Deck 1: Certification For ENCE North America

A) Never
B) When the FAT 32 has the same number of sectors / clusters.
C) When the FAT 32 is the same size or bigger.
D) Both B and C

A) There is no concern
B) Cross-contamination
C) Chain-of-custody
D) Storage

A) GIF
B) EMF
C) JPEG
D) Base64

A) command.com
B) autoexec.bat
C) drvspace.bin
D) io.sys

A) The Recycle Bin increases the chance of locating the existence of a file on a computer.
B) The Recycle Bin reduces the chance of locating the existence of a file on a computer.

A) a unique directory on the lab drive for case management
B) a text file for notes
C) an .E01 file on the lab drive
D) All of the above

A) The directory entry for the fragmented file
B) The partition table of extents
C) The File Allocation Table
D) All of the above

A) Navigate through the program and see what the program is all about, then pull the plug.
B) Pull the plug from the back of the computer.
C) Photograph the screen and pull the plug from the back of the computer.
D) Pull the plug from the wall.

A) Using the new library feature under hash libraries.
B) Right-clicking on a file and selecting add.
C) Using the new set feature under hash sets.
D) Using the new file signature feature under file signatures.

A) The file size
B) The file attributes
C) The starting cluster
D) The fragmentation settings

A) The file signature is unknown and the header is a JPEG.
B) The file signature is a JPEG signature and the file extension is incorrect.
C) The file signature is unknown and the file extension is JPEG.
D) None of the above.

A) Pull the plug from the back of the computer.
B) Press the power button and hold it in.
C) Shut it down normally.
D) Pull the plug from the wall.

A) No. Archived files are compressed and cannot be verified until un-archived.
B) No. All file segments must be put back together.
C) Yes. Any segment of an evidence file can be verified through re-computing and comparing the CRCs, even if it is on a CD.
D) No. EnCase cannot verify files on CDs.

A) FF 0000 00 00 FF BA
B) 0000 00 01 FF FF BA
C) 04 06 0000 00 FF FF BA
D) 04 0000 00 FF FF BA

A) Credit card readers
B) Personal assistant devices
C) Cellular phones
D) Digital cameras
E) None of the above

A) The file signature found in the .LNK file
B) The dates and time of the file found in the .LNK file, at file offset 28
C) Both a and b
D) The full path of the file, found in the .LNK file

A) UseFastBloc or a network/parallel port cable to preview the hard drives. Go to the Gallery view and search for the previously identified images.
B) UseFastBloc or a network/parallel port cable to acquire forensic images of the hard drives, then search the evidence files for the previously identified images.
C) UseFastBloc or a network/parallel port cable to preview the hard drives. Conduct a hash analysis of the files on the hard drives, using a hash library containing the hash values of the previously identified images.
D) Use an EnCase DOS boot disk to conduct a text search for child porn. Use an EnCase DOS boot disk to conduct a text search for child porn?

A) Overwritten
B) Allocated
C) Cross-linked
D) Unallocated

A) A compressed zip file.
B) A graphics file attached to an e-mail message.
C) A compound e-mail attachment.
D) A file format used in the printing process by Windows.

A) In the FAT
B) In the directory entry
C) In the file footer
D) In the file header

A) FAT 16 partition
B) NTFS partition
C) unique volume label
D) bare, unused partition

A) data on the hard drive
B) deletion table
C) directory entry
D) FAT

A) The file that runs EnCase for Windows.
B) A filecontain configuration settings for cases.
C) A file that contains information specific to one case.
D) None of the above.

A) From the My Pictures directory
B) From the My Documents directory
C) From the root directory C : \
D) From itself

A) all of the file
B) the starting cluster of the file
C) the directory entry for the file
D) any part of the file

A) EnCase writes a CRC value for every 64 sectors copied.
B) EnCase writes a CRC value for every 128 sectors copied.
C) EnCase writes an MD5 hash value every 64 sectors copied.
D) EnCase writes an MD5 hash value for every 32 sectors copied.

A) The boot sector is located on the hard drive.
B) The Power On Self-Test (POST) 
C) The floppy drive is checked for a diskette.
D) The BIOS on an add-in card is executed.

A) The FAT entries for that file are marked as allocated.
B) Nothing.
C) It is deleted as well.
D) The FAT entries for that file are marked as available.

A) Chain-of-custody
B) Storage
C) There is no concern
D) Cross-contamination

A) 4
B) 1
C) 2
D) 3

A) 1500 MB
B) 1000 MB
C) 2000 MB
D) There is no limit.
E) 500 MB

A) Analyzing the relationship of a file signature to its file extension.
B) Analyzing the relationship of a file signature to its file header.
C) Analyzing the relationship of a file signature to a list of hash sets.
D) Analyzing the relationship of a file signature to its computed MD5 hash value.

