Byte
E) Dword

A) The BIOS on an add-in card is executed.
B) The boot sector is located on the hard drive.
C) The power On Self-Test.
D) The floppy drive is checked for a diskette.

A) That the file starts in cluster number 55 and continues to cluster number 10.
B) The cluster number 55 is the end of an allocated file.
C) That there is a cross-linked file.
D) That cluster 10 is used and the file continues in cluster number 55.

A) Signature analysis results
B) Search results
C) Pointers to evidence files
D) External viewers

A) No.  The images could be located a compressed file.
B) No.  The images could be in unallocated clusters.
C) No.  The images could be embedded in a document.
D) All of the above.
E) No.  The images could be in an image format not viewable inside EnCase.

A) Clusters; file size
B) Sectors; file size
C) Clusters; starting extent
D) Sectors; starting extent

A) Red
B) Black
C) Black on red
D) Red on black

A) Yes, because the chk1.dll file was moved and renamed.
B) No, because the Windows operating system likely moved and renamed the chk1.dll file during disk maintenance.
C) No, because the chk1.dll file has no evidentiary value.
D) Yes, because the ch1.dll is all the evidence required to prove the case.

A) Set up the connection of IDE hard drives.
B) None of the above.
C) Configure the motherboard settings to the BIOS.
D) Make SCSI hard drives and other SCSI devices accessible to the operating system.

A) EnCase writes a CRC value for every 64 sectors copied.
B) EnCase writes an MD5 hash value for every 32 sectors copied.
C) EnCase writes an MD5 hash value every 64 sectors copied.
D) EnCase writes a CRC value for every 128 sectors copied.

A) Allocated
B) Cross-linked
C) Unallocated
D) Overwritten

A) Will only find the keyword if it is Unicode.
B) None of the above.
C) Unicode is not a search option for EnCase.
D) Will find the keyword if it is either Unicode or ASCII.

A) Nibble
B) Dword
C) Word
D) Bit
E) Byte

A) The presence and location of the images is strong evidence of possession.
B) The presence and location of the images is not strong evidence of possession.
C) The presence and location of the images proves the images were intentionally downloaded.
D) Both a and c

A) Record the identity of the person(s) involved in the seizure.
B) Record the location that the computer was recovered from.
C) Record nothing to avoid inaccuracies that might jeopardize the use of the evidence.
D) Record the date and time the computer was seized.

A) The user utilizes a text editor.
B) The user utilizes the case information editor within EnCase.
C) The evidence file is reacquired.
D) The case information cannot be changed in an evidence file, without causing the verification feature to report an error.

A) The total size of all the clusters used by the file measured in bytes.
B) The total size in bytes of a logical file.
C) The total size of the file including the ram slack in bytes.
D) The total size in sectors of an allocated file.

A) Pull the plug from the wall.
B) Photograph the screen and pull the plug from the back of the computer.
C) Pull the plug from the back of the computer.
D) Navigate through the program and see what the program is all about, then pull the plug.

A) Areas compared with each other to verify the correct file type.
B) Synonymous.
C) The signature is the file extension.  The header is a standard pattern normally found at the beginning of a file.
D) None of the above

A) When the FAT 32 has the same number of sectors / clusters.
B) When the FAT 32 is the same size or bigger.
C) Never
D) Both A and B

A) A compound e-mail attachment.
B) A graphics file attached to an e-mail message.
C) A file format used in the printing process by Windows.
D) A compressed zip file.

A) Test the technique on simulated evidence in a controlled environment to confirm that the results are consistent.
B) Be trained in the employment of the technique.
C) Neither a or b.
D) Both a and b.

A) Jan 1 st , 1900
B) Jan 1 st , 2001
C) Jan 1 st , 2000
D) Jan 1 st , 2100

A) Establish a connection with external devices.
B) Temporarily store electronic data that is being processed.
C) Execute the POST during start-up.
D) Permanently store electronic data.

A) Right-clicking on a file and selecting add  
B) Using the new file signature feature under file signatures.
C) Using the new library feature under hash libraries.
D) Using the new set feature under hash sets.

A) Should be done by the user, as they are most familiar with the hard drive.
B) May only be done by trained personnel because the process has the potential to alter the original evidence.
C) May be done by anyone because it is a relatively simple procedure.
D) May only be done by computer scientists.

A) C : \ Windows\Online\Applications\email
B) C : \ Windows\Temp
C) C : \ Windows\Temporary Internet files
D) C : \ Windows\History\Email

A) A group of hash libraries organized by category.
B) A table of file headers and extensions.
C) A group of hash values that can be added to the hash library.
D) Both a and b.

A) The .case file writes a CRC value for the case information and verifies it when the case is opened.
B) EnCase does not verify the case information and case information can be changed by the user as it becomes necessary.
C) EnCase writes a CRC value of the case information and verifies the CRC value when the evidence is added to a case.
D) EnCase writes an MD5 hash value for the entire evidence file, which includes the case information, and verifies the MD5 hash when the evidence is added to a case.

A) Tom
B) Toms
C) Tomato
D) Stomp

A) American Standard Communication Information Index
B) Accepted Standard Communication Information Index
C) American Standard Code for Information Interchange
D) Accepted Standard Code for Information Interchange

A) By means of a CRC value of the suspect hard drive compared to a CRC value of the data stored in the evidence file.
B) By means of a CRC value of the evidence file itself.
C) By means of an MD5 hash of the suspect hard drive compared to an MD5 hash of the data stored in the evidence file.
D) By means of an MD5 hash value of the evidence file itself.

A) The main circuit board that has slots for the microprocessor, RAM, ROM, and add-in cards.
B) Any circuit board, regardless of its function.
C) An add-in card that controls all hard drive activity.
D) An add-in card that handles all RAM.