GD0-110 Certification Exam for EnCE Outside North America Questions and Answers

This question addresses the EnCase for Windows search process. If a target word is within a logical file, and it begins in cluster 10 and ends in cluster 15 (the word is fragmented), the search:

The following GREP expression was typed in exactly as shown. Choose the answer(s) that would result. [^a-z]Tom[^a-z]

You are investigating a case involving fraud. You seized a computer from a suspect who stated that the computer is not used by anyone other than himself. The computer has Windows 98 installed on the hard drive. You find the filename C:\downloads\check01.jpg?that EnCase shows as being moved. The starting extent is 0C4057. You find another filename C:\downloads\chk1.dll with the starting extent 0C4057, which EnCase also shows as being moved. In the C:\windows\System folder you find an allocated file named chk1.dll with the starting extent 0C4057. The chk1.dll file is a JPEG image of a counterfeit check. Could this information be used to refute the suspect claim that he never knew it was on the computer?

A sector on a floppy disk is the same size as a sector on a NTFS formatted hard drive.

An evidence file can be moved to another directory without changing the file verification.

A standard Windows 98 boot disk is acceptable for booting a suspect drive.

Search terms are case sensitive by default.

A signature analysis has been run on a case. The result ?*JPEG ?in the signature column means:

To later verify the contents of an evidence file?

Within EnCase, what is purpose of the default export folder?

A personal data assistant was placed in a evidence locker until an examiner has time to examine it. Which of the following areas would require special attention?

How many clusters can a FAT 16 system address?

RAM is used by the computer to:

Which of the following is commonly used to encode e-mail attachments?

What information in a FAT file system directory entry refers to the location of a file on the hard drive?

In the EnCase environment, the term uxternal viewers is best described as:

Assume that an evidence file is added to a case, the case is saved, and the case is closed. What happens if the evidence file is moved, and the case is then opened?

In DOS and Windows, how many bytes are in one FAT directory entry?

Which of the following is found in the FileSignatures.ini configuration file?

Which of the following selections is NOT found in the case file?

Calls to the C:\ volume of the hard drive are not made by DOS when a computer is booted with a standard DOS 6.22 boot disk.

Which of the following selections would be used to keep track of a fragmented file in the FAT file system?