Acquiring Digital Evidence - Review Questions
20 important questions on Acquiring Digital Evidence - Review Questions
When acquiring a hard drive in the DOS mode, what would be the cause of EnCase not detecting partition information?
A. Drive has been FDisked and partition(s) removed.
B. Partition(s) are not recognized by DOS.
C. Both A and B.
D. None of the above.
by DOS, EnCase still recognizes the physical drive and acquires it as such.
A standard DOS 6.22 boot disk does not make calls to the C:\ volume of a
hard drive when the diskette is booted.
A. True
B. False
thus causing changes to date/time stamps to certain files.
As a good forensic practice, why would it be a good idea to wipe a forensic
drive before reusing it?
A. Chain-of-custody
B. Cross-contamination
C. Different file and operating systems
D. Chain of evidence
E. No need to wipe
it is still good forensic practice to wipe/sterilize each hard drive prior
to reusing it to eliminate the argument of possible cross-contamination.
- Higher grades + faster learning
- Never study anything twice
- 100% sure, 100% understanding
For my 1st exam I got a C. Then, I started looking for ways to learn better and I came across Study Smart. Since then I have scored a A+, A, A- and another A. I highly recommend it to everyone who wants to hear it. I am so happy with it!!
I was struggling to finish all my first-year subjects for 3 years. Then I discovered Study Smart, which helped me to finish all of them within 3 months.
Because of StudySmart, things are going well in many ways. Before, I always had study stress and no time for anything. Now I feel calm and confident (because of the program). I used to score a B, now I usually score an A or A+.
Hey Chris, I really want to thank you very much for developing the platform, I usually got around C for my exams, now I scored an A+, an A and a A- !!
Since using Study Smart, my average has increased significantly. I even completed a statistics course with a A+ while I'm bad at statistics. I took on extra courses this year, because of Study Smart. Thanks so much!
Ever since I started studying with StudySmart I passed all my exams !!! No more re-sits!! At first, I was happy with a pass and now I only get good grades. Many thanks!
I aced all the courses I studied with Study Smart. For law, I first scored a D, and now an A! I’m 100% sure that I’ll pass all the courses I study with Study Smart.
I always thought I studied well. My grades were fine. I could never have imagined that applying these study skills would have such a huge and direct impact on my grades, my speed and the pleasure I have in learning.
For the first time, I finally feel totally confident about the way I learn. I have the perfect overview and make great progress in terms of speed and the grades I get. Thanks, Chris!
I immediately started to enjoy learning again, and my grades soared. All of a sudden, everything went better. I highly recommend Study Smart to all students..
Being able to create my materials online made the process of studying so much smoother and quicker. I no longer have to spend a huge amount of my time on creating my summaries.
At first, my notes were a mess. Now I use Study Smart to take my notes in a perfectly structured way. It helps me to save a lot of time and do other things I enjoy.
Students that study with Study Smart get better grades. The system applies all the learning methods in such a way that both well-performing students and students who struggle perform much better.
Hi Chris, I would like to thank you very much. Last year I scored C on a course, and this year I got an A+ thanks to your method! Thank you very much!
The largest effect is that my child is more enthusiastic about school! Every parent wants their children to be happy at school, Study Smart made it happen.
In high school, I failed several exams, and that has really changed now. I actually needed this tool very much back then. Since I started studying with StudySmart, I haven't had any D's. My average score is now an A and those are results I would have never had in the past
With my old method, I passed only 3 out of 8 courses. Since I started taking my notes digitally in Study Smart, I have passed all my courses on the first try. For me, StudySmart takes away the stress of wondering if I will pass or not.
Thanks to StudySmart, I passed all my exams, and with better grades than before! On top of that, I have mastered a very good study method now, which I am confident will help me earn my degree.
If the number of sectors reported by EnCase does not match the
number reported by the manufacturer for the drive, what should you do?
A. Suspect HPA
B. Suspect DCO
C. Boot with EnCase for DOS and switch to Direct ATA access
D. Boot with LinEn in Linux
E. All of the above
EnCase for DOS with Direct ATA access should enable you to see all sectors.
When acquiring digital evidence, why shouldn’t the evidence be left
unattended in an unsecured location?
A. Cross-contamination
B. Storage
C. Chain-of-custody
D. Not an issue
a chain of custody must be established to account for everyone who
has access to the property.
Which describes an HPA? (Choose all that are correct.)
