Summer Special Limited Time 65% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: exc65

examout.co

In the FAT file system, the size of a deleted file can be found:

A.

In the FAT

B.

In the directory entry

C.

In the file footer

D.

In the file header

In DOS and Windows, how many bytes are in one FAT directory entry?

A.

Variable

B.

32

C.

16

D.

64

E.

8

Temp files created by EnCase are deleted when EnCase is properly closed.

A.

True

B.

False

If a hash analysis is run on a case, EnCase:

A.

Will compute a hash value of the evidence file and begin a verification process.

B.

Will generate a hash set for every file in the case.

C.

Will compare the hash value of the files in the case to the hash library.

D.

Will create a hash set to the user specifications. Will create a hash set to the user?specifications.

The following keyword was typed in exactly as shown. Choose the answer(s) that would be found. All search criteria have default settings. Tom

A.

Tomorrow

B.

TomJ@hotmail.com

C.

Tom

D.

Stomp

EnCase can build a hash set of a selected group of files.

A.

True

B.

False

Which of the following is found in the FileSignatures.ini configuration file

A.

The results of a hash analysis

B.

The information contained in the signature table

C.

The results of a signature analysis

D.

Pointers to an evidence file

A hard drive has 8 sectors per cluster. File Mystuff.doc has a logical file size of 13,000 bytes. How many clusters will be used by Mystuff.doc?

A.

4

B.

1

C.

2

D.

3

The EnCase evidence file logical filename can be changed without affecting the verification of the acquired evidence.

A.

True

B.

False

How does EnCase verify that the evidence file contains an exact copy of the suspect hard drive? How does

EnCase verify that the evidence file contains an exact copy of the suspect's hard drive?

A.

By means of a CRC value of the suspect hard drive compared to a CRC value of the data stored in the evidence file.By means of a CRC value of the suspect? hard drive compared to a CRC value of the data stored in the evidence file.

B.

By means of an MD5 hash of the suspect hard drive compared to an MD5 hash of the data stored in the evidence file.By means of an MD5 hash of the suspect? hard drive compared to an MD5 hash of the data stored in the evidence file.

C.

By means of a CRC value of the evidence file itself.

D.

By means of an MD5 hash value of the evidence file itself.