A.  

It is deleted as well.

B.  

Nothing.

C.  

The FAT entries for that file are marked as allocated.

D.  

The FAT entries for that file are marked as available.

A.  

True

B.  

False

A.  

Record the location that the computer was recovered from.

B.  

Record the identity of the person(s) involved in the seizure.

C.  

Record the date and time the computer was seized.

D.  

Record nothing to avoid inaccuracies that might jeopardize the use of the evidence.

A.  

An entire computer box, not including the monitor and other attached peripheral devices.

B.  

A motherboard with all required devices connected.

C.  

A Central Programming Unit.

D.  

A chip that would be considered the brain of a computer, which is installed on a motherboard.

A.  

800.555.1212

B.  

8005551212

C.  

800-555 1212

D.  

(800) 555-1212

A.  

The boot sector is located on the hard drive.

B.  

The power On Self-Test.

C.  

The floppy drive is checked for a diskette.

D.  

The BIOS on an add-in card is executed.

A.  

The File Allocation Table

B.  

The directory entry for the fragmented file

C.  

The partition table of extents

D.  

All of the above

A.  

The open case file

B.  

The configuration .ini files

C.  

The evidence files

D.  

All of the above

A.  

True

B.  

False

A.  

Storing information that is specific to a particular case.

B.  

Storing information that will be available to EnCase each time it is opened, regardless of the active case(s).

C.  

Storing pointers to acquired evidence.

D.  

Storing the results of a signature analysis.

A.  

C:\Windows\Users

B.  

C:\Personnel Folders

C.  

C:\Documents and Settings

D.  

C:\WINNT\Profiles

A.  

32 bit

B.  

64 bit

C.  

128 bit

D.  

256 bit

A.  

File fragmentation

B.  

Every addressable cluster on the partition

C.  

Clusters marked as bad

D.  

All of the above.

A.  

1

B.  

5

C.  

10

D.  

any number of

A.  

No. All file segments must be put back together.

B.  

Yes. Any segment of an evidence file can be verified through re-computing and comparing the CRCs, even if it is on a CD.

C.  

No. EnCase cannot verify files on CDs.

D.  

No. Archived files are compressed and cannot be verified until un-archived.

A.  

True

B.  

False

A.  

True

B.  

False

A.  

Stomp

B.  

Tomato

C.  

Tom

D.  

Toms

A.  

Conduct a physical search of the hard drive and bookmark any evidence.

B.  

Use the add Partition feature to rebuild the partition and then examine the system.

C.  

Use the recovered Deleted Partitions feature and then examine the system.

D.  

EnCase will not see a drive that has been fdisked.

A.  

Credit

B.  

Card

C.  

Credit Card

D.  

credit card

A.  

The video caching information

B.  

The port assigned to the serial port

C.  

The date and time

D.  

The boot sequence

A.  

A global setting that can be changed.

B.  

A case-specific setting that can be changed.

C.  

A global setting that cannot be changed.

D.  

A case-specific setting that cannot be changed.

A.  

That there is a cross-linked file.

B.  

That cluster 10 is used and the file continues in cluster number 55.

C.  

The cluster number 55 is the end of an allocated file.

D.  

That the file starts in cluster number 55 and continues to cluster number 10.

A.  

The case file

B.  

The configuration Bookmarks.ini file

C.  

The evidence file

D.  

All of the above

A.  

A group of hash libraries organized by category.

B.  

A table of file headers and extensions.

C.  

A group of hash values that can be added to the hash library.

D.  

Both a and b.

A.  

500 MB

B.  

1000 MB

C.  

1500 MB

D.  

2000 MB

E.  

There is no limit.