GD0-100 Certification Exam For ENCE North America Questions and Answers

A compressed zip file.

A graphics file attached to an e-mail message.

A compound e-mail attachment.

A file format used in the printing process by Windows.

8

4

6

2

Directory Entry

Master File Table

Info2 file

Inode Table

The .SHD file

The .SPL file

Neither a or b

Both a and b

True

False

The user utilizes a text editor.

The case information cannot be changed in an evidence file, without causing the verification feature to report an error.

The user utilizes the case information editor within EnCase.

The evidence file is reacquired.

Computes the hash value including the logical file and filename.

Computes the hash value including the physical file and filename.

Computes the hash value based on the logical file.

Computes the hash value based on the physical file.

False

True

a search of the physical disk in unallocated clusters and other unused disk areas

a search of the logical files

None of the above

both a and b

The file signature is unknown and the header is a JPEG.

The file signature is a JPEG signature and the file extension is incorrect.

The file signature is unknown and the file extension is JPEG.

None of the above.

Both a and b

The partition scheme is not recognized by DOS.

Neither a or b

There are no partitions present.

The cluster is unallocated

The cluster is the end of a file

The cluster is allocated

The cluster is marked bad

The only drive on the computer.

The primary of two drives connected to one cable.

Whenever another drive is on the same cable and is pinned as a slave.

A SCSI drive is not pinned as a master.

Test the technique on simulated evidence in a controlled environment to confirm that the results are consistent.

Be trained in the employment of the technique.

Botha and b.

Neithera or b.

5

1

any number of

10

C:\Windows\History

C:\Windows\Start menu\Documents

C:\Windows\Documents

C:\Windows\Recent

It is zeroed out.

The first character of the directory entry is marked with a hex 00.

It is wiped from the directory.

The first character of the directory entry is marked with a hex E5.

Programs that are exported out of an evidence file.

Any program that will work with EnCase.

Any program that is loaded on the lab hard drive.

Programsthat are associated with EnCase to open specific file types.

False

True

The data taken from the starting cluster to the end of the last cluster that is occupied by the file.

A file including any RAM and disk slack.

A file including only RAM slack.

The data from the beginning of the starting cluster to the length of the file.

That cluster 10 is used and the file continues in cluster number 55.

That the file starts in cluster number 55 and continues to cluster number 10.

That there is a cross-linked file.

The cluster number 55 is the end of an allocated file.

Will compute a hash value of the evidence file and begin a verification process.

Will generate a hash set for every file in the case.

Will compare the hash value of the files in the case to the hash library.

Will create a hash set to the user specifications. Will create a hash set to the user?specifications.

True

False