GD0-100 Certification Exam For ENCE North America Questions and Answers

Which of the following would be a true statement about the function of the BIOS?

EnCase can build a hash set of a selected group of files.

Which of the following is commonly used to encode e-mail attachments?

An evidence file was archived onto five CD-Rom disks with the third file segment on disk number three. Can the contents of the third file segment be verified by itself while still on the CD?

A logical file would be best described as:

The acronym ASCII stands for:

When a non-compressed evidence file is reacquired with compression, the acquisition and verification hash values for the evidence will remain the same for both files.

Select the appropriate name for the highlighted area of the binary numbers.

An EnCase evidence file of a hard drive ________ be restored to another hard drive of equal or greater size.

The EnCase case file can be best described as:

How does EnCase verify that the evidence file contains an exact copy of the suspect hard drive? How does

EnCase verify that the evidence file contains an exact copy of the suspect's hard drive?

When a file is deleted in the FAT or NTFS file systems, what happens to the data on the hard drive?

Using good forensic practices, when seizing a computer at a business running Windows 2000 Server you should:

The results of a hash analysis on an evidence file that has been added to a case will be stored in which of the following files?

Within EnCase for Windows, the search process is:

When a document is printed using EMF in Windows, what file(s) are generated in the spooling process?

Changing the filename of a file will change the hash value of the file.

What are the EnCase configuration .ini files used for?

Consider the following path in a FAT file system:

You are working in a computer forensic lab. A law enforcement investigator brings you a computer and a valid search warrant. You have legal authority to search the computer. The investigator hands you a piece of paper that has three printed checks on it. All three checks have the same check and account number. You image the suspect computer and open the evidence file with EnCase. You checks have the same check and account number. You image the suspect's computer and open the evidence file with EnCase. You perform a text search for the account number and check number. Nothing returns on the search results. You perform a text search for all other information found on the printed checks and there is still nothing returned in the search results. You run a signature analysis and check the gallery. You cannot locate any graphical copies of the printed checks in the gallery. At this point, is it safe to say that the checks are not located on the suspect computer?

The first sector on a volume is called the:

A suspect typed a file on his computer and saved it to a floppy diskette. The filename was MyNote.txt. You receive the floppy and the suspect computer. The suspect denies that the floppy disk belongs to him. You search the suspect computer and locate only the suspect? computer. The suspect denies that the floppy disk belongs to him. You search the suspect? computer and locate only the filename within a .LNK file. The .LNK file is located in the folder C:\Windows\Recent. How you would use the .LNK file to establish a connection between the file on the floppy diskette and the suspect computer? connection between the file on the floppy diskette and the suspect? computer?

EnCase marks a file as overwritten when _____________ has been allocated to another file.