
Guidance Software GD0-100 Certification Exam For ENCE North America Exam Practice Test

Demo: 26 questions
Total 176 questions

Certification Exam For ENCE North America Questions and Answers

Question 1

Select the appropriate name for the highlighted area of the binary numbers.

Options:

A.

Byte

B.

Dword

C.

Bit

D.

Word

E.

Nibble

Question 2

The following GREP expression was typed in exactly as shown. Choose the answer(s) that would result. 800[) \-]+555-1212

Options:

A.

(800) 555-1212

B.

800-555 1212

C.

8005551212

D.

800.555.1212

Question 3

What files are reconfigured or deleted by EnCase during the creation of an EnCase boot disk?

Options:

A.

command.com

B.

autoexec.bat

C.

drvspace.bin

D.

io.sys

Question 4

By default, what color does EnCase use for the contents of a logical file?

Options:

A.

Red

B.

Red on black

C.

Black

D.

Black on red

Question 5

Select the appropriate name for the highlighted area of the binary numbers.

Options:

A.

Bit

B.

Nibble

C.

Word

D.

Dword

E.

Byte

Question 6

Select the appropriate name for the highlighted area of the binary numbers.

Options:

A.

Word

B.

Dword

C.

Byte

D.

Nibble

E.

Bit

Question 7

RAM is used by the computer to:

Options:

A.

Execute the POST during start-up.

B.

Temporarily store electronic data that is being processed.

C.

Permanently store electronic data.

D.

Establish a connection with external devices.

Question 8

You are an investigator and have encountered a computer that is running at the home of a suspect. The computer does not appear to be a part of a network. The operating system is Windows XP Home. No programs are visibly running. You should:

Options:

A.

Pull the plug from the back of the computer.

B.

Turn it off with the power button.

C.

Pull the plug from the wall.

D.

Shut it down with the start menu.

Question 9

An EnCase evidence file of a hard drive ________ be restored to another hard drive of equal or greater size.

Options:

A.

can

B.

cannot

Question 10

A hash set would most accurately be described as:

Options:

A.

A group of hash libraries organized by category.

B.

A group of hash values that can be added to the hash library.

C.

A table of file headers and extensions.

D.

Both a and b.

Question 11

To later verify the contents of an evidence file:

Options:

A.

EnCase writes a CRC value for every 64 sectors copied.

B.

EnCase writes a CRC value for every 128 sectors copied.

C.

EnCase writes an MD5 hash value every 64 sectors copied.

D.

EnCase writes an MD5 hash value for every 32 sectors copied.

Question 12

Pressing the power button on a computer that is running could have which of the following results?

Options:

A.

The computer will instantly shut off.

B.

The computer will go into stand-by mode.

C.

Nothing will happen.

D.

All of the above could happen.

E.

The operating system will shut down normally.

Question 13

The default export folder remains the same for all cases.

Options:

A.

True

B.

False

Question 14

The following GREP expression was typed in exactly as shown. Choose the answer(s) that would result. Bob@ [a-z]+.com

Options:

A.

Bob@New zealand.com

B.

Bob@My-Email.com

C.

Bob@America.com

D.

Bob@a-z.com

Question 15

Assume that MyNote.txt was allocated to clusters 5, 9, and 11. Clusters 6, 7, and 8 belong to MyResume.doc. Both files have been deleted and the directory entry in the FAT file system for MyResume.doc has been overwritten. What clusters would EnCase use to undelete MyNote.txt?

Options:

A.

5,9,11

B.

5,6,7

C.

7,8,9

D.

6,7,8

Question 16

Which is the proper formula for determining the size in bytes of a hard drive that uses cylinders (C), heads (H), and sectors (S) geometry?

Options:

A.

C X H + S

B.

C X H X S + 512

C.

C X H X S X 512

D.

C X H X S

Question 17

You are conducting an investigation and have encountered a computer that is running in the field. The operating system is Windows XP. A software program is currently running and is visible on the screen. You should:

Options:

A.

Navigate through the program and see what the program is all about, then pull the plug.

B.

Pull the plug from the back of the computer.

C.

Photograph the screen and pull the plug from the back of the computer.

D.

Pull the plug from the wall.

Question 18

EnCase can build a hash set of a selected group of files.

Options:

A.

True

B.

False

Question 19

A SCSI host adapter would most likely perform which of the following tasks?

Options:

A.

Configure the motherboard settings to the BIOS.

B.

Set up the connection of IDE hard drives.

C.

Make SCSI hard drives and other SCSI devices accessible to the operating system.

D.

None of the above.

Question 20

In Windows 98 and ME, Internet-based e-mail, such as Hotmail, will most likely be recovered in the _____________________ folder.

Options:

A.

C:\Windows\Online\Applications\email

B.

C:\Windows\Temporary Internet files

C.

C:\Windows\History\Email

D.

C:\Windows\Temp

Question 21

When a file is deleted in the FAT or NTFS file systems, what happens to the data on the hard drive?

Options:

A.

Nothing

B.

It is moved to a special area.

C.

It is overwritten with zeroes.

D.

The file header is marked with a Sigma so the file is not recognized by the operating system.

Question 22

The boot partition table found at the beginning of a hard drive is located in what sector?

Options:

A.

Volume boot sector

B.

Master boot record

C.

Master file table

D.

Volume boot record

Question 23

In Unicode, one printed character is composed of ____ bytes of data.

Options:

A.

8

B.

4

C.

2

D.

1

Question 24

If cluster number 10 in the FAT contains the number 55, this means:

Options:

A.

That cluster 10 is used and the file continues in cluster number 55.

B.

That the file starts in cluster number 55 and continues to cluster number 10.

C.

That there is a cross-linked file.

D.

The cluster number 55 is the end of an allocated file.

Question 25

You are examining a hard drive that has Windows XP installed as the operating system. You see a file that has a date and time in the deleted column. Where does that date and time come from?

Options:

A.

Directory Entry

B.

Master File Table

C.

Info2 file

D.

Inode Table

Question 26

How are the results of a signature analysis examined?

Options:

A.

By sorting on the category column in the Table view.

B.

By sorting on the signature column in the Table view.

C.

By sorting on the hash sets column in the Table view.

D.

By sorting on the hash library column in the Table view.
