Black Friday Special Limited Time 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: 70special

Examstrust Logo
examstrust mcafee
  1. Home
  2. Guidance Software
  3. EnCE
  4. GD0-110 - Certification Exam for EnCE Outside North America

Guidance Software GD0-110 Certification Exam for EnCE Outside North America Exam Practice Test

Page: 1 / 17
Total 174 questions
Get GD0-110 Full Access Download GD0-110 PDF

Certification Exam for EnCE Outside North America Questions and Answers

Testing Engine

  • Product Type: Testing Engine
$37.5  $124.99
Add to Cart

PDF + Testing Engine

  • Product Type: PDF + Testing Engine
$52.5  $174.99
Add to Cart

PDF Study Guide

  • Product Type: PDF Study Guide
$33  $109.99
Add to Cart
Question 1

A suspect typed a file on his computer and saved it to a floppy diskette. The filename was MyNote.txt. You receive the floppy and the suspect's computer. The suspect denies that the floppy disk belongs to him. You search the suspect's computer and locate only the filename within a .LNK file. The .LNK file is located in the folder C:\Windows\Recent. How you would use the .LNK file to establish a connection between the file on the floppy diskette and the suspect computer?

Options:

A.

The dates and time of the file found in the .LNK file, at file offset 28

B.

The full path of the file, found in the .LNK file

C.

The file signature found in the .LNK file

D.

Both a and b

Question 2

The boot partition table found at the beginning of a hard drive is located in what sector?

Options:

A.

Volume boot record

B.

Master boot record

C.

Master file table

D.

Volume boot sector

Question 3

Search terms are stored in what .ini configuration file?

Options:

A.

FileTypes.ini

B.

FileSignatures.ini

C.

Keywords.ini

D.

TextStyle.ini

Question 4

You are at an incident scene and determine that a computer contains evidence as described in the search warrant. When you seize the computer, you should:

Options:

A.

Record the location that the computer was recovered from.

B.

Record the identity of the person(s) involved in the seizure.

C.

Record the date and time the computer was seized.

D.

Record nothing to avoid inaccuracies that might jeopardize the use of the evidence.

Question 5

Which of the following selections is NOT found in the case file?

Options:

A.

External viewers

B.

Pointers to evidence files

C.

Signature analysis results

D.

Search results

Question 6

Which of the following statements is more accurate?

Options:

A.

The Recycle Bin increases the chance of locating the existence of a file on a computer.

B.

The Recycle Bin reduces the chance of locating the existence of a file on a computer.

Question 7

How are the results of a signature analysis examined?

Options:

A.

By sorting on the signature column in the table view.

B.

By sorting on the hash library column in the table view.

C.

By sorting on the hash sets column in the table view

D.

By sorting on the category column in the table view.

Question 8

A CPU is:

Options:

A.

An entire computer box, not including the monitor and other attached peripheral devices.

B.

A motherboard with all required devices connected.

C.

A Central Programming Unit.

D.

A chip that would be considered the brain of a computer, which is installed on a motherboard.

Question 9

This question addresses the EnCase for Windows search process. If a target word is located in the unallocated space, and the word is fragmented between clusters 10 and 15, the search:

Options:

A.

Will not find it because the letters of the keyword are not contiguous.

B.

Will not find it unless ile fslack is checked on the search dialog box.

C.

Will find it because EnCase performs a logical search.

D.

Will not find it because EnCase performs a physical search only.

Question 10

When an EnCase user double-clicks on a valid .jpg file, that file is:

Options:

A.

Copied to the EnCase specified temp folder and opened by an associated program.

B.

Copied to the default export folder and opened by an associated program.

C.

Opened by EnCase.

D.

Renamed to JPG_0001.jpg and copied to the default export folder.

Question 11

When Unicode is selected for a search keyword, EnCase:

Options:

A.

Will only find the keyword if it is Unicode.

B.

Will find the keyword if it is either Unicode or ASCII.

C.

Unicode is not a search option for EnCase.

D.

None of the above.

Question 12

The following GREP expression was typed in exactly as shown. Choose the answer(s) that would result. Jan 1 st , 2?0?00

Options:

A.

Jan 1st, 1900

B.

Jan 1st, 2000

C.

Jan 1st, 2001

D.

Jan 1st, 2100

Question 13

Before utilizing an analysis technique on computer evidence, the investigator should:

Options:

A.

Be trained in the employment of the technique.

B.

Test the technique on simulated evidence in a controlled environment to confirm that the results are consistent.

C.

Both a and b.

D.

Neither a or b.

Question 14

How many clusters can a FAT 16 system address?

Options:

A.

4,096

B.

65,536

C.

268,435,456

D.

4,294,967,296

Question 15

A SCSI drive is pinned as a master when it is:

Options:

A.

The only drive on the computer.

B.

The primary of two drives connected to one cable.

C.

A SCSI drive is not pinned as a master.

D.

Whenever another drive is on the same cable and is pinned as a slave.

Question 16

4 bits allows what number of possibilities?

Options:

A.

2

B.

4

C.

8

D.

16

Question 17

In Windows, the file MyNote.txt is deleted from C Drive and is automatically sent to the recycle Bin. The long filename was MyNote.txt and the short filename was MYNOTE.TXT. When viewing the recycle Bin with EnCase, how will the long filename and short filename appear?

Options:

A.

MyNote.del, DC0.del

B.

MyNote.txt, CD0.txt

C.

MyNote.txt, DC0.txt

D.

MyNote.del, DC1.del

Question 18

The end of a logical file to the end of the cluster that the file ends in is called:

Options:

A.

Unallocated space

B.

Allocated space

C.

Available space

D.

Slack

Question 19

The default export folder remains the same for all cases.

Options:

A.

True

B.

False

Question 20

Select the appropriate name for the highlighted area of the binary numbers.

Options:

A.

Word

B.

Nibble

C.

Bit

D.

Dword

E.

Byte

Question 21

A physical file size is:

Options:

A.

The total size in bytes of a logical file.

B.

The total size in sectors of an allocated file.

C.

The total size of all the clusters used by the file measured in bytes.

D.

The total size of the file including the ram slack in bytes.

Question 22

Which of the following aspects of the EnCase evidence file can be changed during a reacquire of the evidence file?

Options:

A.

The investigator name

B.

The evidence number

C.

The acquisition notes

D.

None of the above

Question 23

If an evidence file has been added to a case and completely verified, what happens if the data area within the evidence file is later changed?

Options:

A.

EnCase will detect the error when that area of the evidence file is accessed by the user.

B.

EnCase detect the error if the evidence file is manually re-verified.

C.

EnCase will allow the examiner to continue to access the rest of the evidence file that has not been changed.

D.

All of the above.

Question 24

All investigators using EnCase should run tests on the evidence file acquisition and verification process to:

Options:

A.

Further the investigator understanding of the evidence file.

B.

Give more weight to the investigator testimony in court.

C.

Insure that the investigator is using the proper method of acquisition.

D.

All of the above.

Question 25

Search terms are case sensitive by default.

Options:

A.

True

B.

False

Question 26

The following keyword was typed in exactly as shown. Choose the answer(s) that would result. All search criteria have default settings. Speed and Meth

Options:

A.

Speed

B.

Meth

C.

Speed and Meth

D.

Meth Speed

Load More GD0-110 Questions
Page: 1 / 17
Total 174 questions
Get GD0-110 Full Access Download GD0-110 PDF