
GD0-110 Certification Exam for EnCE Outside North America Questions and Answers

Questions 4

A physical file size is:

Options:

A.

The total size in bytes of a logical file.

B.

The total size in sectors of an allocated file.

C.

The total size of all the clusters used by the file measured in bytes.

D.

The total size of the file including the ram slack in bytes.

Questions 5

Which of the following would be a true statement about the function of the BIOS?

Options:

A.

The BIOS is responsible for swapping out memory pages when RAM fills up.

B.

The BIOS is responsible for checking and configuring the system after the power is turned on.

C.

The BIOS integrates compressed executable files with memory addresses for faster execution.

D.

Both a and c.

Questions 6

Search terms are stored in what .ini configuration file?

Options:

A.

FileTypes.ini

B.

FileSignatures.ini

C.

Keywords.ini

D.

TextStyle.ini

Questions 7

Assume that MyNote.txt has been deleted. The FAT file system directory entry for that file has been overwritten. The data for MyNote.txt is now:

Options:

A.

Allocated

B.

Overwritten

C.

Unallocated

D.

Cross-linked

Questions 8

Using good forensic practices, when seizing a computer at a business running Windows 2000 Server you should:

Options:

A.

Shut it down normally.

B.

Pull the plug from the wall.

C.

Pull the plug from the back of the computer.

D.

Press the power button and hold it in.

Questions 9

The spool files that are created during a print job are __________ after the print job is completed.

Options:

A.

wiped

B.

deleted and wiped

C.

deleted

D.

moved

Questions 10

A FAT directory has a logical size of:

Options:

A.

0 bytes

B.

64 bytes

C.

128 bytes

D.

One cluster

Questions 11

A logical file would be best described as:

Options:

A.

The data from the beginning of the starting cluster to the length of the file.

B.

The data taken from the starting cluster to the end of the last cluster that is occupied by the file.

C.

A file including any RAM and disk slack.

D.

A file including only RAM slack.

Questions 12

The EnCase signature analysis is used to perform which of the following actions?

Options:

A.

Analyzing the relationship of a file signature to its file header.

B.

Analyzing the relationship of a file signature to its computed MD5 hash value.

C.

Analyzing the relationship of a file signature to a list of hash sets.

D.

Analyzing the relationship of a file signature to its file extension.

Questions 13

What information should be obtained from the BIOS during computer forensic investigations?

Options:

A.

The video caching information

B.

The port assigned to the serial port

C.

The date and time

D.

The boot sequence

Questions 14

A restored floppy diskette will have the same hash value as the original diskette.

Options:

A.

True

B.

False

Questions 15

The EnCase methodology dictates that the lab drive for evidence have a __________ prior to making an image.

Options:

A.

unique volume label

B.

FAT 16 partition

C.

NTFS partition

D.

bare, unused partition

Questions 16

To generate an MD5 hash value for a file, EnCase:

Options:

A.

Computes the hash value based on the logical file.

B.

Computes the hash value based on the physical file.

C.

Computes the hash value including the logical file and filename.

D.

Computes the hash value including the physical file and filename.

Questions 17

In Windows 98 and ME, Internet-based e-mail, such as Hotmail, will most likely be recovered in the _____________________ folder.

Options:

A.

C:\Windows\Temp

B.

C:\Windows\Temporary Internet files

C.

C:\Windows\History\Email

D.

C:\Windows\Online\Applications\email

Questions 18

The following keyword was typed in exactly as shown. Choose the answer(s) that would result. All search criteria have default settings.

credit card

Options:

A.

Credit

B.

Card

C.

Credit Card

D.

credit card

Questions 19

The case number in an evidence file can be changed without causing the verification feature to report an error, if:

Options:

A.

The user utilizes the case information editor within EnCase.

B.

The evidence file is reacquired.

C.

The user utilizes a text editor.

D.

The case information cannot be changed in an evidence file, without causing the verification feature to report an error.

Questions 20

When a non-compressed evidence file is reacquired with compression, the acquisition and verification hash values for the evidence will remain the same for both files.

Options:

A.

True

B.

