Certification Exam for EnCE Outside North America v5.0

Page:    1 / 12   
Exam contains 174 questions

To generate an MD5 hash value for a file, EnCase:

  • A. Computes the hash value based on the logical file.
  • B. Computes the hash value based on the physical file.
  • C. Computes the hash value including the logical file and filename.
  • D. Computes the hash value including the physical file and filename.


Answer : A

The FAT in the File Allocation Table file system keeps track of:

  • A. File fragmentation
  • B. Every addressable cluster on the partition
  • C. Clusters marked as bad
  • D. All of the above.


Answer : D

In DOS and Windows, how many bytes are in one FAT directory entry?

  • A. 8
  • B. 16
  • C. 32
  • D. 64
  • E. Variable


Answer : C

You are conducting an investigation and have encountered a computer that is running in the field. The operating system is Windows XP. A software program is currently running and is visible on the screen. You should:

  • A. Photograph the screen and pull the plug from the back of the computer.
  • B. Navigate through the program and see what the program is all about, then pull the plug.
  • C. Pull the plug from the back of the computer.
  • D. Pull the plug from the wall.


Answer : A

Within EnCase, what is the purpose of the temp folder?

  • A. This is the folder that will automatically store an evidence file when the acquisition is made in DOS.
  • B. This is the folder that temporarily stores all bookmark and search results.
  • C. This is the folder used to hold copies of files that are sent to external viewers.
  • D. This is the folder that will be automatically selected when the copy/unerase feature is used.


Answer : C

The spool files that are created during a print job are __________ after the print job is completed.

  • A. wiped
  • B. deleted and wiped
  • C. deleted
  • D. moved


Answer : C

If cases are worked on a lab drive in a secure room, without any cleaning of the contents of the drive, which of the following areas would be of most concern?

  • A. Cross-contamination
  • B. Storage
  • C. Chain-of-custody
  • D. There is no concern


Answer : A

The EnCase case file can be best described as:

  • A. The file that runs EnCase for Windows.
  • B. A file containing configuration settings for cases.
  • C. A file that contains information specific to one case.
  • D. None of the above.


Answer : C

The following GREP expression was typed in exactly as shown. Choose the answer(s) that would result. [^a-z]Tom[^a-z]

  • A. Stomp
  • B. Tomato
  • C. Tom
  • D. Toms


Answer : C

You are assigned to assist with the search and seizure of several computers. The magistrate ordered that the computers cannot be seized unless they are found to contain any one of ten previously identified images. You currently have the ten images in JPG format. Using the EnCase methodology, how would you best handle this situation?

  • A. Use an EnCase DOS boot disk to conduct a text search for child porn
  • B. Use FastBloc or a network/parallel port cable to acquire forensic images of the hard drives, then search the evidence files for the previously identified images.
  • C. Use FastBloc or a network/parallel port cable to preview the hard drives. Go to the Gallery view and search for the previously identified images.
  • D. Use FastBloc or a network/parallel port cable to preview the hard drives. Conduct a hash analysis of the files on the hard drives, using a hash library containing the hash values of the previously identified images.


Answer : D

A hash library would most accurately be described as:

  • A. A file containing hash values from one or more selected hash sets.
  • B. A master table of file headers and extensions.
  • C. A list of all the MD5 hash values used to verify the evidence files.
  • D. Both a and b.


Answer : A

The MD5 hash algorithm produces a _____ number.

  • A. 32 bit
  • B. 64 bit
  • C. 128 bit
  • D. 256 bit


Answer : C

Which of the following items could contain digital evidence?

  • A. Cellular phones
  • B. Digital cameras
  • C. Personal assistant devices
  • D. Credit card readers


Answer : A,B,C,D

How does EnCase verify that the case information (Case Number, Evidence Number, Investigator Name, etc.) in an evidence file has not been damaged or changed, after the evidence file has been written?

  • A. The .case file writes a CRC value for the case information and verifies it when the case is opened.
  • B. EnCase does not verify the case information and case information can be changed by the user as it becomes necessary.
  • C. EnCase writes a CRC value of the case information and verifies the CRC value when the evidence is added to a case.
  • D. EnCase writes an MD5 hash value for the entire evidence file, which includes the case information, and verifies the MD5 hash when the evidence is added to a case.


Answer : C

A signature analysis has been run on a case. The result !Bad Signature means:

  • A. The file signature is known and the file extension is known.
  • B. The file signature is known and does not match a known file extension.
  • C. The file signature is unknown and the file extension is known.
  • D. The file signature is known and does not match a known file header.


Answer : C
