Quiz by amandarackham, created over 1 year ago

EnCase computer security fundamentals quiz

Created by amandarackham over 9 years ago

EnCase

Question 1 of 20

You are a computer forensic examiner tasked with determining what evidence is on a seized computer. On what part of the computer system will you find data of evidentiary value?

Select one of the following possible answers:

  • Microprocessor or CPU

  • USB controller

  • Hard drive

  • PCI expansion slots


Question 2 of 20

You are a computer forensic examiner explaining how computers store and access the data you recovered during your examination. The evidence is a log file and was recovered as an artifact of user activity on the ___________, which was stored on the ____________, contained within a _____________ on the media.

Select one of the following possible answers:

  • Partition, operating system, file system.

  • Operating system, file system, partition.

  • File system, operating system, hard drive.

  • Operating system, partition, file system.


Question 3 of 20

You are a computer forensic examiner investigating a seized computer. You recovered a document
containing potential evidence. EnCase reports the file system on the forensic image of the
hard drive is FAT (File Allocation Table). What information about the document file can be
found in the FAT on the media? (Choose all that apply.)

Select one or more of the following possible answers:

  • Name of the file

  • Date and time stamps of the file

  • Starting cluster of the file

  • Fragmentation of the file

  • Ownership of the file


Question 4 of 20

You are a computer forensic examiner investigating media on a seized computer. You recovered
a document containing potential evidence. EnCase reports the file system on the forensic image
of the hard drive is NTFS (New Technology File System). What information about the document
file can be found in the NTFS master file table on the media? (Choose all that apply.)

Select one or more of the following possible answers:

  • Name of the file

  • Date and time stamps of the file

  • Starting cluster of the file

  • Fragmentation of the file

  • Ownership of the file


Question 5 of 20

You are preparing to lead a team to serve a search warrant on a business suspected of committing
large-scale consumer fraud. Ideally, which tasks would you assign to search team members?
(Choose all that apply.)

Select one or more of the following possible answers:

  • Photographer

  • Search and seizure specialists

  • Recorder

  • Digital evidence search and seizure specialists


Question 6 of 20

You are a computer forensic examiner at a scene and have determined you will seize a Linux
server, which according to your source of information, contains the database records for the
company under investigation for fraud. What is the best practice for “taking down” the server
for collection?

Select one of the following possible answers:

  • Photograph the screen and note any running programs or messages, etc., and use the normal
    shutdown procedure.

  • Photograph the screen and note any running programs or messages, etc., and pull the plug
    from the wall.

  • Photograph the screen and note any running programs or messages, etc., and pull the plug
    from the rear of the computer.

  • Photograph the screen and note any running programs or messages, etc., and ask the user at
    the scene to shut down the server.


Question 7 of 20

You are a computer forensic examiner at a scene and are authorized to only seize media that can be
determined to have evidence related to the investigation. What options do you have to determine
whether evidence is present before seizure and a full forensic examination? (Choose all that apply.)

Select one or more of the following possible answers:

  • Use a DOS boot floppy or CD to boot the machine and browse through the directory for
    evidence.

  • Use an EnCase boot floppy or CD to boot the machine into Linux and use LinEn to preview
    the hard drive through a crossover cable with EnCase for Windows.

  • Remove the subject hard drive from the machine and preview the hard drive in EnCase for
    Windows with a hardware write blocker like FastBloc.

  • Use an EnCase boot floppy or CD to boot the machine into DOS and use EnCase for DOS
    to preview the hard drive through a crossover cable with EnCase for Windows.


Question 8 of 20

You are a computer forensic examiner at a scene and have determined you will need to image
a hard drive in a workstation while onsite. What are your options for creating a forensically
sound image of the hard drive? (Choose all that apply.)

Select one or more of the following possible answers:

  • Use a DOS boot floppy or CD to boot the machine and use EnCase for DOS to image the
    subject hard drive to a second hard drive attached to the machine.

  • Use an EnCase boot floppy or CD to boot the machine into DOS and use EnCase for DOS
    to image the subject hard drive to a second hard drive attached to the machine.

  • Remove the subject hard drive from the machine and image the hard drive in EnCase for
    Windows with a hardware write blocker like FastBloc.

