ENCE Study Questions Chapter 1-5

Author: HorneK
Updated: 2014-05-17 20:26:34
Tags: ENCE
Description: Questions to help you study for the Certification.

The flashcards below were created by user HorneK on FreezingBlue Flashcards.


  1. What is the definition of a CPU?

    A. The physical computer case that contains all of its internal components.

    B. The computer's internal hard drive. 

    C. A part of the computer whose function is to perform data processing. 

    D. A part of the computer that stores and manages memory.
    C. A part of the computer whose function is to perform data processing

    (C1)
  2. What is the BIOS?

    A. Basic Input Operating System
    B. Boot-level Input Output System
    C. Boot Initialization Operating System
    D. Bootstrap Initialization Operating System
    A. BIOS stands for Basic Input Output System and consists of all the low-level software that is the interface between the system hardware and its operating system.  It loads, typically, from three sources: the ROM/BIOS on the motherboard; the various BIOS ROMs on the video cards, SCSI cards, and so forth; and finally, the device drivers.

    (C1)
    (this multiple choice question has been scrambled)
  3. What is the definition of POST?

    A. A set of computer sequences the operating system executes upon a proper shutdown.
    B. A diagnostic test of the computer's hardware and software for presence and operability during the boot sequence prior to running the operating system.
    C. A diagnostic test of the computer's software for presence and operability during the boot sequence prior to running the operating system.
    D. A diagnostic test of the computer's hardware for presence and operability during the boot sequence prior to running the operating system.
    D.  Power On Self Test is a diagnostic test of the computer's hardware, such as the motherboard, memory, CD-ROM, and so forth.  POST does not test the computer's software.

    (C1)
    (this multiple choice question has been scrambled)
  4. Is the information stored on a computer's ROM chip lost during a proper shutdown?

    A. Yes
    B. No
    B. No. Information contained on a ROM chip (read-only memory) is not lost after the computer has been shut down.

    (C1)
  5. Is the information contained on a computer's RAM chip accessible after a proper shutdown?

    A. Yes
    B. No
    B. No. Unlike a ROM chip, information contained on a computer's RAM chip is not readily accessible after a proper shutdown.

    (C1)
  6. Can information stored in the BIOS ever change?

    A. Yes
    B. No
    A. Although not very common, information stored in the BIOS can change, such as when the BIOS needs to be upgraded to support new hardware.

    (C1)
  7. What is the function of a computer's ROM chip?

    A. A portable storage device.
    B. Permanent storage area for programs and files.
    C. Long-term or permanent storage of information and instructions.
    D. Temporary storage area to run applications.
    C. Read-only memory (ROM) contains information about the computer, such as hardware configuration.  Unlike RAM, the information is not lost once power is disconnected.

    (C1)
    (this multiple choice question has been scrambled)
  8. Information contained in RAM memory (system's main memory), which is located on the motherboard, is _____.

    A. volatile
    B. nonvolatile
    A. Information contained in RAM memory is considered volatile, which means the data is lost after the computer has been disconnected.


    (C1)
  9. What is the maximum number of drive letters assigned to hard drive(s) partitions on a system?

    A. 4
    B. 16
    C. 24
    D. Infinity
    C. The answer is 24 drive letters (C-Z), with drive letters A and B reserved for floppy drives.

    (C1)
    (this multiple choice question has been scrambled)
  10. The smallest area on a drive that data can be written to is a ______, while the smallest area on a drive that a file can be written to is a ____.

    A. volume and drive
    B. bit and byte
    C. sector and cluster
    D. memory and disk
    C. Data is written to sectors, and files are written to clusters.

    (C1)
    (this multiple choice question has been scrambled)
  11. The size of a physical hard drive can be determined by which of the following?

    A. The cylinder x head x sector x 512 bytes
    B. Adding the total size of partitions
    C. The cylinder x head x sector
    D. Both B and C
    E. The total LBA sectors x 512 bytes
    D.  Multiplying C, H, and S gives the total amount of sectors in older systems if the number of sectors per track is constant.  When it's not, total LBA sectors give total sectors.  Multiplying the total number of sectors from the appropriate method by 512 bytes per sector gives the total number of bytes for the physical drive.  Adding up the total size of partitions does not include areas outside the partitions, such as unused disk area.

    (C1)
    (this multiple choice question has been scrambled)
  12. Which is not considered exclusively an output device?

    A.  Printer
    B.  Speaker
    C.  CD-RW drive
    D.  Monitor
    C. A CD-RW (rewritable) drive is both an input and output device, as opposed to a CD drive, which only reads and inputs data to the computer system.

    (C1)
    (this multiple choice question has been scrambled)
  13. The electrical pathway used to transport data from one computer component to another is called what?

    A.  BIOS
    B.  RAM
    C.  Bus
    D.  CMOS
    C. A bus performs two functions: it transports data from one place to another and directs the information where to go.

    (C1)
    (this multiple choice question has been scrambled)
  14. What is the main component of a computer to which essential internal devices such as CPU, memory chips, and other chipsets are attached?

    A.  Motherboard
    B.  BIOS
    C.  Expansion card
    D.  Processor
    A.  The motherboard is the main circuit board used to attach internal hardware devices to its connectors.

    (C1)
    (this multiple choice question has been scrambled)
  15. IDE, SCSI and SATA are different types of interfaces describing what devices?

