
Guidance Software GD0-110 - Certification Exam for EnCE Outside North America

Total 174 questions

You are assigned to assist with the search and seizure of several computers. The magistrate ordered that the computers cannot be seized unless they are found to contain any one of ten previously identified images. You currently have the ten images in JPG format. Using the EnCase methodology, how would you best handle this situation?

A. Use an EnCase DOS boot disk to conduct a text search for child porn

B. Use FastBloc or a network/parallel port cable to acquire forensic images of the hard drives, then search the evidence files for the previously identified images.

C. Use FastBloc or a network/parallel port cable to preview the hard drives. Go to the Gallery view and search for the previously identified images.

D. Use FastBloc or a network/parallel port cable to preview the hard drives. Conduct a hash analysis of the files on the hard drives, using a hash library containing the hash values of the previously identified images.

In Windows 98 and ME, Internet-based e-mail, such as Hotmail, will most likely be recovered in the _____________________ folder.

A. C:\Windows\Temp

B. C:\Windows\Temporary Internet files

C. C:\Windows\History\Email

D. C:\Windows\Online\Applications\email

Two allocated files can occupy one cluster, as long as they can both fit within the allotted number of bytes.

A. True

B. False

The end of a logical file to the end of the cluster that the file ends in is called:

A. Unallocated space

B. Allocated space

C. Available space

D. Slack

To later verify the contents of an evidence file:

A. EnCase writes an MD5 hash value for every 32 sectors copied.

B. EnCase writes a CRC value for every 64 sectors copied.

C. EnCase writes a CRC value for every 128 sectors copied.

D. EnCase writes an MD5 hash value every 64 sectors copied.

This question addresses the EnCase for Windows search process. If a target word is within a logical file, and it begins in cluster 10 and ends in cluster 15 (the word is fragmented), the search:

A. Will not find it because the letters of the keyword are not contiguous.

B. Will not find it unless File slack is checked on the search dialog box.

C. Will find it because EnCase performs a logical search.

D. Will not find it because EnCase performs a physical search only.

A sector on a floppy disk is the same size as a sector on an NTFS-formatted hard drive.

A. True

B. False

You are conducting an investigation and have encountered a computer that is running in the field. The operating system is Windows XP. A software program is currently running and is visible on the screen. You should:

A. Photograph the screen and pull the plug from the back of the computer.

B. Navigate through the program and see what the program is all about, then pull the plug.

C. Pull the plug from the back of the computer.

D. Pull the plug from the wall.

A hash library would most accurately be described as:

A. A file containing hash values from one or more selected hash sets.

B. A master table of file headers and extensions.

C. A list of all the MD5 hash values used to verify the evidence files.

D. Both a and b.

The following keyword was typed in exactly as shown. Choose the answer(s) that would be found. All search criteria have default settings. Tom

A. Tomorrow

B. Tom

C. Stomp

D. TomJ@hotmail.com