What are the EnCase configuration .ini files used for?
A. Storing information that will be available to EnCase each time it is opened, regardless of the active case(s).
B. Storing the results of a signature analysis.
C. Storing pointers to acquired evidence.
D. Storing information that is specific to a particular case.
In the EnCase environment, the term xternal viewers?is best described as: In the EnCase environment, the term ?xternal viewers?is best described as:
A. Programs that are exported out of an evidence file.
B. Programsthat are associated with EnCase to open specific file types.
C. Any program that will work with EnCase.
D. Any program that is loaded on the lab hard drive.
What information in a FAT file system directory entry refers to the location of a file on the hard drive?
A. The starting cluster
B. The fragmentation settings
C. The file attributes
D. The file size
Select the appropriate name for the highlighted area of the binary numbers.
A. Nibble
B. Byte
C. Dword
D. Bit
E. Word
Bookmarks are stored in which of the following files?
A. All of the above
B. The case file
C. The evidence file
D. The configuration Bookmarks.ini file
To undelete a file in the FAT file system, EnCase computes the number of the file will use based on the file .
A. Clusters; file size
B. Sectors; file size
C. Clusters; starting extent
D. Sectors; starting extent
In Windows 98 and ME, Internet based e-mail, such as Hotmail, will most likely be recovered in the folder.
A. C:\Windows\Online\Applications\email
B. C:\Windows\Temp
C. C:\Windows\Temporary Internet files
D. C:\Windows\History\Email
How does EnCase verify that the evidence file contains an exact copy of the suspect hard drive?
A. By means of a CRC value of the suspect hard drive compared to a CRC value of the data stored in the evidence file. By means of a CRC value of the suspect hard drive compared to a CRC value of the data stored in the evidence file.
B. By means of a CRC value of the evidence file itself.
C. By means of an MD5 hash of the suspect hard drive compared to an MD5 hash of the data stored in the evidence file. By means of an MD5 hash of the suspect hard drive compared to an MD5 hash of the data stored in the evidence file.
D. By means of an MD5 hash value of the evidence file itself.
The first sector on a hard drive is called the:
A. Volume boot record
B. Volume boot sector
C. Master boot record
D. Master file table
A sector on a hard drive contains how many bytes?
A. 2048
B. 1024
C. 4096
D. 512