An evidence file was archived onto five CD-ROM disks with the third file segment on disk number three. Can the contents of the third file segment be verified by itself while still on the CD?
You are working in a computer forensic lab. A law enforcement investigator brings you a computer and a valid search warrant. You have legal authority to search the computer. The investigator hands you a piece of paper that has three printed checks on it. All three checks have the same check and account number. You image the suspect's computer and open the evidence file with EnCase. You perform a text search for the account number and check number. Nothing returns on the search results. You perform a text search for all other information found on the printed checks and there is still nothing returned in the search results. You run a signature analysis and check the gallery. You cannot locate any graphical copies of the printed checks in the gallery. At this point, is it safe to say that the checks are not located on the suspect computer?
Changing the filename of a file will change the hash value of the file.
The following GREP expression was typed in exactly as shown. Choose the answer(s) that would result. Bob@[a-z]+.com
By default, what color does EnCase use for slack?
The following GREP expression was typed in exactly as shown. Choose the answer(s) that would result. Jan 1 st , 2?0?00
The terms signature and header as they relate to a signature analysis are:
The EnCase case file can be best described as:
In Windows, the file MyNote.txt is deleted from C Drive and is automatically sent to the Recycle Bin. The long filename was MyNote.txt and the short filename was MYNOTE.TXT. When viewing the Recycle Bin with EnCase, how will the long filename and short filename appear?
When does the POST operation occur?
The boot partition table found at the beginning of a hard drive is located in what sector?
A physical file size is:
In the EnCase environment, the term external viewers is best described as:
If cluster #3552 entry in the FAT table contains a value of this would mean:
When can an evidence file containing a NTFS partition be logically restored to a FAT 32 partition?
Select the appropriate name for the highlighted area of the binary numbers.
To later verify the contents of an evidence file?
You are investigating a case involving fraud. You seized a computer from a suspect who stated that the computer is not used by anyone other than himself. The computer has Windows 98 installed on the hard drive. You find the filename C:\downloads\check01.jpg that EnCase shows as being moved. The starting extent is 0C4057. You find another filename C:\downloads\chk1.dll with the starting extent 0C4057, which EnCase also shows as being moved. In the C:\windows\System folder you find an allocated file named chk1.dll with the starting extent 0C4057. The chk1.dll file is a JPEG image of a counterfeit check. Could this information be used to refute the suspect's claim that he never knew it was on the computer?
The temporary folder of a case cannot be changed once it has been set.
GREP terms are automatically recognized as GREP by EnCase.
EnCase marks a file as overwritten when _____________ has been allocated to another file.
To generate an MD5 hash value for a file, EnCase:
A standard DOS 6.22 boot disk is acceptable for booting a suspect drive.
A logical file would be best described as:
You are at an incident scene and determine that a computer contains evidence as described in the search warrant. When you seize the computer, you should:
When a non-compressed evidence file is reacquired with compression, the acquisition and verification hash values for the evidence will remain the same for both files.