When previewing a physical drive on a local machine with FTK Imager, which statement is true?
A. FTK Imager can block calls to interrupt 13h and prevent writes to suspect media.
B. FTK Imager can operate from a USB drive, thus preventing writes to suspect media.
C. FTK Imager can operate via a DOS boot disk, thus preventing writes to suspect media.
D. FTK Imager should always be used in conjunction with a hardware write protect device to prevent writes to suspect media.
During the execution of a search warrant, you image a suspect drive using FTK Imager and store the Raw (dd) image files on a portable drive. Later, these files are transferred to a server for storage. How do you verify that the information stored on the server is unaltered?
A. open and view the Summary file
B. load the image into FTK and it automatically performs file verification
C. in FTK Imager, use the Verify Drive/Image function to automatically compare a calculated hash with a stored hash
D. use FTK Imager to create a verification hash and manually compare that value to the value stored in the Summary file
While analyzing unallocated space, you locate what appears to be a 64-bit Windows date and time. Which FTK Imager feature allows you to display the information as a date and time?
A. INFO2 Filter
B. Base Converter
C. Metadata Parser
D. Hex Value Interpreter
In which Overview tab container are HTML files classified?
A. Archive container
B. Java Code container
C. Documents container
D. Internet Files container
Which statement is true about Processes to Perform in FTK?
A. Processing options can be chosen only when adding evidence.
B. Processing options can be chosen during or after adding evidence.
C. Processing options can be chosen only after evidence has been added.
D. If processing is not performed while adding evidence, the case must be started again.
Which two options are available in the FTK Report Wizard? (Choose two.)
A. List by File Path
B. List File Properties
C. Include HTML File Listing
D. Include PRTK Output List
In PRTK, which type of attack uses word lists?
A. dictionary attack
B. key space attack
C. brute-force attack
D. rainbow table attack
What is the purpose of the Golden Dictionary?
A. maintains previously created level information
B. maintains previously created profile information
C. maintains a list of the 100 most likely passwords
D. maintains previously recovered passwords
You are attempting to access data from the Protected Storage System Provider (PSSP) area of a registry. How do you accomplish this using PRTK?
A. You drop the SAM file onto the PRTK interface.
B. You drop the NTUSER.dat file onto the PRTK interface.
C. You use the PSSP Attack Marshal from Registry Viewer.
D. This area cannot be accessed with PRTK as it is a registry file.
In FTK, a user may alter the alert or ignore status of individual hash sets within the active KFF. Which utility is used to accomplish this?
A. KFF Alert Editor
B. ADKFF Library Selector
C. Hash Database File Selector
D. Hash Database Recovery Engine