    A.  RAM chips
    B.  CPUs
    C.  Hard drives
    D.  Flash memory
    C. Integrated Drive Electronics (IDE), Small Computer System Interface (SCSI), and Serial Advanced Technology Attachment (SATA) describe different hard drive interfaces.

    (C1)
    (this multiple choice question has been scrambled)
  16. What do the terms Master, Slave and Cable Select refer to?

    A.  Cable types for external hardware
    B.  Jumper settings for internal expansion cards.
    C.  External SCSI devices
    D.  Jumper settings for internal hardware such as IDE hard drives and CD drives.
    D. Master, Slave, and Cable Select are settings for internal devices such as IDE hard drives and CD drives to identify and differentiate the devices on the same channel.

    (C1)
    (this multiple choice question has been scrambled)
  17. What can you assume about a hard drive that is pinned as CS?

    A.  It's an IDE drive.
    B.  It's a SATA drive.
    C.  It's a SCSI drive.
    D.  All of the above.
    A.  It's an IDE drive.  SATA and SCSI hard drives do not require jumper setting configurations.

    (C1)
  18. What is found at Cylinder 0, Head 0, Sector 1 on a hard drive?

    A.  Master boot record
    B.  Volume boot record
    C.  Master file table
    D.  Volume boot sector
    A.  The master boot record is always located at the first physical sector on a hard drive.  This record stores key information about the drive itself, such as the master partition table and master boot code.

    (C1)
    (this multiple choice question has been scrambled)
  19. What is the first sector on a volume called?

    A.  Volume boot device
    B.  Master boot record
    C.  file allocation table
    D.  Volume boot record or sector
    D.  The first sector on a volume is called the volume boot record or volume boot sector.  This sector contains the disk parameter block and volume boot code.

    (C1)
    (this multiple choice question has been scrambled)
  20. Which of the following is incorrect?

    A.  The partition table is contained within the MBR and consists of a total of 16 bytes, which describes up to four partitions using 4 bytes each to do so.
    B.  A file system is a system or method of storing and retrieving data on a computer system that allows for a hierarchy of directories, subdirectories, and files.
    C.  The VBR is typically written when the drive is high-level formatted with a utility such as format.
    D.  The MBR is typically written when the drive is partitioned with FDISK or DISKPART.
    A.  All are true statements, except for a portion of D.  The partition table is contained within the MBR and consists of a total of 64 bytes, not 16 bytes, which describes up to four partitions using 16 bytes each to do so, not 4 bytes each.

    (C1)
    (this multiple choice question has been scrambled)
  21. On a FAT file system, FAT is defined as which of the following?

    A.  A table consisting of filenames, deleted filenames, and their attributes.
    B.  A table created during the format that the operating system reads to locate data on a drive.
    C.  A table consisting of filenames and file attributes.
    D.  A table consisting of a master boot record and logical partitions.
    B.  The file allocation table is created by the file system during format and contains pointers to clusters located on a drive.

    (C2)
    (this multiple choice question has been scrambled)
  22. How does a corrupted sector located in the data area of a hard drive affect the corresponding cluster number on a FAT in a FAT file system?

    A.  It does affect the FAT.  The corresponding cluster number is marked as bad: however, only the corrupted sector within the cluster is prevented from being written to.
    B.  It does affect the FAT.  The corresponding clusters number is marked as bad, and the entire cluster is prevented from being written to.
    C.  It does not affect the corresponding cluster number on a FAT; therefore, the rest of the sectors associated with the assigned cluster can still be written to.
    D.  It does not affect the corresponding cluster number on a FAT; only the corrupted portion of the sector is prevented from being written to.
    B.  When the FAT marks a cluster as being bad, the entire cluster is prevented from being written to.

    (C2)
    (this multiple choice question has been scrambled)
  23. Which of the following describes a partition table?

    A.  It is located at cylinder 0, head 0, sector 1
    B.  It is located in the master boot record.
    C.  It keeps track of the partitions on the hard drive.
    D.  All of the above.
    D.  A partition table is located in the master boot record and is always located in the very first sector of a physical drive.  The partition table keeps track of the partitions located on the physical drive.

    (C2)
  24. Which selection keeps track of a fragmented file in a FAT (not exFAT) file system?

    A.  Volume boot record
    B.  Master file table
    C.  Directory structure
    D.  File Allocation Table
    D.  The FAT assigns numbers to each cluster entry pointing to the next cluster in the cluster run until the last cluster is reached, which is marked as EOF.

    (C2)
    (this multiple choice question has been scrambled)
  25. If the FAT, in a FAT file system, lists cluster number 2749 with a value of 0, what does this mean about this specific cluster?

    A.  It is marked as bad and cannot be written to.
    B.  It is unallocated and is available to store data.
    C.  It is blank and contains no data.
    D.  It is allocated to a file.
    B.  When the FAT marks a cluster as 0, it is in unallocated clusters, which means it is freely available to store data.

    (C2)
    (this multiple choice question has been scrambled)
  26. Which of the following is true about a volume boot record?

    A.  It contains BIOS parameter block and volume boot code.
    B.  It is always located at the first sector of its logical partition.
    C.  Both A and C.
    D.  It immediately follows the master boot record.
    C.  The volume boot record is always located at the first sector of its logical partition and contains the BIOS parameter block and volume boot code.

    (C2)
    (this multiple choice question has been scrambled)
  27. The NTFS file system does which of the following?

