You are investigating a case involving fraud. You seized a computer from a suspect who stated that the computer is not used by anyone other than himself. The computer has Windows 98 installed on the hard drive. You find the filename C : \ downloads\check01. jpg that EnCase shows as being moved. The starting extent is 0C4057. You find another filename C : \ downloads\chk1.dll with the starting extent 0C4057, which EnCase also shows as being moved. In the C : \ windows\System folder you find an allocated file named chk1.dll with the starting extent 0C4057. The chk1.dll file is a JPEG image of a counterfeit check. Could this information be used to refute the suspect claim that he never knew it was on the computer?
A) Yes, because the chk1.dll file was moved and renamed.
B) No, because the Windows operating system likely moved and renamed the chk1.dll file during disk maintenance.
C) No, because the chk1.dll file has no evidentiary value.
D) Yes, because the ch1.dll is all the evidence required to prove the case.
Correct Answer:
Verified
Q48: If cluster number 10 in the FAT
Q49: Which of the following selections is NOT
Q50: You are working in a computer forensic
Q51: To undelete a file in the FAT
Q52: By default, what color does EnCase use
Q54: A SCSI host adapter would most likely
Q55: To later verify the contents of an
Q56: Assume that MyNote.txt has been deleted. The FAT
Q57: When Unicode is selected for a search
Q58: Select the appropriate name for the highlighted
Unlock this Answer For Free Now!
View this answer and more for free by performing one of the following actions
Scan the QR code to install the App and get 2 free unlocks
Unlock quizzes for free by uploading documents