This question addresses the EnCase for Windows search process. If a target word is within a logical file, and it begins in cluster 10 and ends in cluster 15 (the word is fragmented), the search:

A. Will not find it because the letters of the keyword are not contiguous.
B. Will not find it unless File slack is checked on the search dialog box.
C. Will find it because EnCase performs a logical search.
D. Will not find it because EnCase performs a physical search only.

In Windows 2000 and XP, which of the following directories contains user personal folders?

A. C:\Windows\Users
B. C:\Personnel Folders
C. C:\Documents and Settings
D. C:\WINNT\Profiles

A file extension and signature can be manually added by:

A. Using the new set feature under hash sets.
B. Using the new file signature feature under file signatures.
C. Using the new library feature under hash libraries.
D. Right-clicking on a file and selecting add.

Search results are found in which of the following files?

A. The case file
B. The configuration Searches.ini file
C. The evidence file
D. All of the above

If cluster number 10 in the FAT contains the number 55, this means:

A. That there is a cross-linked file.
B. That cluster 10 is used and the file continues in cluster number 55.
C. The cluster number 55 is the end of an allocated file.
D. That the file starts in cluster number 55 and continues to cluster number 10.

If an evidence file has been added to a case and completely verified, what happens if the data area within the evidence file is later changed?

A. EnCase will detect the error when that area of the evidence file is accessed by the user.
B. EnCase will detect the error if the evidence file is manually re-verified.
C. EnCase will allow the examiner to continue to access the rest of the evidence file that has not been changed.
D. All of the above.

RAM is tested during which phase of the power-up sequence?

A. Pre-POST
B. During POST
C. After POST
D. None of the above.

Which of the following selections would be used to keep track of a fragmented file in the FAT file system?

A. The File Allocation Table
B. The directory entry for the fragmented file
C. The partition table of extents
D. All of the above

You are conducting an investigation and have encountered a computer that is running in the field. The operating system is Windows XP. A software program is currently running and is visible on the screen. You should:

A. Photograph the screen and pull the plug from the back of the computer.
B. Navigate through the program and see what the program is all about, then pull the plug.
C. Pull the plug from the back of the computer.
D. Pull the plug from the wall.

A hard drive was imaged using EnCase. The original drive was placed into evidence. The restore feature was used to make a copy of the original hard drive. EnCase verifies the restored copy using:

A. An MD5 hash
B. A 32-bit CRC
C. A running log
D. Nothing. Restored volumes are not verified.