    A.  Support long filenames
    B.  Compresses individual files and directories
    C.  Supports large file sizes in excess of 4 GB
    D.  All of the above.
    D.  The NTFS file system supports long filenames, compresses files and directories, and supports file sizes in excess of 4 GB.

    (C2)
  28. How many clusters can a FAT32 file system manage?

    A.  2^32 = 4,294,967,296 clusters
    B.  2 x 28 = 56 clusters
    C.  2^28 = 268,435,456 clusters
    D.  2 x 32 = 64 clusters
    C.  A FAT32 file system theoretically allows up to 2^28 = 268,435,456 clusters.  The extra 4 bits are reserved by the file system, however, and there is an MBR-imposed limit of 67,092,481 clusters, which means FAT32 is capable of supporting a partition size of 2 terabytes.

    (C2)
    (this multiple choice question has been scrambled)
  29. In a FAT file system, the FAT tracks the ______ while the directory entry tracks the ______.

    A. The filename and file size
    B.  The file's last cluster (EOF) and file's starting cluster.
    C.  The file size and file fragmentation.
    D.  The file's starting cluster and file's last cluster (EOF)
    B.  The FAT tracks the location of the last cluster for a file (EOF), while the directory entry maintains the file's starting cluster number.

    (C2)
    (this multiple choice question has been scrambled)
  30. How many copies of the FAT does each FAT32 volume maintain in its default configuration?

    A.  Four
    B.  Two
    C.  Three
    D.  One
    B.  Each volume maintains two copies (one for backup): FAT1 and FAT2.
    (this multiple choice question has been scrambled)
  31. Which of the following is not true regarding the NTFS file system?

    A.  Data that is stored in clusters is called nonresident data.
    B.  Cluster allocation is traced in the File Allocation Table (FAT).
    C.  Data for very small files can be stored in the MFT itself and is referred to as resident data.
    D.  Cluster allocation is tracked in the $Bitmap file.
    B.  A, C, and D are all true statements regarding NTFS; however, there is no FAT in an NTFS file system.  The FAT is an element of the FAT file system.

    (C2)
    (this multiple choice question has been scrambled)
  32. A file's physical size is which of the following?

    A.  The number of bytes in the logical file plus all slack space from the end of the logical file to the end of the last cluster.
    B.  Both A and B
    C.  Always greater than the file's logical size.
    D.  None of the above.
    A.  A file's physical size is the number of bytes to the end of the last cluster, and a file's logical size is the number of bytes that the actual file contains.  A file's physical size can be the same as its logical size.

    (C2)
    (this multiple choice question has been scrambled)
  33. A directory entry in a FAT file system has a logical size of which of the following?

    A.  8 bytes
    B.  0 bytes
    C.  16 bytes
    D.  One sector
    B.  A directory entry in a FAT file system has no logical size.

    (C2)
    (this multiple choice question has been scrambled)
  34. Each directory entry in a FAT file system is _____ bytes in length.

    A.  16
    B.  32
    C.  8
    D.  0
    B.  In a FAT file system, each directory entry is 32 bytes in length.

    (C2)
    (this multiple choice question has been scrambled)
  35. By default, what color does EnCase use to display directory entries within a directory structure?

    A.  Red
    B.  Yellow
    C.  Gray
    D.  Black
    A.  Because directory entries are just names with no logical size and because they do not contain any actual data, EnCase displays the information in red.

    (C2)
    (this multiple choice question has been scrambled)
  36. What is the area between the end of a file's logical size and the file's physical size called?

    A.  Unallocated clusters
    B.  Unallocated sectors
    C.  Unused disk area
    D.  Slack space
    D.  The area between a file's logical size and its physical size is commonly referred to as slack space.

    (C2)
    (this multiple choice question has been scrambled)
  37. What three things occur when a file is created in a FAT32 file system?

    A.  The directory entry for the file is created, the number of clusters is assigned by the directory structure, and the file's data is filled into the FAT.
    B.  The directory structure maintains the amount of clusters needed, the file's name is recorded in the FAT, and the file's data is filled into the assigned clusters.
    C.  The filename is entered into the FAT, the directory structure assigns the number of clusters, and the file's data is filled into the assigned clusters.
    D.  The directory entry for the file is created, the FAT assigns the necessary clusters to the file, and the file's data is filled into the assigned clusters.
    D.  The directory structure records the file's information, the FAT tracks the number of clusters allocated to the file, and the file's data is filled into the assigned clusters.

    (C2)
    (this multiple choice question has been scrambled)
  38. How does EnCase recover a deleted file in a FAT file system?

    A.  It reads the deleted filename in the directory entry and searches for the corresponding filename in unallocated clusters.
    B.  It obtains the deleted file's starting cluster number and size from the FAT to locate the starting location and number of clusters needed.
    C.  It obtains the deleted file's starting cluster number and size from the directory entry to obtain the data's starting location and number of clusters required.
    D.  It reads the deleted filename in the FAT and searches for the file by its starting cluster number and logical size.
    C.  EnCase recovers deleted files by first obtaining the file's starting cluster number and its size from the directory entry.  Then, EnCase determines the number of clusters needed based on the file's size and attempts to recover the data from the starting extent through the number of clusters needed.

    (C2)
    (this multiple choice question has been scrambled)
  39. What does EnCase do when a deleted file's starting cluster number is assigned to another file?

