
Guidance Software GD0-110 - Certification Exam for EnCE Outside North America

Total 174 questions

The first sector on a hard drive is called the:

A. Volume boot record
B. Master boot record
C. Master file table
D. Volume boot sector

The Windows 98 Start Menu has a selection called Documents, which displays a list of recently used files. Which of the following folders contains those files?

A. C:\Windows\Start menu\Documents
B. C:\Windows\Documents
C. C:\Windows\Recent
D. C:\Windows\History

Calls to the C:\ volume of the hard drive are not made by DOS when a computer is booted with a standard DOS 6.22 boot disk.

A. True
B. False

A suspect typed a file on his computer and saved it to a floppy diskette. The filename was MyNote.txt. You receive the floppy and the suspect's computer. The suspect denies that the floppy disk belongs to him. You search the suspect's computer and locate only the filename within a .LNK file. The .LNK file is located in the folder C:\Windows\Recent. How would you use the .LNK file to establish a connection between the file on the floppy diskette and the suspect computer?

A. The dates and time of the file found in the .LNK file, at file offset 28
B. The full path of the file, found in the .LNK file
C. The file signature found in the .LNK file
D. Both a and b

A CPU is:

A. An entire computer box, not including the monitor and other attached peripheral devices.
B. A motherboard with all required devices connected.
C. A Central Programming Unit.
D. A chip that would be considered the brain of a computer, which is installed on a motherboard.

A hash set would most accurately be described as:

A. A group of hash libraries organized by category.
B. A table of file headers and extensions.
C. A group of hash values that can be added to the hash library.
D. Both a and b.

The EnCase methodology dictates that ________ be created prior to acquiring evidence.

A. an .E01 file on the lab drive
B. a unique directory on the lab drive for case management
C. a text file for notes
D. All of the above

You are working in a computer forensic lab. A law enforcement investigator brings you a computer and a valid search warrant. You have legal authority to search the computer. The investigator hands you a piece of paper that has three printed checks on it. All three checks have the same check and account number. You image the suspect's computer and open the evidence file with EnCase. You perform a text search for the account number and check number. Nothing returns on the search results. You perform a text search for all other information found on the printed checks and there is still nothing returned in the search results. You run a signature analysis and check the gallery. You cannot locate any graphical copies of the printed checks in the gallery. At this point, is it safe to say that the checks are not located on the suspect computer?

A. No. The images could be in an image format not viewable inside EnCase.
B. No. The images could be located in a compressed file.
C. No. The images could be embedded in a document.
D. No. The images could be in unallocated clusters.
E. All of the above.

Creating an image of a hard drive that was seized as evidence:

A. May be done by anyone because it is a relatively simple procedure.
B. May only be done by trained personnel because the process has the potential to alter the original evidence.
C. May only be done by computer scientists.
D. Should be done by the user, as they are most familiar with the hard drive.

What information in a FAT file system directory entry refers to the location of a file on the hard drive?

A. The file size
B. The file attributes
C. The starting cluster
D. The fragmentation settings