GD0-100 Certification Exam For ENCE North America Question and Answers

If a hard drive is left in a room while acquiring, and several persons have access to that room, which of the following areas would be of most concern?

The following keyword was typed in exactly as shown. Choose the answer(s) that would be found. All search criteria have default settings. Tom

Before utilizing an analysis technique on computer evidence, the investigator should:

The case file should be archived with the evidence files at the termination of a case.

EnCase marks a file as overwritten when _____________ has been allocated to another file.

The MD5 hash algorithm produces a _____ number.

Which of the following items could contain digital evidence?

A sector on a hard drive contains how many bytes?

If a floppy diskette is in the ?drive, the computer will always boot to that drive before any other device. If a floppy diskette is in the ??drive, the computer will always boot to that drive before any other device.

This question addresses the EnCase for Windows search process. If a target word is within a logical file, and it begins in cluster 10 and ends in cluster 15 (the word is fragmented), the search:

Consider the following path in a FAT file system:

A sector on a floppy disk is the same size as a sector on a NTFS formatted hard drive.

Using good forensic practices, when seizing a computer at a business running Windows 2000 Server you should:

A hard drive was imaged using EnCase. The original drive was placed into evidence. The restore feature was used to make a copy of the original hard drive. EnCase verifies the restored copy using:

You are working in a computer forensic lab. A law enforcement investigator brings you a computer and a valid search warrant. You have legal authority to search the computer. The investigator hands you a piece of paper that has three printed checks on it. All three checks have the same check and account number. You image the suspect computer and open the evidence file with EnCase. You checks have the same check and account number. You image the suspect's computer and open the evidence file with EnCase. You perform a text search for the account number and check number. Nothing returns on the search results. You perform a text search for all other information found on the printed checks and there is still nothing returned in the search results. You run a signature analysis and check the gallery. You cannot locate any graphical copies of the printed checks in the gallery. At this point, is it safe to say that the checks are not located on the suspect computer?

An evidence file can be moved to another directory without changing the file verification.

To undelete a file in the FAT file system, EnCase obtains the starting extent from the:

What information should be obtained from the BIOS during computer forensic investigations?

Search results are found in which of the following files? Select all that apply.

When handling computer evidence, an investigator should:

In DOS and Windows, how many bytes are in one FAT directory entry?

In Windows 98 and ME, Internet based e-mail, such as Hotmail, will most likely be recovered in the _____________________ folder.

Temp files created by EnCase are deleted when EnCase is properly closed.