    A.  EnCase reads the entire existing data as belonging to the deleted file.
    B.  EnCase does not display a deleted filename when the data has been overwritten.
    C.  EnCase reads only the amount of data from the existing file that is associated with the deleted file.
    D.  EnCase marks the deleted file as being overwritten.
    D.  When EnCase determines that the starting cluster listed in the FAT has been reassigned to an existing file, it reports the previously deleted file as being overwritten.

    (C2)
    (this multiple choice question has been scrambled)
  40. Which of the following is not true regarding the exFAT file system?

    A.  When a file is deleted, the corresponding entries in the File Allocation Table (FAT) are reset or zeroed out.
    B.  Cluster allocation is tracked in an allocation bitmap.
    C.  Cluster allocation is tracked in the File Allocation Table (FAT).
    D.  An entry in the FAT of 00 00 00 00 means that the FAT is not tracking allocation for this file.
    C.  All are true regarding exFAT except A, since cluster allocation is not tracked by the FAT but rather by an allocation bitmap.

    (C2)
    (this multiple choice question has been scrambled)
  41. What is the first consideration when responding to a scene?

    A.  Your safety
    B.  Documentation
    C.  The safety of others
    D.  The preservation of evidence
    A.  Without consideration for your own personal safety, none of the other considerations can be accomplished.

    (C3)
    (this multiple choice question has been scrambled)
  42. What are some variables regarding a facility that you should consider prior to responding to a scene?

    A. What type of structure is it?
    B.  How large is the structure?
    C.  What are the hours of operation?
    D.  Is there a  helpful person to aid in your task?
    E.  All of the above.
    E.  When responding to a facility, your most helpful ally is prior knowledge of the location, its hours of activity, and the people who occupy it.

    (C3)
  43. What are some variables regarding items to be seized that you should consider prior to responding to a scene?

    A.  Location(s) of computers
    B.  Type of operating system
    C.  Workstations or mainframes
    D.  System-critical or auxiliary machine
    E.  All of the above
    E. When responding to a facility, having prior knowledge of the types of functions of the computers and their locations will help reduce any unforeseen complications, thus easing the task.

    (C3)
  44. Generally speaking, if you encounter a desktop computer running Windows 7, how should you take down the machine?

    A.  Shut down by pulling the plug from the computer box.
    B.  Shut down using Windows 7.
    C.  Shut down by pulling the power cord from the outlet.
    D.  All of the above.
    A.  Pulling the plug on a workstation, unlike doing so on a server, will not lose any critical information.

    (C3)
    (this multiple choice question has been scrambled)
  45. Generally speaking, if you encounter a computer running Windows 2008 Server, how should you take down the machine?

    A.  Shut down by pulling the plug from the computer box.
    B.  Shut down using its operating system.
    C.  Shut down by pulling the power cord from the outlet.
    D.  All of the above.
    B.  Unlike with a Windows desktop computer, certain information may not be recovered if a server is not properly shut down.  It is best to properly shut down a Windows server and document your actions.

    (C3)
    (this multiple choice question has been scrambled)
  46. Generally speaking, if you encounter a Unix/Linux machine, how should you take down the machine?

    A.  Shut down by pulling the power cord from the outlet.
    B.  Shut down using its operating system.
    C.  Shut down by pulling the power cord from the computer box.
    D.  All of the above.
    B.  Unix/Linux machines can store critical information that may be lost if the machine is improperly shut down.

    (C3)
    (this multiple choice question has been scrambled)
  47. When unplugging a desktop computer, from where is it best to pull the plug?

    A.  A or B
    B.  The wall outlet
    C.  The back of the computer
    C.  When unplugging a desktop computer, it is best to unplug the power cord from the back of the computer at the power supply.  Unplugging a cord from an outlet connected to an uninterruptible power supply (UPS) will not shut down the computer.

    (C3)
    (this multiple choice question has been scrambled)
  48. What is the best method to shut down a notebook computer?

    A.  Unplug from the back of the computer.
    B.  Remove the battery.
    C.  Unplug from the wall.
    D.  Both A and C
    D.  Removing both the power cord (AC) and the battery (DC) will ensure that no electricity is being fed to the computer.

    (C3)
    (this multiple choice question has been scrambled)
  49. Generally speaking, if you encounter a Macintosh computer, how should you take down the machine?

    A.  Shut down by pulling the power cord from the outlet.
    B.  Shut down by pulling the plug from the computer box.
    C.  Shut down using the operating system.
    D.  All of the above.
    B.  A MAC should generally be shut down by pulling the power plug from the back of the computer.

    (C3)
    (this multiple choice question has been scrambled)
  50. Which selection displays the incorrect method for shutting down a computer?

    A.  DOS: Pull the plug.
    B.  Windows 7:  Pull the plug.
    C.  Windows XP:  Pull the plug.
    D.  Linux:  Pull the plug.
    D.  The best way to shut down a Linux/Unix system is to perform a proper shutdown using the operating system.

    (C3)
  51. When shutting down a computer, what information is typically lost?

    A.  Data in RAM memory
    B.  Running processes
    C.  Current network connections
    D.  Current logged-in users
    E.  All of the above.
    E.  When the system is shut down normally or the plug is pulled, all the other live system-state data mentioned is lost.
  52. Which of the following is not acceptable for "bagging" a computer workstation?

