GD0-110 Certification Exam for EnCE Outside North America Question and Answers

A global setting that can be changed.

A case-specific setting that can be changed.

A global setting that cannot be changed.

A case-specific setting that cannot be changed.

C:\Windows\Desktop

C:\Desktop

C:\Program files\Programs\Desktop

C:\Startup\Desktop\Items

Black

Red

Black on red

Red on black

Programs that are exported out of an evidence file.

Programs that are associated with EnCase to open specific file types.

Any program that is loaded on the lab hard drive.

Any program that will work with EnCase.

The case file

The configuration FileSignatures.ini file

The evidence file

All of the above

2

4

6

8

Record the location that the computer was recovered from.

Record the identity of the person(s) involved in the seizure.

Record the date and time the computer was seized.

Record nothing to avoid inaccuracies that might jeopardize the use of the evidence.

Tomorrow

Tom

Stomp

TomJ@hotmail.com

Be trained in the employment of the technique.

Test the technique on simulated evidence in a controlled environment to confirm that the results are consistent.

Both a and b.

Neither a or b.

800.555.1212

8005551212

800-555 1212

(800) 555-1212

Will compute a hash value of the evidence file and begin a verification process.

Will generate a hash set for every file in the case.

Will compare the hash value of the files in the case to the hash library.

Will create a hash set to the user specifications.

unique volume label

FAT 16 partition

NTFS partition

bare, unused partition

Areas compared with each other to verify the correct file type.

Synonymous.

The signature is the file extension. The header is a standard pattern normally found at the beginning of a file.

None of the above

C X H X S

C X H + S

C X H X S + 512

C X H X S X 512

Random Access Memory

Relative Address Memory

Random Addressable Memory

Relative Addressable Memory

An add-in card that controls all hard drive activity.

An add-in card that handles all RAM.

The main circuit board that has slots for the microprocessor, RAM, ROM, and add-in cards.

Any circuit board, regardless of its function.

C:\Windows\Temp

C:\Windows\Temporary Internet files

C:\Windows\History\Email

C:\Windows\Online\Applications\email

External viewers

Pointers to evidence files

Signature analysis results

Search results

The file that runs EnCase for Windows.

A file contain configuration settings for cases.

A file that contains information specific to one case.

None of the above.

True

False

File fragmentation

Every addressable cluster on the partition

Clusters marked as bad

All of the above.

Yes, because the chk1.dll file was moved and renamed.

No, because the Windows operating system likely moved and renamed the chk1.dll file during disk maintenance.

No, because the chk1.dll file has no evidentiary value.

Yes, because the ch1.dll is all the evidence required to prove the case.

The total size in bytes of a logical file.

The total size in sectors of an allocated file.

The total size of all the clusters used by the file measured in bytes.

The total size of the file including the ram slack in bytes.