
Guidance Software GD0-100 Certification Exam For ENCE North America Exam Practice Test

Page: 1 / 18
Total 176 questions

Certification Exam For ENCE North America Questions and Answers

Question 1

4 bits allows what number of possibilities?

Options:

A.

16

B.

4

C.

2

D.

8

Question 2

You are investigating a case of child pornography on a hard drive containing Windows XP. In the C:\Documents and Settings\Bad Guy\Local Settings\Temporary Internet Files folder you find three images of child pornography. You find no other copies of the images on the suspect hard drive, and you find no other copies of the filenames. What can be deduced from your findings?

Options:

A.

The presence and location of the images is not strong evidence of possession.

B.

The presence and location of the images is strong evidence of possession.

C.

The presence and location of the images proves the images were intentionally downloaded.

D.

Both a and c

Question 3

You are assigned to assist with the search and seizure of several computers. The magistrate ordered that the computers cannot be seized unless they are found to contain any one of ten previously identified images. You currently have the ten images in JPG format. Using the EnCase methodology, how would you best handle this situation?

Options:

A.

Use FastBloc or a network/parallel port cable to preview the hard drives. Go to the Gallery view and search for the previously identified images.

B.

Use FastBloc or a network/parallel port cable to acquire forensic images of the hard drives, then search the evidence files for the previously identified images.

C.

Use FastBloc or a network/parallel port cable to preview the hard drives. Conduct a hash analysis of the files on the hard drives, using a hash library containing the hash values of the previously identified images.

D.

Use an EnCase DOS boot disk to conduct a text search for child porn.

Question 4

RAM is an acronym for:

Options:

A.

Random Addressable Memory

B.

Relative Addressable Memory

C.

Random Access Memory

D.

Relative Address Memory

Question 5

A FAT directory has a logical size of:

Options:

A.

0 bytes

B.

One cluster

C.

128 bytes

D.

64 bytes

Question 6

A case file can contain ____ hard drive images?

Options:

A.

5

B.

1

C.

any number of

D.

10

Question 7

By default, what color does EnCase use for the contents of a logical file?

Options:

A.

Red

B.

Red on black

C.

Black

D.

Black on red

Question 8

You are examining a hard drive that has Windows XP installed as the operating system. You see a file that has a date and time in the deleted column. Where does that date and time come from?

Options:

A.

Directory Entry

B.

Master File Table

C.

Info2 file

D.

Inode Table

Question 9

Which of the following aspects of the EnCase evidence file can be changed during a reacquire of the evidence file?

Options:

A.

The evidence number

B.

The acquisition notes

C.

The investigator name

D.

None of the above

Question 10

The EnCase signature analysis is used to perform which of the following actions?

Options:

A.

Analyzing the relationship of a file signature to its file extension.

B.

Analyzing the relationship of a file signature to its file header.

C.

Analyzing the relationship of a file signature to a list of hash sets.

D.

Analyzing the relationship of a file signature to its computed MD5 hash value.

Question 11

Hash libraries are commonly used to:

Options:

A.

Compare a file header to a file extension.

B.

Identify files that are already known to the user.

C.

Compare one hash set with another hash set.

D.

Verify the evidence file.

Question 12

A hash library would most accurately be described as:

Options:

A.

A master table of file headers and extensions.

B.

A file containing hash values from one or more selected hash sets.

C.

Both a and b.

D.

A list of all the MD5 hash values used to verify the evidence files.

Question 13

A file extension and signature can be manually added by:

Options:

A.

Using the new library feature under hash libraries.

B.

Right-clicking on a file and selecting "Add."

C.

Using the new set feature under hash sets.

D.

Using the new file signature feature under file signatures.

Question 14

During the power-up sequence, which of the following happens first?

Options:

A.

The boot sector is located on the hard drive.

B.

The Power On Self-Test.

C.

The floppy drive is checked for a diskette.

D.

The BIOS on an add-in card is executed.

Question 15

RAM is tested during which phase of the power-up sequence?

Options:

A.

Pre-POST

B.

After POST

C.

During POST

D.

None of the above.

Question 16

In Unicode, one printed character is composed of ____ bytes of data.

Options:

A.

8

B.

4

C.

2

D.

1

Question 17

When a file is deleted in the FAT file system, what happens to the FAT?

Options:

A.

The FAT entries for that file are marked as allocated.

B.

Nothing.

C.

It is deleted as well.

D.

The FAT entries for that file are marked as available.

Question 18

The EnCase evidence file is best described as:

Options:

A.

A clone of the source hard drive.

B.

A sector-by-sector copy of the source hard drive written to the corresponding sectors of the target hard drive.

C.

A bit stream image of the source hard drive written to a file, or several file segments.

D.

A bit stream image of the source hard drive written to the corresponding sectors of the target hard drive.

Question 19

When a file is deleted in the FAT file system, what happens to the filename?

Options:

A.

It is zeroed out.

B.

The first character of the directory entry is marked with a hex 00.

C.

It is wiped from the directory.

D.

The first character of the directory entry is marked with a hex E5.

Question 20

Bookmarks are stored in which of the following files?

Options:

A.

The case file

B.

The evidence file

C.

The configuration Bookmarks.ini file

D.

All of the above

Question 21

Searches and bookmarks are stored in the evidence file.

Options:

A.

False

B.

True

Question 22

A sector on a hard drive contains how many bytes?

Options:

A.

2048

B.

4096

C.

1024

D.

512

Question 23

When handling computer evidence, an investigator should:

Options:

A.

Make any changes to the evidence that will further the investigation.

B.

Avoid making any changes to the original evidence.

C.

Both a and b

D.

Neither a or b

Question 24

The EnCase methodology dictates that the lab drive for evidence have a __________ prior to making an image.

Options:

A.

FAT 16 partition

B.

NTFS partition

C.

unique volume label

D.

bare, unused partition

Question 25

Before utilizing an analysis technique on computer evidence, the investigator should:

Options:

A.

Test the technique on simulated evidence in a controlled environment to confirm that the results are consistent.

B.

Be trained in the employment of the technique.

C.

Both a and b.

D.

Neither a or b.

Question 26

A hard drive has 8 sectors per cluster. File Mystuff.doc has a logical file size of 13,000 bytes. How many clusters will be used by Mystuff.doc?

Options:

A.

4

B.

1

C.

2

D.

3
