If a floppy diskette is in the drive, the computer will always boot to that drive before any other device.
A. False
B. True
What files are reconfigured or deleted by EnCase during the creation of an EnCase boot disk?
A. command.com
B. autoexec.bat
C. drvspace.bin
D. io.sys
A sector on a floppy disk is the same size as a sector on an NTFS-formatted hard drive.
A. False
B. True
When undeleting a file in the FAT file system, EnCase will check the _____________ to see if it has already been overwritten.
A. data on the hard drive
B. deletion table
C. directory entry
D. FAT
You are at an incident scene and determine that a computer contains evidence as described in the search warrant. When you seize the computer, you should:
A. Record nothing to avoid inaccuracies that might jeopardize the use of the evidence.
B. Record the location that the computer was recovered from.
C. Record the identity of the person(s) involved in the seizure.
D. Record the date and time the computer was seized.
An EnCase evidence file of a hard drive ________ be restored to another hard drive of equal or greater size.
A. can
B. cannot
If a hash analysis is run on a case, EnCase:
A. Will compute a hash value of the evidence file and begin a verification process.
B. Will generate a hash set for every file in the case.
C. Will compare the hash value of the files in the case to the hash library.
D. Will create a hash set to the user specifications.
You are examining a hard drive that has Windows XP installed as the operating system. You see a file that has a date and time in the deleted column. Where does that date and time come from?
A. Directory Entry
B. Master File Table
C. Info2 file
D. Inode Table
To generate an MD5 hash value for a file, EnCase:
A. Computes the hash value including the logical file and filename.
B. Computes the hash value including the physical file and filename.
C. Computes the hash value based on the logical file.
D. Computes the hash value based on the physical file.
Within EnCase for Windows, the search process is:
A. None of the above
B. both a and b
C. a search of the physical disk in unallocated clusters and other unused disk areas
D. a search of the logical files