Acquiring Digital Evidence - Review Questions
20 important questions on Acquiring Digital Evidence - Review Questions
When acquiring a hard drive in the DOS mode, what would be the cause of EnCase not detecting partition information?
A. Drive has been FDisked and partition(s) removed.
B. Partition(s) are not recognized by DOS.
C. Both A and B.
D. None of the above.
by DOS, EnCase still recognizes the physical drive and acquires it as such.
A standard DOS 6.22 boot disk does not make calls to the C:\ volume of a
hard drive when the diskette is booted.
A. True
B. False
thus causing changes to date/time stamps to certain files.
As a good forensic practice, why would it be a good idea to wipe a forensic
drive before reusing it?
A. Chain-of-custody
B. Cross-contamination
C. Different file and operating systems
D. Chain of evidence
E. No need to wipe
it is still good forensic practice to wipe/sterilize each hard drive prior
to reusing it to eliminate the argument of possible cross-contamination.
If the number of sectors reported by EnCase does not match the
number reported by the manufacturer for the drive, what should you do?
A. Suspect HPA
B. Suspect DCO
C. Boot with EnCase for DOS and switch to Direct ATA access
D. Boot with LinEn in Linux
E. All of the above
EnCase for DOS with Direct ATA access should enable you to see all sectors.
When acquiring digital evidence, why shouldn’t the evidence be left
unattended in an unsecured location?
A. Cross-contamination
B. Storage
C. Chain-of-custody
D. Not an issue
a chain of custody must be established to account for everyone who
has access to the property.
Which describes an HPA? (Choose all that are correct.)
A. Stands for Host Protected Area
B. Is not normally seen by the BIOS
C. Is not normally seen through Direct ATA access
D. Was introduced in the ATA-6 specification
HPA stands for Host Protected Area and is not normally seen by
the BIOS. It was introduced in the ATA-4 specification, not ATA-6,
and is seen when directly accessed via the Direct ATA mode.
Which describes a DCO?
A. Was introduced in the ATA-6 specification
B. Stands for Device Configuration Overlay
C. Is not normally seen by the BIOS
D. It may contain hidden data, which can be seen by switching to the
Direct ATA mode in EnCase for DOS
E. All of the above
What system files are changed or in any way modified by EnCase when
creating an EnCase boot disk?
A. IO.SYS
B. COMMAND.COM
C. DRVSPACE.BIN
D. All of the above
E. None of the above
from C: to A:. If DRVSPACE.BIN is present, it will be deleted.
Reacquiring an image and adding compression will change the
MD5 value of the acquisition hash.
A. True
B. False
remains the same despite the compression applied.
When reacquiring an image, you can change the name of the evidence.
A. True
B. False
Which of the following should you do when creating a storage volume to
hold an EnCase evidence file that will be created with EnCase for
DOS or LinEn? (Choose all that are correct.)
A. Format the volume with the FAT file system.
B. Give the volume a unique label to identify it.
C. Wipe the volume before formatting to conform to best practices and avoid
claims of cross-contamination.
D. Create a directory to contain the evidence file.
E. Format the volume with the NTFS file system.
F. All of the above.
A, B, C, D.
This is a case where you have to choose several correct answers, and
there will be questions like this on the examination!
All are correct except for E, therefore making F also incorrect. DOS can’t read or write to NTFS. Linux can read NTFS, but can’t reliably write to it.
In Linux, what describes hdb2? (Choose all that are correct.)
A. Refers to the primary master
B. Refers to the primary slave
C. Refers to hard drive number 2
D. Refers to the second partition
E. Refers to the secondary master
B and D. Here, hdb2 refers to the second partition of the primary slave.
In Linux, what describes sdb? (Choose all that are correct.)
A. Refers to an IDE device
B. Refers to a SCSI device
C. Refers to a USB device
D. Refers to a FireWire device
Linux normally names an IDE device hda, hdb, hdc, or hdd to denote
its position on the ATA controller (primary master, primary slave,
secondary master, secondary slave, respectively). sdb is the second
SCSI device, and since Linux treats USB and FireWire devices as SCSI
devices, any of the three (B, C, or D) could be represented by sdb.
When acquiring USB flash memory, you should write-protect it by:
A. Engaging the write-protect switch, if equipped
B. Modifying the Registry in XP SP2 (or higher) to make USB read-only
C. Using ENBD/ENBCD USB DOS drivers and having EnCase for DOS “Lock”
the flash media
D. Using LinEn in Linux with auto-mount of file system disabled
E. All of the above
others, but methods nevertheless.
Which type or types of cables can be used in a network cable acquisition?
A. Standard network patch cable
B. CAT-6 network cable
C. Network crossover cable
D. Standard network patch cable used with a crossover adaptor
capability. To connect directly between two computers, a network
crossover cable must be used, or you can use a regular cable with a
crossover adapter, which achieves the same effect.
Should zip/Jaz disks be acquired with EnCase in DOS or Windows?
A. DOS
B. Windows
using the guest.exe command.
How can a floppy disk be acquired by EnCase?
A. DOS mode
B. Windows mode
C. Both modes
write-protect floppy disks before inserting them into the drive.
How should CDs be acquired using EnCase?
A. DOS
B. Windows
Select all that are true about EE and FIM.
A. They can acquire or preview a system live without shutting it down.
B. They can capture live system-state volatile data using the Snapshot
feature.
C. With EE, the SAFE is on a separate PC, administered by the keymaster.
D. With FIM, the SAFE is on the examiner’s PC and the keymaster and the
examiner are the same person.
E. FIM can be licensed to private individuals.
A FIM can only be licensed to law enforcement or military customers. All other statements are correct.
How does an EnCase boot disk differ from a DOS 6.22 disk?
A. EnCase boot disk adds the EnCase executable, EN.EXE.
B. EnCase boot disk switches all calls from C:\ to A:\.
C. Both A and B.
D. None of the above.
and removes unnecessary files. It also adds the EN.EXE file so EnCase
can run in the DOS version.