3 Months Free Update
3 Months Free Update
3 Months Free Update
Within EnCase, you highlight a range of data within a file. The length indicator displays the value 30. How many bytes have you actually selected?
The EnCase methodology dictates that the lab drive for evidence have a __________ prior to making an image.
When a non-compressed evidence file is reacquired with compression, the acquisition and verification hash values for the evidence will remain the same for both files.
The boot partition table found at the beginning of a hard drive is located in what sector?
Which of the following would be a true statement about the function of the BIOS?
If an evidence file has been added to a case and completely verified, what happens if the data area within the evidence file is later changed?
When a document is printed using EMF in Windows, what file(s) are generated in the spooling process?
You are an investigator and have encountered a computer that is running at the home of a suspect. The computer does not appear to be a part of a network. The operating system is Windows XP Home. No programs are visibly running. You should:
You are investigating a case of child pornography on a hard drive containing Windows XP. In the C:\Documents and Settings\Bad Guy\Local Settings\Temporary Internet Files folder you find three images of child pornography. You find no other copies of the images on the suspect hard drive, and you find no other copies of the filenames. What can be deduced from your findings?
To undelete a file in the FAT file system, EnCase computes the number of _______ the file will use based on the file ______.
Select the appropriate name for the highlighted area of the binary numbers.
You are investigating a case involving fraud. You seized a computer from a suspect who stated that the computer is not used by anyone other than himself. The computer has Windows 98 installed on the hard drive. You find the filename C:\downloads\check01.jpg that EnCase shows as being moved. The starting extent is 0C4057. You find another filename :\downloads\chk1.dll with the starting extent 0C4057, which EnCase also shows as being moved. In the C:\Windows\System folder you find an allocated file named chk1.dll with the starting extent 0C4057. The chk1.dll file is a JPEG image of a counterfeit check. What can be deduced from your findings?
When an EnCase user double-clicks on a file within EnCase what determines the action that will result?