False

Questions 21

You are working in a computer forensic lab. A law enforcement investigator brings you a computer and a valid search warrant. You have legal authority to search the computer. The investigator hands you a piece of paper that has three printed checks on it. All three checks have the same check and account number. You image the suspect's computer and open the evidence file with EnCase. You perform a text search for the account number and check number. Nothing returns on the search results. You perform a text search for all other information found on the printed checks and there is still nothing returned in the search results. You run a signature analysis and check the gallery. You cannot locate any graphical copies of the printed checks in the gallery. At this point, is it safe to say that the checks are not located on the suspect computer?

Options:

A.

No. The images could be in an image format not viewable inside EnCase.

B.

No. The images could be located in a compressed file.

C.

No. The images could be embedded in a document.

D.

No. The images could be in unallocated clusters.

E.

All of the above.

Questions 22

When undeleting a file in the FAT file system, EnCase will check the _____________ to see if it has already been overwritten.

Options:

A.

directory entry

B.

FAT

C.

data on the hard drive

D.

deletion table

Questions 23

If a hard drive is left in a room while acquiring, and several persons have access to that room, which of the following areas would be of most concern?

Options:

A.

Cross-contamination

B.

Storage

C.

Chain-of-custody

D.

There is no concern

Questions 24

Assume that an evidence file is added to a case, the case is saved, and the case is closed. What happens if the evidence file is moved, and the case is then opened?

Options:

A.

EnCase reports that the file integrity has been compromised and renders the file useless.

B.

EnCase reports a different hash value for the evidence file.

C.

EnCase asks for the location of the evidence file the next time the case is opened.

D.

EnCase opens the case, excluding the moved evidence.

Questions 25

EnCase is able to read and examine which of the following file systems?

Options:

A.

NTFS

B.

FAT

C.

EXT3

D.

HFS

Questions 26

How are the results of a signature analysis examined?

Options:

A.

By sorting on the signature column in the table view.

B.

By sorting on the hash library column in the table view.

C.

By sorting on the hash sets column in the table view.

D.

By sorting on the category column in the table view.

Questions 27

All investigators using EnCase should run tests on the evidence file acquisition and verification process to:

Options:

A.

Further the investigator's understanding of the evidence file.

B.

Give more weight to the investigator's testimony in court.

C.

Ensure that the investigator is using the proper method of acquisition.

D.

All of the above.

Questions 28

In Unicode, one printed character is composed of ____ bytes of data.

Options:

A.

1

B.

2

C.

4

D.

8

Questions 29

The signature table data is found in which of the following files?

Options:

A.

The case file

B.

The configuration FileSignatures.ini file

C.

The evidence file

D.

All of the above

Questions 30

Hash libraries are commonly used to:

Options:

A.

Identify files that are already known to the user.

B.

Compare one hash set with another hash set.

C.

Verify the evidence file.

D.

Compare a file header to a file extension.

Questions 31

A SCSI host adapter would most likely perform which of the following tasks?

Options:

A.

Make SCSI hard drives and other SCSI devices accessible to the operating system.

B.

Configure the motherboard settings to the BIOS.

C.

Set up the connection of IDE hard drives.

D.

None of the above.

Questions 32

If cases are worked on a lab drive in a secure room, without any cleaning of the contents of the drive, which of the following areas would be of most concern?

Options:

A.

Cross-contamination

B.

Storage

C.

Chain-of-custody

D.

There is no concern

Questions 33

In the EnCase environment, the term "external viewers" is best described as:

Options:

A.

Programs that are exported out of an evidence file.

B.

Programs that are associated with EnCase to open specific file types.

C.

Any program that is loaded on the lab hard drive.

D.

Any program that will work with EnCase.

Questions 34

The Unicode system can address ____ characters?

Options:

A.

256

B.

1024

C.

16,384

D.

65,536

Questions 35

Search results are found in which of the following files?

Options:

A.

The case file

B.

The configuration Searches.ini file

C.

The evidence file

D.

All of the above

Questions 36

A hard drive has been formatted as NTFS and Windows XP was installed. The user used fdisk to remove all partitions from that drive. Nothing else was done. You have imaged the drive and have opened the evidence file with EnCase. What would be the best way to examine this hard drive?

Options:

A.

Conduct a physical search of the hard drive and bookmark any evidence.

B.

Use the add Partition feature to rebuild the partition and then examine the system.

C.

Use the recovered Deleted Partitions feature and then examine the system.

D.

EnCase will not see a drive that has been fdisked.

