
GD0-110 Questions and Answers

Question # 6

The FAT in the File Allocation Table file system keeps track of:

A. File fragmentation

B. Every addressable cluster on the partition

C. Clusters marked as bad

D. All of the above.

Question # 7

This question addresses the EnCase for Windows search process. If a target word is within a logical file, and it begins in cluster 10 and ends in cluster 15 (the word is fragmented), the search:

A. Will not find it because the letters of the keyword are not contiguous.

B. Will not find it unless File slack is checked on the search dialog box.

C. Will find it because EnCase performs a logical search.

D. Will not find it because EnCase performs a physical search only.

Question # 8

ROM is an acronym for:

A. Read Only Memory

B. Random Open Memory

C. Relative Open Memory

D. Read Open Memory

Question # 9

Which of the following selections would be used to keep track of a fragmented file in the FAT file system?

A. The File Allocation Table

B. The directory entry for the fragmented file

C. The partition table of extents

D. All of the above

Question # 10

GREP terms are automatically recognized as GREP by EnCase.

A. True

B. False

Question # 11

Pressing the power button on a computer that is running could have which of the following results?

A. The operating system will shut down normally.

B. The computer will instantly shut off.

C. The computer will go into stand-by mode.

D. Nothing will happen.

E. All of the above could happen.

Question # 12

If an evidence file has been added to a case and completely verified, what happens if the data area within the evidence file is later changed?

A. EnCase will detect the error when that area of the evidence file is accessed by the user.

B. EnCase will detect the error if the evidence file is manually re-verified.

C. EnCase will allow the examiner to continue to access the rest of the evidence file that has not been changed.

D. All of the above.

Question # 13

A hash library would most accurately be described as:

A. A file containing hash values from one or more selected hash sets.

B. A master table of file headers and extensions.

C. A list of all the MD5 hash values used to verify the evidence files.

D. Both a and b.

Question # 14

The Unicode system can address ____ characters?

A. 256

B. 1024

C. 16,384

D. 65,536

Question # 15

How does EnCase verify that the case information (Case Number, Evidence Number, Investigator Name, etc.) in an evidence file has not been damaged or changed, after the evidence file has been written?

A. The .case file writes a CRC value for the case information and verifies it when the case is opened.

B. EnCase does not verify the case information and case information can be changed by the user as it becomes necessary.

C. EnCase writes a CRC value of the case information and verifies the CRC value when the evidence is added to a case.

D. EnCase writes an MD5 hash value for the entire evidence file, which includes the case information, and verifies the MD5 hash when the evidence is added to a case.

Question # 16

Assume that MyNote.txt has been deleted. The FAT file system directory entry for that file has been overwritten. The data for MyNote.txt is now:

A. Allocated

B. Overwritten

C. Unallocated

D. Cross-linked

Question # 17

EnCase can make an image of a USB flash drive.

A. True

B. False

Question # 18

You are working in a computer forensic lab. A law enforcement investigator brings you a computer and a valid search warrant. You have legal authority to search the computer. The investigator hands you a piece of paper that has three printed checks on it. All three checks have the same check and account number. You image the suspect's computer and open the evidence file with EnCase. You perform a text search for the account number and check number. Nothing returns on the search results. You perform a text search for all other information found on the printed checks and there is still nothing returned in the search results. You run a signature analysis and check the gallery. You cannot locate any graphical copies of the printed checks in the gallery. At this point, is it safe to say that the checks are not located on the suspect computer?

A. No. The images could be in an image format not viewable inside EnCase.

B. No. The images could be located in a compressed file.

C. No. The images could be embedded in a document.

D. No. The images could be in unallocated clusters.

E. All of the above.

Question # 19

What files are reconfigured or deleted by EnCase during the creation of an EnCase boot disk?

A. command.com

B. io.sys

C. drvspace.bin

D. autoexec.bat

Question # 20

When a file is deleted in the FAT file system, what happens to the FAT?

A. It is deleted as well.

B. Nothing.

C. The FAT entries for that file are marked as allocated.

D. The FAT entries for that file are marked as available.

Question # 21

For an EnCase evidence file acquired with a hash value to pass verification, which of the following must be true?

A. The CRC values and the MD5 hash value both must verify.

B. The MD5 hash value must verify.

C. Either the CRC or MD5 hash values must verify.

D. The CRC values must verify.

Question # 22

A signature analysis has been run on a case. The result "*JPEG" in the signature column means:

A. The file signature is unknown and the file extension is JPEG.

B. The file signature is unknown and the header is a JPEG.

C. The file signature is a JPEG signature and the file extension is incorrect.

D. None of the above.

Question # 23

Consider the following path in a FAT file system: C:\My Documents\My Pictures\Bikes. Where does the directory Bikes receive its name?

A. From the My Pictures directory

B. From itself

C. From the root directory c:\

D. From the My Documents directory

Question # 24

Select the appropriate name for the highlighted area of the binary numbers.

A. Word

B. Nibble

C. Bit

D. Dword

E. Byte

Question # 25

To undelete a file in the FAT file system, EnCase obtains the starting extent from the:

A. FAT

B. File header

C. Operating system

D. Directory entry

Question # 26

A CPU is:

A. An entire computer box, not including the monitor and other attached peripheral devices.

B. A motherboard with all required devices connected.

C. A Central Programming Unit.

D. A chip that would be considered the brain of a computer, which is installed on a motherboard.