A. Stands for Host Protected Area
B. Is not normally seen by the BIOS
C. Is not normally seen through Direct ATA access
D. Was introduced in the ATA-6 specification
HPA stands for Host Protected Area and is not normally seen by
the BIOS. It was introduced in the ATA-4 specification, not ATA-6,
and is seen when directly accessed via the Direct ATA mode.
Which describes a DCO?
A. Was introduced in the ATA-6 specification
B. Stands for Device Configuration Overlay
C. Is not normally seen by the BIOS
D. It may contain hidden data, which can be seen by switching to the
Direct ATA mode in EnCase for DOS
E. All of the above
What system files are changed or in any way modified by EnCase when
creating an EnCase boot disk?
A. IO.SYS
B. COMMAND.COM
C. DRVSPACE.BIN
D. All of the above
E. None of the above
from C: to A:. If DRVSPACE.BIN is present, it will be deleted.
Reacquiring an image and adding compression will change the
MD5 value of the acquisition hash.
A. True
B. False
remains the same despite the compression applied.
When reacquiring an image, you can change the name of the evidence.
A. True
B. False
Which of the following should you do when creating a storage volume to
hold an EnCase evidence file that will be created with EnCase for
DOS or LinEn? (Choose all that are correct.)
A. Format the volume with the FAT file system.
B. Give the volume a unique label to identify it.
C. Wipe the volume before formatting to conform to best practices and avoid
claims of cross-contamination.
D. Create a directory to contain the evidence file.
E. Format the volume with the NTFS file system.
F. All of the above.
A, B, C, D.
This is a case where you have to choose several correct answers, and
there will be questions like this on the examination!
All are correct except for E, therefore making F also incorrect. DOS can’t read or write to NTFS. Linux can read NTFS, but can’t reliably write to it. 12. B and D. Here, hdb2 refers to the second partition of the primary slave.
In Linux, what describes hdb2? (Choose all that are correct.)
A. Refers to the primary master
B. Refers to the primary slave
C. Refers to hard drive number 2
D. Refers to the second partition
E. Refers to the secondary master
Here, hdb2 refers to the second partition of the primary slave.
In Linux, what describes sdb? (Choose all that are correct.)
A. Refers to an IDE device
B. Refers to a SCSI device
C. Refers to a USB device
D. Refers to a FireWire device
Linux will name an IDE device, normally, with hda, hdb, hdc,
or hdd, to denote their position on the ATA controller
(primary master, primary slave, secondary master, secondary slave,
respectively). sdb is the second SCSI device, and since Linux calls
USB or FireWire devices SCSI devices, any of the three (B, C, or D)
could be represented by sdb.
When acquiring USB flash memory, you should write-protect it by:
A. Engaging the write-protect switch, if equipped
B. Modifying the Registry in XP SP2 (or higher) to make USB read-only
C. Using ENBD/ENBCD USB DOS drivers and having EnCase for DOS “Lock”
the flash media
D. Using LinEn in Linux with auto-mount of file system disabled
E. All of the above
others, but methods nevertheless.
Which type or types of cables can be used in a network cable acquisition?
A. Standard network patch cable
B. CAT-6 network cable
C. Network crossover cable
D. Standard network patch cable used with a crossover adaptor
capability. To connect directly between two computers, a network
crossover cable must be used, or you can use a regular cable with a
crossover adapter, which achieves the same effect.
Should zip/Jaz disks be acquired with EnCase in DOS or Windows?
A. DOS
B. Windows
using the guest.exe command.
How can a floppy disk be acquired by EnCase?
A. DOS mode
B. Windows mode
C. Both modes
write-protect floppy disks before inserting them into the drive.
How should CDs be acquired using EnCase?
A. DOS
B. Windows
Select all that are true about EE and FIM.
A. They can acquire or preview a system live without shutting it down.
B. They can capture live system-state volatile data using the Snapshot
feature.
C. With EE, the SAFE is on a separate PC, administered by the keymaster.
D. With FIM, the SAFE is on the examiner’s PC and the keymaster and the
examiner are the same person.
E. FIM can be licensed to private individuals.
A FIM can only be licensed to law enforcement or military customers. All other statements are correct.
How does an EnCase boot disk differ from a DOS 6.22 disk?
A. EnCase boot disk adds the EnCase executable, EN.EXE.
B. EnCase boot disk switches all calls from C:\ to A:\.
C. Both A and B.
D. None of the above.
and removes unnecessary files. It also adds the EN.EXE file so EnCase
can run in the DOS version.
The question on the page originate from the summary of the following study material:
- A unique study and practice tool
- Never study anything twice again
- Get the grades you hope for
- 100% sure, 100% understanding