  • Use an EnCase boot floppy or CD to boot the machine into DOS and use EnCase for DOS
    to image the hard drive through a crossover cable with EnCase for Windows.


Question 9 of 20

You are a computer forensic examiner and have imaged a hard drive on site. Before you leave
the scene, you want to ensure the image completely verifies as an exact forensic duplicate of the
original. To verify the EnCase evidence file containing the image, you should:

Select one or more of the following possible answers:

  • Use a hex editor to compare a sample of sectors in the EnCase evidence file with that of the
    original.

  • Load the EnCase evidence files into EnCase for Windows, and after the verification is more
    than halfway completed, cancel the verification and spot-check the results for errors.

  • Load the EnCase evidence files into EnCase for DOS and verify the hash of those files.

  • Load the EnCase evidence files into EnCase for Windows, allow the verification process to
    finish, and then check the results for complete verification.


Question 10 of 20

You are a computer forensic examiner and need to verify the integrity of an EnCase evidence file.
To completely verify the file’s integrity, which of the following must be true?

Select one or more of the following possible answers:

  • The MD5 hash value must verify.

  • The CRC values and the MD5 hash value both must verify.

  • Either the CRC or MD5 hash values must verify.

  • The CRC values must verify.


Question 11 of 20

You are a computer forensic examiner and need to determine what files are contained within a
folder called Business documents. What EnCase pane will you use to view the names of the files
in the folder?

Select one or more of the following possible answers:

  • Tree pane

  • Table pane

  • View pane

  • Filter pane


Question 12 of 20

You are a computer forensic examiner and need to view the contents of a file contained within a
folder called Business documents. What EnCase pane will you use to view the contents of the file?

Select one or more of the following possible answers:

  • Tree pane

  • Table pane

  • View pane

  • Filter pane


Question 13 of 20

You are a computer forensic examiner and are viewing a file in an EnCase evidence file. With
your cursor, you have selected one character in the file. What binary term is used for the amount
of data that represents a single character?

Select one or more of the following possible answers:

  • A bit

  • A nibble

  • A byte

  • A word


Question 14 of 20

You are a computer forensic examiner and need to search for the name of a suspect in an EnCase evidence
file. You enter the name of the suspect into the EnCase keyword interface as John Doe. What
search hits will be found with this search term with the default settings? (Choose all that apply.)

Select one or more of the following possible answers:

  • John Doe

  • John D.

  • john doe

  • John.Doe


Question 15 of 20

You are a computer forensic examiner and need to determine if any Microsoft Office documents
have been renamed with image extensions to obscure their presence. What EnCase process
would you use to find such files?

Select one or more of the following possible answers:

  • File signature analysis

  • Recover Folders feature

  • File content search

  • File hash analysis


Question 16 of 20

You are a computer forensic examiner and want to reduce the number of files required for examination
by identifying and filtering out known good or system files. What EnCase process would
you use to identify such files?

Select one or more of the following possible answers:

  • File signature analysis

  • Recover Folders feature

  • File content search

  • File hash analysis


Question 17 of 20

You are a computer forensic examiner and want to determine if a user has opened or double-clicked
a file. What folder would you look in for an operating system artifact of this user activity?

Select one or more of the following possible answers:

  • Temp

  • Recent

  • Cookies

  • Desktop


Question 18 of 20

You are a computer forensic examiner and want to determine when a user deleted a file contained
in the Recycle Bin. In what file is the date and time information about the file deletion
contained?

Select one or more of the following possible answers:

  • Index.dat

  • Link file

  • INFO2

  • Deleted.ini


Question 19 of 20

You are a computer forensic examiner and want to determine how many times a program was
executed. Where would you find this information?

Select one or more of the following possible answers:

  • Temp folder

  • Registry

  • Recycle Bin

  • Program Files


Question 20 of 20

You are a computer forensic examiner and want to examine any e-mail sent and received by the
user of the computer system under investigation. What e-mail formats are supported by EnCase?
(Choose all that apply.)

Select one or more of the following possible answers:

  • Outlook

  • Outlook Express

  • America Online

  • Hotmail

  • Yahoo!

  • Mozilla Thunderbird