    A.  Plastic garbage bag.
    B.  Brown wrapping paper.
    C.  Large paper bag.
    D.  Large antistatic plastic bag.
    E.  All of the above are acceptable for bagging a workstation.
    A.  A plastic garbage bag has properties that are conducive to static electricity discharge, which could damage sensitive computer components, including media.

    (C3)
    (this multiple choice question has been scrambled)
  53. In which circumstance is pulling the plug to shut down a computer system considered the best practice?

    A.  When the OS is Linux/Unix.
    B.  When the OS is Windows 7 and known to be running a large business database application.
    C.  When the OS is Windows (NT/2000/2003/2008) server.
    D.  When MAC OS X Server is running as a web server.
    E.  None of the above.
    E.  In all circumstances described, the best course of action would be a normal shutdown, and thus pulling the plug is considered best practice for any of these.

    (C3)
  54. How is the chain of custody maintained?

    A.  By bagging evidence and sealing it to protect it from contamination or tampering.
    B.  By documenting what, when, where, how, and by whom evidence was seized.
    C.  By documenting in a log the circumstances under which evidence was removed from the evidence control room.
    D.  By documenting the circumstances under which evidence was subjected to analysis.
    E.  All of the above.
    E.  The evidence steps described here are an important component in maintaining the chain of custody and hence the integrity of the evidence.

    (C3)
  55. It is always safe to pull the plug on a Windows 7 Enterprise operating system.

    A.  True
    B.  False
    B.  In a business setting, anything is possible.  A large business database could be hosted on a Windows 7 Enterprise operating system, as could a number of other critical applications, which include access control systems, critical process control software, life-support systems, life-safety alarm monitoring, and so forth.

    (C3)
  56. On a production Linux/Unix server, you must generally be which user to shut down the system?

    A.  system
    B.  sysadmin
    C.  root
    D.  administrator
    C.  Generally, unless configured otherwise, you must be root to shut down a Linux/Unix system in a production environment.  This prevents a typical user from stopping the system and halting mission-critical computing processes.

    (C3)
    (this multiple choice question has been scrambled)
  57. When would it be acceptable to navigate through a live system?

    A.  To observe the operating system to determine the proper shutdown process.
    B.  To document currently opened files (if Enterprise/FIM edition is not available)
    C.  To detect mounted encryption
    D.  To access virtual storage facility (if search warrant permits; some are very specific about physical location).
    E.  All of the above.
    E. Certain information may not be retrievable after the system has been shut down.  Given that, it is acceptable to access a system to retrieve information of evidentiary value as long as the actions are justified, documented, and explained.

    (C3)
  58. A console prompt that displayed backslashes (\) as part of its display would most likely be which of the following?

    A.  MS-DOS
    B.  Unix operating system
    C.  Linux or Unix operating system logged in as root.
    D.  Red Hat Linux operating system
    A.  Microsoft PC operating systems use backslashes (\) for the directory path structure, whereas Linux/Unix uses forward slashes (/) for the same purpose.

    (C3)
    (this multiple choice question has been scrambled)
  59. When called to a large office complex with numerous networked machines, it is always a good idea to request the assistance of the network administrator.

    A.  True
    B.  False
    B.  False. Although most of the time the network administrator knows much more about the computers than the responding examiner and may be of great help, requesting that person's assistance may be detrimental to the investigation if the network administrator is the target of the investigation.  As part of your preplanning, you must determine whether the administrator is part of the problem or part of the solution before you make such an approach.

    (C3)
  60. Subsequent to a search warrant where evidence is seized, what items should be left behind?

    A.  Copy of the search warrant
    B.  List of items seized
    C.  A and B
    D.  copy of the affidavit
    E.  B and C
    E.  Upon leaving the scene of a search, you should leave behind a copy of the signed search warrant and a list of items seized.

    (C3)
    (this multiple choice question has been scrambled)
  61. When acquiring a hard drive using a Linux boot disk with LinEn, what would be the cause of EnCase (LinEn) not detecting partition information?

    A.  The drive has been FDisked and the partition(s) removed.
    B.  The partition(s) are not recognized by Linux.
    C.  Both A and B.
    D.  None of the above.
    C.  When partitions have been removed or the partitions are not recognized by Linux, EnCase still recognizes the physical drive and acquires it as such.

    (C4)
    (this multiple choice question has been scrambled)
  62. LinEn contains a write blocker that protects the target media from being altered.

    A.  True
    B.  False
    B.  LinEn does not have a built-in write blocker.  Rather, it relies upon Linux's automount feature having been disabled.

    (C4)
  63. As a good forensic practice, why would it be a good idea to wipe a forensic drive before reusing it?

    A.  Cross-contamination
    B.  Different file and operating systems
    C.  Chain of evidence
    D.  No need to wipe
    E.  Chain-of-custody
    A.  Although EnCase only examines the contents within the evidence files, it is still good forensic practice to wipe/sterilize each hard drive prior to reusing it to eliminate the argument of possible cross-contamination.

    (C4)
    (this multiple choice question has been scrambled)
  64. If the number of sectors reported by EnCase does not match the number reported by the manufacturer for the drive, what should you do?

    A.  Suspect HPA
    B.  Suspect DCO
    C.  Use Tableau or FastBloc SE to access the sectors protected by HPA or DCO.
    D.  Boot with LinEn in Linux.
    E.  All of the above.
    E.  You should suspect an HPA or a DCO.  Booting with LinEn or using Tableau or FastBloc SE should enable you to see all sectors.

