Acquiring Digital Evidence - Review Questions

20 important questions on Acquiring Digital Evidence - Review Questions

When acquiring a hard drive in the DOS mode, what would be the cause of EnCase not detecting partition information?

A. Drive has been FDisked and partition(s) removed.
B. Partition(s) are not recognized by DOS.
C. Both A and B.
D. None of the above.

C. When partitions have been removed or if partitions are not recognized
by DOS, EnCase still recognizes the physical drive and acquires it as such.

A standard DOS 6.22 boot disk does not make calls to the C:\ volume of a
hard drive when the diskette is booted.

A. True
B. False

B. False. A standard DOS 6.22 boot disk accesses the C:\ volume of a hard drive,
thus causing changes to date/time stamps to certain files.

As a good forensic practice, why would it be a good idea to wipe a forensic
drive before reusing it?

A. Chain-of-custody
B. Cross-contamination
C. Different file and operating systems
D. Chain of evidence
E. No need to wipe

B. Although EnCase only examines the contents within the evidence files,
it is still good forensic practice to wipe/sterilize each hard drive prior
to reusing it to eliminate the argument of possible cross-contamination.

If the number of sectors reported by EnCase does not match the
number reported by the manufacturer for the drive, what should you do?

A. Suspect HPA
B. Suspect DCO
C. Boot with EnCase for DOS and switch to Direct ATA access
D. Boot with LinEn in Linux
E. All of the above

E. You should suspect an HPA or a DCO. Booting with LinEn or booting with
EnCase for DOS with Direct ATA access should enable you to see all sectors.

When acquiring digital evidence, why shouldn’t the evidence be left
unattended in an unsecured location?

A. Cross-contamination
B. Storage
C. Chain-of-custody
D. Not an issue

C. Digital evidence must be treated like any other evidence, in that
a chain of custody must be established to account for everyone who
has access to the property.

Which describes an HPA? (Choose all that are correct.)

A. Stands for Host Protected Area
B. Is not normally seen by the BIOS
C. Is not normally seen through Direct ATA access
D. Was introduced in the ATA-6 specification

A and B

HPA stands for Host Protected Area and is not normally seen by
the BIOS. It was introduced in the ATA-4 specification, not ATA-6,
and is seen when directly accessed via the Direct ATA mode.

Which describes a DCO?

A. Was introduced in the ATA-6 specification
B. Stands for Device Configuration Overlay
C. Is not normally seen by the BIOS
D. It may contain hidden data, which can be seen by switching to the
     Direct ATA mode in EnCase for DOS
E. All of the above

E. All are correct statements with regard to DCO.

What system files are changed or in any way modified by EnCase when
creating an EnCase boot disk?

A. IO.SYS
B. COMMAND.COM
C. DRVSPACE.BIN
D. All of the above
E. None of the above

D. EnCase will modify IO.SYS and COMMAND.COM to redirect any calls
from C: to A:. If DRVSPACE.BIN is present, it will be deleted.

Reacquiring an image and adding compression will change the
MD5 value of the acquisition hash.

A. True
B. False

B. False. When reacquiring an image, the MD5 of the original data stream
remains the same despite the compression applied.

When reacquiring an image, you can change the name of the evidence.

A. True
B. False

B. False. When reacquiring, you can change the compression, you can add or remove a password, you can change the file segment size, you can change the block and error granularity sizes, or you can change the start and stop sectors. Other properties can’t be changed.

Which of the following should you do when creating a storage volume to
hold an EnCase evidence file that will be created with EnCase for
DOS or LinEn? (Choose all that are correct.)

A. Format the volume with the FAT file system.
B. Give the volume a unique label to identify it.
C. Wipe the volume before formatting to conform to best practices and avoid
     claims of cross-contamination.
D. Create a directory to contain the evidence file.
E. Format the volume with the NTFS file system.
F. All of the above.

A, B, C, D.

This is a case where you have to choose several correct answers, and
there will be questions like this on the examination!

All are correct except for E, therefore making F also incorrect. DOS can’t read or write to NTFS. Linux can read NTFS, but can’t reliably write to it.

In Linux, what describes hdb2? (Choose all that are correct.)

A. Refers to the primary master
B. Refers to the primary slave
C. Refers to hard drive number 2
D. Refers to the second partition
E. Refers to the secondary master

B and D.

Here, hdb2 refers to the second partition of the primary slave.

In Linux, what describes sdb? (Choose all that are correct.)

A. Refers to an IDE device
B. Refers to a SCSI device
C. Refers to a USB device
D. Refers to a FireWire device

B, C, and D.

Linux normally names an IDE device hda, hdb, hdc, or hdd to denote
its position on the ATA controller (primary master, primary slave,
secondary master, secondary slave, respectively). sdb is the second
SCSI device, and since Linux treats USB and FireWire devices as SCSI
devices, any of the three (B, C, or D) could be represented by sdb.

When acquiring USB flash memory, you should write-protect it by:

A. Engaging the write-protect switch, if equipped
B. Modifying the Registry in XP SP2 (or higher) to make USB read-only
C. Using ENBD/ENBCD USB DOS drivers and having EnCase for DOS “Lock”
   the flash media
D. Using LinEn in Linux with auto-mount of file system disabled
E. All of the above

E. All are methods of write-protecting USB devices, some arguably better than
others, but methods nevertheless.

Which type or types of cables can be used in a network cable acquisition?

A. Standard network patch cable
B. CAT-6 network cable
C. Network crossover cable
D. Standard network patch cable used with a crossover adaptor

C and D. A and B are references to standard network cables with no crossover
capability. To connect directly between two computers, a network
crossover cable must be used, or you can use a regular cable with a
crossover adapter, which achieves the same effect.

Should Zip/Jaz disks be acquired with EnCase in DOS or Windows?

A. DOS
B. Windows

A. Zip and Jaz disks should be acquired by EnCase in the DOS mode
using the guest.exe command.

How can a floppy disk be acquired by EnCase?

A. DOS mode
B. Windows mode
C. Both modes

C. Floppy disks can be acquired using both methods. Be sure to
write-protect floppy disks before inserting them into the drive.

How should CDs be acquired using EnCase?

A. DOS
B. Windows

B. CDs can be safely acquired in the Windows environment.

Select all that are true about EE and FIM.

A. They can acquire or preview a system live without shutting it down.
B. They can capture live system-state volatile data using the Snapshot
   feature.
C. With EE, the SAFE is on a separate PC, administered by the keymaster.
D. With FIM, the SAFE is on the examiner’s PC and the keymaster and the
   examiner are the same person.
E. FIM can be licensed to private individuals.

A, B, C, D.

A FIM can only be licensed to law enforcement or military customers. All other statements are correct.

How does an EnCase boot disk differ from a DOS 6.22 disk?

A. EnCase boot disk adds the EnCase executable, EN.EXE.
B. EnCase boot disk switches all calls from C:\ to A:\.
C. Both A and B.
D. None of the above.

C. An EnCase boot disk changes all calls to the C:\ volume to the A:\ volume
and removes unnecessary files. It also adds the EN.EXE file so EnCase
can run in the DOS version.