Questions 37

EnCase can make an image of a USB flash drive.

Options:

A.

True

B.

False

Questions 38

RAM is used by the computer to:

Options:

A.

Permanently store electronic data.

B.

Execute the POST during start-up.

C.

Temporarily store electronic data that is being processed.

D.

Establish a connection with external devices.

Questions 39

Which of the following would most likely be an add-in card?

Options:

A.

A motherboard

B.

The board that connects to the power supply

C.

A video card that is connected to the motherboard in the AGP slot

D.

Anything plugged into socket 7

Questions 40

You are an investigator and have encountered a computer that is running at the home of a suspect. The computer does not appear to be a part of a network. The operating system is Windows XP Home. No programs are visibly running. You should:

Options:

A.

Shut it down with the start menu.

B.

Pull the plug from the wall.

C.

Turn it off with the power button.

D.

Pull the plug from the back of the computer.

Questions 41

Which of the following aspects of the EnCase evidence file can be changed during a reacquire of the evidence file?

Options:

A.

The investigator name

B.

The evidence number

C.

The acquisition notes

D.

None of the above

Questions 42

If a hash analysis is run on a case, EnCase:

Options:

A.

Will compute a hash value of the evidence file and begin a verification process.

B.

Will generate a hash set for every file in the case.

C.

Will compare the hash value of the files in the case to the hash library.

D.

Will create a hash set to the user specifications.

Questions 43

The following GREP expression was typed in exactly as shown. Choose the answer(s) that would result.

800[) \-]+555-1212

Options:

A.

800.555.1212

B.

8005551212

C.

800-555 1212

D.

(800) 555-1212

Questions 44

How does EnCase verify that the evidence file contains an exact copy of the suspect hard drive?

Options:

A.

By means of an MD5 hash of the suspect hard drive compared to an MD5 hash of the data stored in the evidence file.

B.

By means of a CRC value of the suspect hard drive compared to a CRC value of the data stored in the evidence file.

C.

By means of an MD5 hash value of the evidence file itself.

D.

By means of a CRC value of the evidence file itself.

Questions 45

How many clusters can a FAT 16 system address?

Options:

A.

4,096

B.

65,536

C.

268,435,456

D.

4,294,967,296

Questions 46

An EnCase evidence file of a hard drive ________ be restored to another hard drive of equal or greater size.

Options:

A.

can

B.

cannot

Questions 47

You are investigating a case involving fraud. You seized a computer from a suspect who stated that the computer is not used by anyone other than himself. The computer has Windows 98 installed on the hard drive. You find the filename C:\downloads\check01.jpg that EnCase shows as being moved. The starting extent is 0C4057. You find another filename :\downloads\chk1.dll with the starting extent 0C4057, which EnCase also shows as being moved. In the C:\Windows\System folder you find an allocated file named chk1.dll with the starting extent 0C4057. The chk1.dll file is a JPEG image of a counterfeit check. What can be deduced from your findings?

Options:

A.

The presence and location of the files is strong evidence the suspect committed the crime.

B.

The presence and location of the files is not strong evidence the suspect committed the crime.

Questions 48

RAM is an acronym for:

Options:

A.

Random Access Memory

B.

Relative Address Memory

C.

Random Addressable Memory

D.

Relative Addressable Memory

Questions 49

A hard drive has 8 sectors per cluster. File Mystuff.doc has a logical file size of 13,000 bytes. How many clusters will be used by Mystuff.doc?

Options:

A.

1

B.

2

C.

3

D.

4

Questions 50

When an EnCase user double-clicks on a valid .jpg file, that file is:

Options:

A.

Copied to the EnCase specified temp folder and opened by an associated program.

B.

Copied to the default export folder and opened by an associated program.

C.

Opened by EnCase.

D.

Renamed to JPG_0001.jpg and copied to the default export folder.

Questions 51

An evidence file can be moved to another directory without changing the file verification.

Options:

A.

True

B.

False

Questions 52

A hash set would most accurately be described as:

Options:

A.

A group of hash libraries organized by category.

B.

A table of file headers and extensions.

C.

A group of hash values that can be added to the hash library.

D.

Both a and b.

Exam Code: GD0-110
Exam Name: Certification Exam for EnCE Outside North America
Last Update: Apr 30, 2026
Questions: 174