    (C4)
  65. When acquiring digital evidence, why shouldn't the evidence be left unattended in an unsecured location?

    A.  Cross-contamination
    B.  Not an issue
    C.  Chain-of-custody.
    D.  Storage
    C.  Digital evidence must be treated like any other evidence, and a chain of custody must be established to account for everyone who has had access to the property.

    (C4)
    (this multiple choice question has been scrambled)
  66. Which describes an HPA? (Choose all that apply.)

    A.  Stands for Host Protected Area
    B.  Is not normally seen by the BIOS
    C.  Is not normally seen through Direct ATA access
    D.  Was introduced in the ATA-6 specification
    A and B.  HPA stands for Host Protected Area and is not normally seen by the BIOS.  It was introduced in the ATA-4 specification, not ATA-6, and is seen when directly accessed via the Direct ATA mode.

    (C4)
  67. Which describes a DCO?
    A.  Was introduced in the ATA-6 specification.
    B.  Stands for Device Configuration Overlay.
    C.  Is not normally seen by the BIOS.
    D.  It may contain hidden data, which can be seen by switching to the Direct ATA mode in EnCase for DOS.
    E.  All of the above.
    E.  All are correct statements with regard to DCO.

    (C4)
  68. At which user level must the examiner function when using LinEn?

    A.  Any user
    B.  Administrator
    C.  Root
    D.  Admin
    E.  None of the above
    C.  LinEn runs on the Linux OS, and the user must be the root user to successfully work with LinEn.

    (C4)
    (this multiple choice question has been scrambled)
  69. Reacquiring an image and adding compression will change the MD5 value of the acquisition hash.

    A.  True
    B.  False
    B.  False - When reacquiring an image, the MD5 of the original data stream remains the same despite the compression applied.

    (C4)
  70. When reacquiring an image, you can change the name of the evidence.

    A.  True
    B.  False
    B.  False - When reacquiring, you can change the compression, you can add or remove a password, you can change the file segment size, you can change the block and error granularity sizes, or you can change the start and stop sectors.  Other properties can't be changed.

    (C4)
  71. Which of the following should you do when creating a storage volume to hold an EnCase evidence file that will be created with LinEn?  (Choose all that apply.)

    A.  Format the volume with the FAT file system.
    B.  Give the volume a unique label to identify it.
    C.  Wipe the volume before formatting to conform to best practices, and avoid claims of cross-contamination
    D.  Create a directory to contain the evidence file.
    E.  Format the volume with the NTFS file system.
    F.  All of the above.
    F.  All of the above are correct answers.  Linux can read or write to both FAT and NTFS file systems.

    (C4)
  72. In Linux, what describes hdb2? (Choose all that apply.)

    A.  Refers to the primary master
    B.  Refers to the primary slave
    C.  Refers to hard drive number 2
    D.  Refers to the second partition
    E.  Refers to the secondary master
    B and D.  Here, hdb2 refers to the second partition on the primary slave.

    (C4)
  73. In Linux, what describes sdb? (Choose all that apply.)

    A.  Refers to an IDE device
    B.  Refers to a SCSI device
    C.  Refers to USB device
    D.  Refers to FireWire device
    B, C, and D.  Linux will normally name an IDE device hda, hdb, hdc, or hdd, to denote its position on the ATA controller (primary master, primary slave, secondary master, secondary slave, respectively).  sdb is the second SCSI device, and since Linux calls USB or FireWire devices SCSI devices, any of the three (B, C, or D) could be represented by sdb.

    (C4)
  74. When acquiring USB flash memory, you could write-protect it by doing what?

    A.  Engaging the write-protect switch, if equipped.
    B.  Modifying the registry in Windows XP SP2 (or higher) to make the USB read-only
    C.  Using EnBD/ENBCD USB DOS drivers and having EnCase for DOS "lock" the Flash media
    D.  Using LinEn in Linux with automount of file system disabled
    E.  Using FastBloc SE to write block USB, FireWire, SCSI drives
    F.  All of the above
    F.  All are methods of write-protecting USB devices, some arguably better than others, but methods nevertheless.

    (C4)
  75. Which are true with regard to EnCase Portable?  (Choose all that apply?)

    A.  Storage media must be prepared using the Portable Management tool before it can be used by EnCase Portable.
    B.  If booting using the EnCase Portable Boot CD, the EnCase Portable dongle must also be connected so that the license can be accessed.
    C.  EnCase Portable can triage and collect evidence in a forensically sound manner from live machines or do so in a boot mode.
    D.  EnCase Portable can be configured with custom tasks created by the examiner using the Portable Management tool.
    A, B, C, and D.  All of these statements are true regarding EnCase Portable.

    (C4)
  76. LinEn can be run under both Windows and DOS operating systems.

    A.  True
    B.  False
    B.  False - LinEn can't be run under DOS and can't be run under Windows.  Rather, LinEn must be run under the Linux OS.

    (C4)
  77. When using LinEn, the level of support for USB, FireWire, and SCSI devices is determined by what?

    A.  A and B
    B.  The drivers provided with the ENBCD
    C.  The distribution of Linux being used.
    D.  The drivers built into LinEn
    E.  None of the above.
    C.  The level of support for USB, FireWire, SCSI, and other devices is totally dependent on the Linux distribution being used to run LinEn.  For the most support, try to use the latest Linux distribution available.

