A hard drive has been formatted as NTFS and Windows XP was installed. The user used fdisk to remove all partitions from that drive. Nothing else was done. You have imaged the drive and have opened the evidence file with EnCase. What would be the best way to examine this hard drive?
A) Use the add Partition feature to rebuild the partition and then examine the system.
B) EnCase will not see a drive that has been fdisked.
C) Conduct a physical search of the hard drive and bookmark any evidence.
D) Use the Recovered Deleted Partitions feature and then examine the system.
Correct Answer:
Verified
Q92: GREP terms are automatically recognized as GREP
Q93: You are working in a computer forensic
Q94: In DOS acquisition mode, if a physical
Q95: The FAT in the File Allocation Table
Q96: RAM is an acronym for:
A) Random Addressable
Q97: How does EnCase verify that the case
Q98: The term signature and header as they
Q99: By default, what color does EnCase use
Q101: Assume that an evidence file is added
Q102: To undelete a file in the FAT
Unlock this Answer For Free Now!
View this answer and more for free by performing one of the following actions
Scan the QR code to install the App and get 2 free unlocks
Unlock quizzes for free by uploading documents