GD0-110 Sample Questions Answers

The following keyword was typed in exactly as shown. Choose the answer(s) that would be found. All search criteria have default settings. Tom

Select the appropriate name for the highlighted area of the binary numbers.

When a drive letter is assigned to a logical volume, that information is temporarily written the volume boot record on the hard drive.

The EnCase case file can be best described as:

A sector on a hard drive contains how many bytes?

A file extension and signature can be manually added by:

Search terms are case sensitive by default.

The EnCase default export folder is:

In Windows 2000 and XP, which of the following directories contain user personal folders?

4 bits allows what number of possibilities?

A standard Windows 98 boot disk is acceptable for booting a suspect drive.

An evidence file was archived onto five CD-Rom disks with the third file segment on disk number three. Can the contents of the third file segment be verified by itself while still on the CD?

How many clusters can a FAT 16 system address?

The default export folder remains the same for all cases.

The end of a logical file to the end of the cluster that the file ends in is called:

During the power-up sequence, which of the following happens first?

If cluster number 10 in the FAT contains the number 55, this means:

Select the appropriate name for the highlighted area of the binary numbers.

By default, what color does EnCase use for the contents of a logical file?

To undelete a file in the FAT file system, EnCase obtains the starting extent from the:

Assume that MyNote.txt has been deleted. The FAT file system directory entry for that file has been overwritten. The data for MyNote.txt is now:

When an EnCase user double-clicks on a file within EnCase what determines the action that will result?

EnCase can build a hash set of a selected group of files.

When a document is printed using EMF in Windows, what file(s) are generated in the spooling process?

You are investigating a case involving fraud. You seized a computer from a suspect who stated that the computer is not used by anyone other than himself. The computer has Windows 98 installed on the hard drive. You find the filename C:\downloads\check01.jpg?that EnCase shows as being moved. The starting extent is 0C4057. You find another filename C:\downloads\chk1.dll with the starting extent 0C4057, which EnCase also shows as being moved. In the C:\windows\System folder you find an allocated file named chk1.dll with the starting extent 0C4057. The chk1.dll file is a JPEG image of a counterfeit check. Could this information be used to refute the suspect claim that he never knew it was on the computer?

When a file is deleted in the FAT file system, what happens to the FAT?

The Unicode system can address ____ characters?

A signature analysis has been run on a case. The result !Bad Signature means:

A personal data assistant was placed in a evidence locker until an examiner has time to examine it. Which of the following areas would require special attention?

The term signature and header as they relate to a signature analysis are:

You are conducting an investigation and have encountered a computer that is running in the field. The operating system is Windows XP. A software program is currently running and is visible on the screen. You should:

A hash library would most accurately be described as:

The following GREP expression was typed in exactly as shown. Choose the answer(s) that would result. [^a-z]Tom[^a-z]

A sector on a floppy disk is the same size as a sector on a NTFS formatted hard drive.

Which of the following is commonly used to encode e-mail attachments?

You are investigating a case involving fraud. You seized a computer from a suspect who stated that the computer is not used by anyone other than himself. The computer has Windows 98 installed on the hard drive. You find the filename C:\downloads\check01.jpg that EnCase shows as being moved. The starting extent is 0C4057. You find another filename :\downloads\chk1.dll with the starting extent 0C4057, which EnCase also shows as being moved. In the C:\Windows\System folder you find an allocated file named chk1.dll with the starting extent 0C4057. The chk1.dll file is a JPEG image of a counterfeit check. What can be deduced from your findings?

Assume that an evidence file is added to a case, the case is saved, and the case is closed. What happens if the evidence file is moved, and the case is then opened?

Select the appropriate name for the highlighted area of the binary numbers.

Using good forensic practices, when seizing a computer at a business running Windows 2000 Server you should:

If an evidence file has been added to a case and completely verified, what happens if the data area within the evidence file is later changed?

A hard drive was imaged using EnCase. The original drive was placed into evidence. The restore feature was used to make a copy of the original hard drive. EnCase verifies the restored copy using:

How does EnCase verify that the evidence file contains an exact copy of the suspect hard drive?

The MD5 hash algorithm produces a _____ number.

Which of the following statements is more accurate?

The BIOS chip on an IBM clone computer is most commonly located on:

Which of the following selections is NOT found in the case file?

Before utilizing an analysis technique on computer evidence, the investigator should:

If a floppy diskette is in the a drive, the computer will always boot to that drive before any other device.

What information in a FAT file system directory entry refers to the location of a file on the hard drive?