    (C4)
    (this multiple choice question has been scrambled)
  78. How should CDs be acquired using EnCase?

    A.  DOS
    B.  Windows
    B.  CDs can be safely acquired in the Windows environment.

    (C4)
  79. Select all that are true about EE and FIM.

    A.  They can acquire or preview a system live without shutting it down.
    B.  They can capture live system-state volatile data using the Snapshot feature.
    C.  With EE, the SAVE is on a separate PC, administered by the keymaster.
    D.  With FIM, the SAVE is on the examiner's PC and the keymaster and the examiner are the same person.
    E.  FIM can be licensed to private individuals.
    A, B, C, and D.  A FIM can be licensed only to law enforcement or military customers.  All other statements are correct.

    (C4)
  80. Which of the following are true?  (Choose all that apply.)

    A.  LinEn can format drives to EXT2 or EXT3 format.
    B.  LinEn contains no write-blocking capability.  Rather, write blocking is achieved by disabling the automount feature within the host Linux operating system.
    C.  Before using a target drive onto which to write evidence files, LinEn must be used to unlock the target drive and render it writable.
    D.  LinEn contains its own onboard write-blocking drivers and therefore can be safely run on any version of Linux.
    E.  LinEn can format drives to both NTFS and FAT formats.
    B.  Only B is correct.  LinEn has no onboard drivers for write blocking, relying on the host OS to have its automount feature disabled.  LinEn can't format to any format because formatting is not included with the tool.  EnCase for DOS contained an unlock feature by which the target drive was unlocked for writing.  LinEn contains no such feature.

    (C4)
    (this multiple choice question has been scrambled)
  81. The EnCase evidence file is best described as follows:

    A.  A mirror image of the source device written to a hard drive
    B.  A bitstream image of a source device written to a file or several file segments
    C.  A sector-by-sector image of the source device written to corresponding sectors of a secondary hard drive
    D.  A bitstream image of a source device written to the corresponding sectors of a secondary hard drive
    B.  An EnCase evidence file is a bitstream image of a source device such as a hard drive, CD-ROM, or floppy disk written to a file (.Ex01) or several file segments (.Ex02, .Ex03, and so on).

    (C5)
    (this multiple choice question has been scrambled)
  82. How does EnCase verify the contents of an evidence file, using the default settings?

    A.  EnCase writes an MD5 and/or SHA-1 value for every 64 sectors copied.
    B.  EnCase writes a CRC value for every 32 sectors copied.
    C.  EnCase writes an MD5 and/or SHA-1 hash value for every 32 sectors copied.
    D.  EnCase writes a CRC value for every 64 sectors copied.
    D.  EnCase writes a CRC value for every 64 sectors copied, by default.  If the block size has been increased, the CRC frequency will be adjusted accordingly.

    (C5)
    (this multiple choice question has been scrambled)
  83. What is the smallest file size that an EnCase evidence file can be saved as?
    A.  512 sectors
    B.  1 MB
    C.  30 MB
    D.  54 sectors
    E.  640 MB
    C.  The smallest file size that an EnCase evidence file can be saved as is 30 MB.

    (C5)
    (this multiple choice question has been scrambled)
  84. What is the largest file segment size that an EnCase evidence file can be saved as?

    A.  640 MB
    B.  2 GB
    C.  No maximum limit
    D.  1 GB
    E.  8,796,093,018,112 MB
    E.  The largest file size that an EnCase evidence file can be saved as is now 8,589,934,588 GB with EnCase 7.  Naturally the file system storing the file must support this file size.

    (C5)
    (this multiple choice question has been scrambled)
  85. How does EnCase verify that the evidence file contains an exact copy of the source device?

    A.  By comparing the MD5 hash value (alternatively SHA-1 or both) of the source device to the MD5 hash value (alternatively SHA-1 or both) of the entire evidence file.
    B.  By comparing the CRC value of the source device to the CRC of the entire evidence file.
    C.  By comparing the CRC value of the source device to the CRC of the data stored in the evidence file.
    D.  By comparing the MD5 hash value (alternatively SHA-1 or both) of the source device to the MD5 hash value (alternatively SHA-1 or both) of the data stored in the evidence file.
    D.  EnCase compares the MD5 hash value (alternatively SHA-1 or both) of the source device to the MD5 hash value (alternatively SHA-1 or both) of just the data stored in the evidence file, not the entire contents of the evidence file, such as case information and CRC values of each data block.

    (C5)
    (this multiple choice question has been scrambled)
  86. How does EnCase verify that the case information - such as case number, evidence number, notes, and so on - in an evidence file, has not been damaged or altered after the evidence files has been written?

    A.  EnCase does not verify the case information, because it can be changed at any time.
    B.  EnCase writes a CRC value for the case information and verifies the CRC value when the evidence is added to a case.
    C.  EnCase writes an MD5 value of the case information and verifies the MD5 value when the evidence is added to a case.
    D.  The case file writes a CRC value for the case information and verifies it when the case is opened.
    B.  EnCase calculates a CRC value for the case information, which is verified when the evidence file is added to a case.

    (C5)
    (this multiple choice question has been scrambled)
  87. For an EnCase evidence file to successfully pass the file verification process, which of the following must be true?