A) The evidence number
B) The acquisition notes
C) The investigator name
D) None of the above

A) It is zeroed out.
B) The first character of the directory entry is marked with a hex 00.
C) It is wiped from the directory.
D) The first character of the directory entry is marked with a hex E5.

A) The case file
B) The evidence file
C) The configuration Bookmarks.ini file
D) All of the above

A) A chip that would be considered the brain of a computer, which is installed on a motherboard.
B) A Central Programming Unit.
C) A motherboard with all required devices connected.
D) An entire computer box, not including the monitor and other attached peripheral devices.

A) tom jones
B) Tom
C) Jones
D) Tom Jones

A) 30
B) 3
C) 60
D) 15

A) A video card that is connected to the motherboard in the AGP slot
B) Anything plugged into socket 7
C) A motherboard
D) The board that connects to the power supply

A) C : \ Windows\History
B) C : \ Windows\Start menu\Documents
C) C : \ Windows\Documents
D) C : \ Windows\Recent

A) The BIOS integrates compressed executable files with memory addresses for faster execution.
B) The BIOS is responsible for checking and configuring the system after the power is turned on.
C) The BIOS is responsible for swapping out memory pages when RAM fills up.
D) Both a and c.

A) Clusters;starting extent
B) Sectors;starting extent
C) Clusters;file size
D) Sectors;file size

A) The MD5 hash value must verify.
B) The CRC values must verify.
C) The CRC values and the MD5 hash value both must verify.
D) Either the CRC or MD5 hash values must verify.

A) Yes, but only bookmarks.
B) Yes, but only to resize the partitions.
C) No. Data cannot be added to the evidence file after the acquisition is made.
D) Yes, but only case information.
E) No, unless the user established a writing privilege when the evidence was acquired.

A) Configure the motherboard settings to the BIOS.
B) Set up the connection of IDE hard drives.
C) Make SCSI hard drives and other SCSI devices accessible to the operating system.
D) None of the above.

A) MyNote.txt, CD0.txt
B) MyNote.txt, DC0.txt
C) MyNote.del, DC1.del
D) MyNote.del, DC0.del

A) 5
B) 1
C) any number of
D) 10

A) May be done by anyone because it is a relatively simple procedure.
B) May only be done by trained personnel because the process has the potential to alter the original evidence.
C) May only be done by computer scientists.
D) Should be done by the user, as they are most familiar with the hard drive.

A) Record nothing to avoid inaccuracies that might jeopardize the use of the evidence.
B) Record the location that the computer was recovered from.
C) Record the identity of the person(s) involved in the seizure.
D) Record the date and time the computer was seized.

A) moved
B) wiped
C) deleted and wiped
D) deleted

A) C : \ Personnel Folders
B) C : \ WINNT\Profiles
C) C : \ Windows\Users
D) C : \ Documents and Settings

A) This is the folder that will be automatically selected when the copy/unerase feature is used.
B) This is the folder that will automatically store an evidence file when the acquisition is made in DOS.
C) This is the folder that temporarily stores all bookmark and search results.
D) This is the folder used to hold copies of files that are sent to external viewers.

A) (800) 555-1212
B) 800-555 1212
C) 8005551212
D) 800.555.1212

A) External viewers
B) Pointers to evidence files
C) Signature analysis results
D) Search results

A) Tomorrow
B) TomJ@hotmail.com
C) Tom
D) Stomp
E) None of the above

A) Red
B) Red on black
C) Black
D) Black on red

A) A group of hash libraries organized by category.
B) A group of hash values that can be added to the hash library.
C) A table of file headers and extensions.
D) Both a and b.

A) Will compute a hash value of the evidence file and begin a verification process.
B) Will generate a hash set for every file in the case.
C) Will compare the hash value of the files in the case to the hash library.
D) Will create a hash set to the user specifications.

A) 32 bit
B) 256 bit
C) 64 bit
D) 128 bit

A) Meth
B) Meth Speed
C) Speed and Meth
D) Speed

A) The presence and location of the files is strong evidence the suspect committed the crime.
B) The presence and location of the files is not strong evidence the suspect committed the crime.

A) The evidence file
B) The case file
C) The configuration HashAnalysis.ini file
D) All of the above

A) The user utilizes a text editor.
B) The case information cannot be changed in an evidence file, without causing the verification feature to report an error.
C) The user utilizes the case information editor within EnCase.
D) The evidence file is reacquired.

A) can
B) cannot

A) 16
B) 4
C) 2
D) 8

A) A clone of the source hard drive.
B) A sector-by-sector copy of the source hard drive written to the corresponding sectors of the target hard drive.
C) A bit stream image of the source hard drive written to a file, or several file segments.
D) A bit stream image of the source hard drive written to the corresponding sectors of the target hard drive.

A) Master file table
B) Volume boot device
C) Volume boot sector or record
D) Master boot record

A) Execute the POST during start-up.
B) Temporarily store electronic data that is being processed.
C) Permanently store electronic data.
D) Establish a connection with external devices.