GD0-110 Certification Exam for EnCE Outside North America Questions and Answers

No. The images could be in an image format not viewable inside EnCase.

No. The images could be located a compressed file.

No. The images could be embedded in a document.

No. The images could be in unallocated clusters.

All of the above.

A clone of the source hard drive.

A sector-by-sector copy of the source hard drive written to the corresponding sectors of the target hard drive.

A bit stream image of the source hard drive written to the corresponding sectors of the target hard drive.

A bit stream image of the source hard drive written to a file, or several file segments.

The settings in the case file.

The setting in the evidence file.

The settings in the FileTypes.ini file.

Both a and b.

C:\Windows\Temp

C:\Windows\Temporary Internet files

C:\Windows\History\Email

C:\Windows\Online\Applications\email

May be done by anyone because it is a relatively simple procedure.

May only be done by trained personnel because the process has the potential to alter the original evidence.

May only be done by computer scientists.

Should be done by the user, as they are most familiar with the hard drive.

True

False

Avoid making any changes to the original evidence.

Make any changes to the evidence that will further the investigation.

Both a and b

Neither a or b

Tom

Jones

Tom Jones

tom jones

C:\Windows\Users

C:\Personnel Folders

C:\Documents and Settings

C:\WINNT\Profiles

Photograph the screen and pull the plug from the back of the computer.

Navigate through the program and see what the program is all about, then pull the plug.

Pull the plug from the back of the computer.

Pull the plug from the wall.

256

1024

16,384

65,536

3

15

30

60

A file containing hash values from one or more selected hash sets.

A master table of file headers and extensions.

A list of the all the MD5 hash values used to verify the evidence files.

Both a and b.

Use an EnCase DOS boot disk to conduct a text search for child porn

Use FastBloc or a network/parallel port cable to acquire forensic images of the hard drives, then search the evidence files for the previously identified images.

Use FastBloc or a network/parallel port cable to preview the hard drives. Go to the Gallery view and search for the previously identified images.

Use FastBloc or a network/parallel port cable to preview the hard drives. Conduct a hash analysis of the files on the hard drives, using a hash library containing the hash values of the previously identified images.

Record the location that the computer was recovered from.

Record the identity of the person(s) involved in the seizure.

Record the date and time the computer was seized.

Record nothing to avoid inaccuracies that might jeopardize the use of the evidence.

Black

Red

Black on red

Red on black

By sorting on the signature column in the table view.

By sorting on the hash library column in the table view.

By sorting on the hash sets column in the table view

By sorting on the category column in the table view.

any part of the file

all of the file

the starting cluster of the file

the directory entry for the file

True

False

This is the folder that will automatically store an evidence file when the acquisition is made in DOS.

This is the folder that temporarily stores all bookmark and search results.

This is the folder used to hold copies of files that are sent to external viewers.

This is the folder that will be automatically selected when the copy/unerase feature is used.

The cluster is allocated

The cluster is unallocated

The cluster is marked bad

The cluster is the end of a file

Pointers to an evidence file

The results of a signature analysis

The results of a hash analysis

The information contained in the signature table

True

False