GD0-100 Certification Exam For ENCE North America Questions and Answers

True

False

Pull the plug from the back of the computer.

Turn it off with the power button.

Pull the plug from the wall.

Shut it down with the start menu.

True

False

From the My Pictures directory

From the My Documents directory

From the root directory c:\

From itself

The data taken from the starting cluster to the end of the last cluster that is occupied by the file.

A file including any RAM and disk slack.

A file including only RAM slack.

The data from the beginning of the starting cluster to the length of the file.

C X H + S

C X H X S + 512

C X H X S X 512

C X H X S

Will not find it because the letters of the keyword are not contiguous.

Will not find it because EnCase performs a physical search only.

Will find it because EnCase performs a logical search.

Will not find it unlessile slack?is checked on the search dialog box. Will not find it unless ?ile slack?is checked on the search dialog box.

An add-in card that handles allRAM.

Any circuit board, regardless of its function.

The main circuit board that has slots for the microprocessor, RAM, ROM, and add-in cards.

An add-in card that controls all hard drive activity.

EnCase reports that the file integrity has been compromised and renders the file useless. EnCase reports that the file integrity has been compromised and renders the file useless.

EnCase opens the case, excluding the moved evidence.

EnCase asks for the location of the evidence file the next time the case is opened.

EnCase reports a different hash value for the evidence file.

The evidence file

All of the above

The case file

The configuration HashAnalysis.ini file

Master file table

Volume boot device

Volume boot sector or record

Master boot record

C:\Personnel Folders

C:\WINNT\Profiles

C:\Windows\Users

C:\Documents and Settings

moved

wiped

deleted and wiped

deleted

Execute the POST during start-up.

Temporarily store electronic data that is being processed.

Permanently store electronic data.

Establish a connection with external devices.

True

False

No. Archived files are compressed and cannot be verified until un-archived.

No. All file segments must be put back together.

Yes. Any segment of an evidence file can be verified through re-computing and comparing the CRCs, even if it is on a CD.

No. EnCase cannot verify files on CDs.

A compressed zip file.

A graphics file attached to an e-mail message.

A compound e-mail attachment.

A file format used in the printing process by Windows.

A case-specific setting that cannot be changed.

A case-specific setting that can be changed.

A global setting that can be changed.

A global setting that cannot be changed.

The results of a hash analysis

The information contained in the signature table

The results of a signature analysis

Pointers to an evidence file

Directory Entry

Master File Table

Info2 file

Inode Table

Computes the hash value including the logical file and filename.

Computes the hash value including the physical file and filename.

Computes the hash value based on the logical file.

Computes the hash value based on the physical file.

C:\Windows\History

C:\Windows\Start menu\Documents

C:\Windows\Documents

C:\Windows\Recent

The computer will instantly shut off.

The computer will go into stand-by mode.

Nothing will happen.

All of the above could happen.

The operating system will shut down normally.

Make any changes to the evidence that will further the investigation.

Avoid making any changes to the original evidence.

Both a and b

Neither a or b

The evidence number

The acquisition notes

The investigator name

None of the above

Never

When the FAT 32 has the same number of sectors / clusters.

When the FAT 32 is the same size or bigger.

Both a and b

Red

Red on black

Black on red

Black

tom jones

Tom

Jones

Tom Jones

Copied to the default export folder and opened by an associated program.

Renamed to JPG_0001.jpg and copied to the default export folder.

Copied to the EnCase specified temp folder and opened by an associated program.

Opened by EnCase.

Red

Red on black

Black

Black on red

The MD5 hash value must verify.

The CRC values must verify.

The CRC values and the MD5 hash value both must verify.

Either the CRC or MD5 hash values must verify.

The evidence file

The configuration FileSignatures.ini file

All of the above

The case file

FF 0000 00 00 FF BA

0000 00 01 FF FF BA

04 06 0000 00 FF FF BA

04 0000 00 FF FF BA

Test the technique on simulated evidence in a controlled environment to confirm that the results are consistent.

Be trained in the employment of the technique.

Botha and b.

Neithera or b.

16

4

2

8

The .SHD file

The .SPL file

Neither a or b

Both a and b

Analyzing the relationship of a file signature to its file extension.Analyzing the relationship of a file signature to its file extension.

Analyzing the relationship of a file signature to its file header.Analyzing the relationship of a file signature to its file header.

Analyzing the relationship of a file signature to a list of hash sets.Analyzing the relationship of a file signature to a list of hash sets.

Analyzing the relationship of a file signature to its computed MD5 hash value.Analyzing the relationship of a file signature to its computed MD5 hash value.

Nothing

It is moved to a special area.

It is overwritten with zeroes.

The file header is marked with a Sigma so the file is not recognized by the operating system.

A chip that would be considered the brain of a computer, which is installed on a motherboard.

A Central Programming Unit.

A motherboard with all required devices connected.

An entire computer box, not including the monitor and other attached peripheral devices.

2

3

1

4

By sorting on the category column in the Table view. By sorting on the category column in the Table view.

By sorting on the signature column in the Table view. By sorting on the signature column in the Table view.

By sorting on the hash sets column in the Table view. By sorting on the hash sets column in the Table view.

By sorting on the hash library column in the Table view. By sorting on the hash library column in the Table view.

True

False

The Recycle Bin increases the chance of locating the existence of a file on a computer.

The Recycle Bin reduces the chance of locating the existence of a file on a computer.

Record nothing to avoid inaccuracies that might jeopardize the use of the evidence.

Record the location that the computer was recovered from.

Record the identity of the person(s) involved in the seizure.

Record the date and time the computer was seized.

The cluster is unallocated

The cluster is the end of a file

The cluster is allocated

The cluster is marked bad

True

False

Credit card readers

Personal assistant devices

Cellular phones

Digital cameras

a unique directory on the lab drive for case management

a text file for notes

All of the above

an .E01 file on the lab drive

External viewers

Pointers to evidence files

Signature analysis results

Search results