Using good forensic practices, when seizing a computer at a business running Windows 2000 Server you should:
You are examining a hard drive that has Windows XP installed as the operating system. You see a file that has a date and time in the deleted column. Where does that date and time come from?
When undeleting a file in the FAT file system, EnCase will check the _____________ to see if it has already been overwritten.
If cases are worked on a lab drive in a secure room, without any cleaning of the contents of the drive, which of the following areas would be of most concern?
What files are reconfigured or deleted by EnCase during the creation of an EnCase boot disk?
A suspect typed a file on his computer and saved it to a floppy diskette. The filename was MyNote.txt. You receive the floppy and the suspect's computer. The suspect denies that the floppy disk belongs to him. You search the suspect's computer and locate only the filename within a .LNK file. The .LNK file is located in the folder C:\Windows\Recent. How would you use the .LNK file to establish a connection between the file on the floppy diskette and the suspect's computer?
Pressing the power button on a computer that is running could have which of the following results?
You are investigating a case involving fraud. You seized a computer from a suspect who stated that the computer is not used by anyone other than himself. The computer has Windows 98 installed on the hard drive. You find the filename C:\downloads\check01.jpg that EnCase shows as being moved. The starting extent is 0C4057. You find another filename C:\downloads\chk1.dll with the starting extent 0C4057, which EnCase also shows as being moved. In the C:\windows\System folder you find an allocated file named chk1.dll with the starting extent 0C4057. The chk1.dll file is a JPEG image of a counterfeit check. Could this information be used to refute the suspect's claim that he never knew it was on the computer?
Two allocated files can occupy one cluster, as long as they can both fit within the allotted number of bytes.
When a document is printed using EMF in Windows, what file(s) are generated in the spooling process?
The following keyword was typed in exactly as shown. Choose the answer(s) that would be found. All search criteria have default settings. Tom
To undelete a file in the FAT file system, EnCase obtains the starting extent from the:
The following GREP expression was typed in exactly as shown. Choose the answer(s) that would result. Jan 1 st , 2?0?00
When a file is deleted in the FAT or NTFS file systems, what happens to the data on the hard drive?
Which of the following would be a true statement about the function of the BIOS?
How many copies of the FAT are located on a FAT32, Windows 98-formatted partition?
Which of the following selections would be used to keep track of a fragmented file in the FAT file system?
A restored floppy diskette will have the same hash value as the original diskette.
Which of the following is found in the FileSignatures.ini configuration file?
All investigators using EnCase should run tests on the evidence file acquisition and verification process to:
This question addresses the EnCase for Windows search process. If a target word is within a logical file, and it begins in cluster 10 and ends in cluster 15 (the word is fragmented), the search:
The EnCase evidence file logical filename can be changed without affecting the verification of the acquired evidence.
If cluster #3552 entry in the FAT table contains a value of this would mean:
Select the appropriate name for the highlighted area of the binary numbers.