Certification Exam For ENCE North America v5.0 (GD0-100)

Page:    1 / 12   
Total 176 questions

The EnCase evidence file logical filename can be changed without affecting the verification of the acquired evidence.

  • A. True
  • B. False


Answer : B

In the FAT file system, the size of a deleted file can be found:

  • A. In the FAT
  • B. In the directory entry
  • C. In the file footer
  • D. In the file header


Answer : B

A sector on a floppy disk is the same size as a sector on a NTFS formatted hard drive.

  • A. False
  • B. True


Answer : A

A suspect typed a file on his computer and saved it to a floppy diskette. The filename was
MyNote.txt. You receive the floppy and the suspect computer. The suspect denies that the floppy disk belongs to him. You search the suspect computer and locate only the suspect? computer. The suspect denies that the floppy disk belongs to him. You search the suspect? computer and locate only the filename within a .LNK file. The .LNK file is located in the folder C:\Windows\Recent. How you would use the .LNK file to establish a connection between the file on the floppy diskette and the suspect computer? connection between the file on the floppy diskette and the suspect? computer?

  • A. Both a and b
  • B. The dates and time of the file found in the .LNK file, at file offset 28
  • C. The full path of the file, found in the .LNK file
  • D. The file signature found in the .LNK file


Answer : A

Select the appropriate name for the highlighted area of the binary numbers.

  • A. Word
  • B. Dword
  • C. Byte
  • D. Nibble
  • E. Bit


Answer : B

The EnCase methodology dictates that the lab drive for evidence have a __________ prior to making an image.

  • A. FAT 16 partition
  • B. NTFS partition
  • C. unique volume label
  • D. bare, unused partition


Answer : C

In hexadecimal notation, one byte is represented by _____ character(s).

  • A. 2
  • B. 1
  • C. 8
  • D. 4


Answer : A

A personal data assistant was placed in a evidence locker until an examiner has time to examine it. Which of the following areas would require special attention?

  • A. Chain-of-custody
  • B. Storage
  • C. There is no concern
  • D. Cross-contamination


Answer : B

When a non-compressed evidence file is reacquired with compression, the acquisition and verification hash values for the evidence will remain the same for both files.

  • A. True
  • B. False


Answer : A

To generate an MD5 hash value for a file, EnCase:

  • A. Computes the hash value including the logical file and filename.
  • B. Computes the hash value including the physical file and filename.
  • C. Computes the hash value based on the logical file.
  • D. Computes the hash value based on the physical file.


Answer : C

Which of the following is found in the FileSignatures.ini configuration file

  • A. The results of a hash analysis
  • B. The information contained in the signature table
  • C. The results of a signature analysis
  • D. Pointers to an evidence file


Answer : B

During the power-up sequence, which of the following happens first?

  • A. The boot sector is located on the hard drive.
  • B. Theower On Self-Test.? 7KH ? RZHU2Q6HOI7HVW
  • C. The floppy drive is checked for a diskette.
  • D. The BIOS on an add-in card is executed.


Answer : B

A restored floppy diskette will have the same hash value as the original diskette.

  • A. True
  • B. False


Answer : B

A hard drive was imaged using EnCase. The original drive was placed into evidence. The restore feature was used to make a copy of the original hard drive. EnCase verifies the restored copy using:

  • A. An MD5 hash
  • B. A 32 bit CRC
  • C. Nothing. Restored volumes are not verified.
  • D. A running log


Answer : A

To later verify the contents of an evidence file
7RODWHUYHULI\WKHFRQWHQWVRIDQHYLGHQFHILOH

  • A. EnCase writes a CRC value for every 64 sectors copied.
  • B. EnCase writes a CRC value for every 128 sectors copied.
  • C. EnCase writes an MD5 hash value every 64 sectors copied.
  • D. EnCase writes an MD5 hash value for every 32 sectors copied.


Answer : A

Page:    1 / 12   
Total 176 questions