Certification Exam for EnCE Outside North America v5.0 (GD0-110)

Total 183 questions

A logical file would be best described as:

  • A. The data from the beginning of the starting cluster to the length of the file.
  • B. The data taken from the starting cluster to the end of the last cluster that is occupied by the file.
  • C. A file including any RAM and disk slack.
  • D. A file including only RAM slack.


Answer : A

When a document is printed using EMF in Windows, what file(s) are generated in the spooling process?

  • A. The .SPL file
  • B. The .SHD file
  • C. Both a and b
  • D. Neither a nor b


Answer : C

A personal data assistant was placed in an evidence locker until an examiner has time to examine it. Which of the following areas would require special attention?

  • A. Cross-contamination
  • B. Storage
  • C. Chain-of-custody
  • D. There is no concern


Answer : B

The end of a logical file to the end of the cluster that the file ends in is called:

  • A. Unallocated space
  • B. Allocated space
  • C. Available space
  • D. Slack


Answer : D

You are at an incident scene and determine that a computer contains evidence as described in the search warrant. When you seize the computer, you should:

  • A. Record the location that the computer was recovered from.
  • B. Record the identity of the person(s) involved in the seizure.
  • C. Record the date and time the computer was seized.
  • D. Record nothing to avoid inaccuracies that might jeopardize the use of the evidence.


Answer : A,B,C

In Unicode, one printed character is composed of ____ bytes of data.

  • A. 1
  • B. 2
  • C. 4
  • D. 8


Answer : B

This question addresses the EnCase for Windows search process. If a target word is within a logical file, and it begins in cluster 10 and ends in cluster 15 (the word is fragmented), the search:

  • A. Will not find it because the letters of the keyword are not contiguous.
  • B. Will not find it unless File slack is checked on the search dialog box.
  • C. Will find it because EnCase performs a logical search.
  • D. Will not find it because EnCase performs a physical search only.


Answer : C

If a hash analysis is run on a case, EnCase:

  • A. Will compute a hash value of the evidence file and begin a verification process.
  • B. Will generate a hash set for every file in the case.
  • C. Will compare the hash value of the files in the case to the hash library.
  • D. Will create a hash set to the user specifications.


Answer : C

EnCase uses the _________________ to conduct a signature analysis.

  • A. file signature table
  • B. hash library
  • C. file viewers
  • D. Both a and b


Answer : A

Assume that MyNote.txt has been deleted. The FAT file system directory entry for that file has been overwritten. The data for MyNote.txt is now:

  • A. Allocated
  • B. Overwritten
  • C. Unallocated
  • D. Cross-linked


Answer : C

How many partitions can be found in the boot partition table found at the beginning of the drive?

  • A. 2
  • B. 4
  • C. 6
  • D. 8


Answer : B

Using good forensic practices, when seizing a computer at a business running Windows 2000 Server you should:

  • A. Shut it down normally.
  • B. Pull the plug from the wall.
  • C. Pull the plug from the back of the computer.
  • D. Press the power button and hold it in.


Answer : A

This question addresses the EnCase for Windows search process. If a target word is located in the unallocated space, and the word is fragmented between clusters 10 and 15, the search:

  • A. Will not find it because the letters of the keyword are not contiguous.
  • B. Will not find it unless File slack is checked on the search dialog box.
  • C. Will find it because EnCase performs a logical search.
  • D. Will not find it because EnCase performs a physical search only.


Answer : A

Assume that an evidence file is added to a case, the case is saved, and the case is closed. What happens if the evidence file is moved, and the case is then opened?

  • A. EnCase reports that the file integrity has been compromised and renders the file useless.
  • B. EnCase reports a different hash value for the evidence file.
  • C. EnCase asks for the location of the evidence file the next time the case is opened.
  • D. EnCase opens the case, excluding the moved evidence.


Answer : C

A sector on a floppy disk is the same size as a sector on an NTFS-formatted hard drive.

  • A. True
  • B. False


Answer : A
