The EnCase methodology dictates that the lab drive for evidence have a __________ prior to making an image.
How many copies of the FAT are located on a FAT 32, Windows 98-formatted partition?
The spool files that are created during a print job are __________ after the print job is completed.
EnCase can build a hash set of a selected group of files.
You are working in a computer forensic lab. A law enforcement investigator brings you a computer and a valid search warrant. You have legal authority to search the computer. The investigator hands you a piece of paper that has three printed checks on it. All three checks have the same check and account number. You image the suspect's computer and open the evidence file with EnCase. You perform a text search for the account number and check number. Nothing returns on the search results. You perform a text search for all other information found on the printed checks and there is still nothing returned in the search results. You run a signature analysis and check the gallery. You cannot locate any graphical copies of the printed checks in the gallery. At this point, is it safe to say that the checks are not located on the suspect computer?
The case number in an evidence file can be changed without causing the verification feature to report an error, if:
The default export folder remains the same for all cases.
A logical file would be best described as:
This question addresses the EnCase for Windows search process. If a target word is within a logical file, and it begins in cluster 10 and ends in cluster 15 (the word is fragmented), the search:
Temp files created by EnCase are deleted when EnCase is properly closed.
Which statement would most accurately describe a motherboard?
The first sector on a hard drive is called the:
When an EnCase user double-clicks on a valid .jpg file, that file is:
In Windows 2000 and XP, which of the following directories contain user personal folders?
In the FAT file system, the size of a deleted file can be found:
Which is the proper formula for determining the size in bytes of a hard drive that uses cylinders (C), heads (H), and sectors (S) geometry?
In Windows, the file MyNote.txt is deleted from C Drive and is automatically sent to the Recycle Bin. The long filename was MyNote.txt and the short filename was MYNOTE.TXT. When viewing the Recycle Bin with EnCase, how will the long filename and MyNote.txt and the short filename was MYNOTE.TXT?
Changing the filename of a file will change the hash value of the file.
The following GREP expression was typed in exactly as shown. Choose the answer(s) that would result. Bob@ [a-z]+.com
A signature analysis has been run on a case. The result "Bad Signature" means:
The following GREP expression was typed in exactly as shown. Choose the answer(s) that would result.[\x00-\x05]\x00\x00?>[?[@?[?[?[
The temporary folder of a case cannot be changed once it has been set.
Assume that MyNote.txt has been deleted. The FAT file system directory entry for that file has been overwritten. The data for MyNote.txt is now:
A personal data assistant was placed in an evidence locker until an examiner has time to examine it. Which of the following areas would require special attention?
The case file should be archived with the evidence files at the termination of a case.