    A.  Either the CRC or MD5 hash value (alternatively SHA-1 or both) must verify
    B.  The CRC values must verify.
    C.  The MD5 hash value (alternatively SHA-1 or both) must verify.
    D.  The CRC values and the MD5 hash value (alternatively SHA-1 or both) both must verify.
    D.  When an evidence file is added to a case, EnCase verifies both the CRC and the MD5 hash value (alternatively SHA-1 or both).  All acquisition values (CRC and hashes) must match the recalculated verification values.

    (C5)
    (this multiple choice question has been scrambled)
  88. The MD5 hash algorithm produces a _____ value.

    A.  64 bit
    B.  32 bit
    C.  128 bit
    D.  256 bit
    C.  The MD5 hash algorithm produces a 128-bit value.

    (C5)
    (this multiple choice question has been scrambled)
  89. Regarding the EnCase backup process (EnCase 7.04 and newer), which of the following are true?

    A.  The case file backup is stored with a .cbak extension.
    B.  By default, the backup frequency is every 30 minutes after completion of the previous backup.
    C.  The evidence cache and the case folder are backed up, except for EnCase evidence files and the Temp and Export folders.
    D.  All of the above are correct.
    E.  Only B and C are correct.
    E.  Starting with EnCase 7.04, the backup process has been greatly enhanced and .cbak files are no longer used, making A no longer correct.  Options B and C are true statements regarding the backup process.

    (C5)
  90. If an evidence file has been added to a case and completely verified, what happens if the data area within the evidence file is later altered?

    A.  EnCase will detect the error only if the evidence file is manually reverified.
    B.  EnCase will detect the error when that area of the evidence file is accessed by the user.
    C.  EnCase will allow the examiner to continue to access the rest of the evidence file that has not been changed, but will not allow access to the corrupted or changed block.
    D. All of the above.
    A.  EnCase will no longer (as of v5) detect corrupted data on the fly.  Therefore, EnCase will show and allow corrupted data to be searched, bookmarked, and so on.  Post-verification corruption, although rare, can occur, and therefore every case should be subjected to verification at the end of the case to assure no corruption has occurred.

    (C5)
    (this multiple choice question has been scrambled)
  91. Which of the following aspects of the EnCase evidence file can be changed during a reacquisition of the evidence file?

    A.  Evidence number
    B.  Evidence file size
    C.  Notes
    D. Investigator's name
    B.  The evidence file size can be changed during a reacquire.

    (C5)
    (this multiple choice question has been scrambled)
  92. An evidence file was archived onto five CD-ROMs with the third file segment on disc 3.  Can the content of the third file segment be verified by itself while still on the CD-ROM?

    A.  No.  All evidence file segments must be put back together.
    B.  Yes.  Any evidence file segment can be verified independently by comparing the CRC values.
    B.  EnCase can verify the independent evidence file segments by comparing the CRC values of the data blocks.  This function is accessed from the Tools menu and is called Verify Evidence Files.

    (C5)
  93. Will EnCase allow a user to write data into an acquired evidence file?

    A.  Yes, when adding notes or comments to bookmarks.
    B.  No, data cannot be added to the evidence file after the acquisition is made.
    C.  Yes, when adding search results
    D.  A and B
    B.  EnCase does not write to the evidence file after the acquisition is complete.

    (C5)
    (this multiple choice question has been scrambled)
  94. All investigators using EnCase should run tests on the evidence file acquisition and verification process to do which of the following?

    A.  To further the investigator's understanding of the evidence file
    B.  To give more weight to the investigator's testimony in court
    C.  To verify that all hardware and software is functioning properly
    D.  All of the above
    D.  As with any forensic tool, the investigator should test the tools to better understand how the tool performs and to verify that it is functioning properly.

    (C4)
  95. When a noncompressed evidence file is acquired with compression, the acquisition and verification hash values for the evidence file will remain the same for both files.

    A.  True
    B.  False
    A.  True.  Compressing an evidence file does not change its MD5 and/or SHA-1 hash value(s).

    (C5)
  96. The Ex01 evidence file format consists of three parts, which are the Ev2 Header, Data, and CRC record.

    A.  True
    B.  False
    B.  False.  The three parts are the Ev2 Header, Data, and Link Record.  There is no such part called CRC record.

    (C5)
  97. The EnCase evidence file's logical filename can be changed without affecting the verification of the acquired evidence.

    A.  True
    B.  False
    A.  True.  An EnCase evidence file's logical filename can be renamed without affecting the verification of the acquired evidence.

    (C5)
  98. An evidence file can be moved to another directory without changing the file verification.

    A.  True
    B.  False
    A.  True.  EnCase evidence files can be moved without affecting the file verification.

    (C5)
  99. What happens when EnCase attempts to reopen a case once the evidence file has been moved?

    A.  EnCase prompts for the location of the evidence file.
    B.  EnCase reports that the file's integrity has been compromised and renders the file useless.
    C.  EnCase opens the case, excluding the moved evidence file.
    D.  EnCase reports a different hash value for the evidence file.
    A.  When an evidence file has moved from the previous path, EnCase will prompt for the new location of the evidence file.

    (C5)
    (this multiple choice question has been scrambled)
  100. During reacquisition, you can change which of the following? (Choose all that apply.)

    A.  Block size and error granularity
    B.  Add or remove a password
    C.  Investigator's name
    D.  Compression
    E.  File segment size
    A, B, D, and E.  All may be changed during the reacquisition with the exception of the investigator's name.

    (C5)