Advanced EnCase - Review Questions Chapter (Advanced EnCase)
19 important questions on Advanced EnCase - Review Questions Chapter (Advanced EnCase)
1. How many sector(s) on a hard drive are reserved for the master boot record (MBR)?
A. 1
B. 4
C. 16
D. 63
E. 62
D. The first 63 sectors of a hard drive are reserved for the MBR even though its contents are contained in the very first sector.
2. The very first sector of a formatted hard drive that contains an operating system is referred to as which of the following?
A. Absolute sector 0
B. Boot sector
C. Containing the master boot record (MBR)
D. All of the above
3. How many logical partitions does the partition table in the master boot record allow for a physical drive?
A. 1
B. 2
C. 4
D. 24
- Higher grades + faster learning
- Never study anything twice
- 100% sure, 100% understanding
For my 1st exam I got a C. Then, I started looking for ways to learn better and I came across Study Smart. Since then I have scored a A+, A, A- and another A. I highly recommend it to everyone who wants to hear it. I am so happy with it!!
I was struggling to finish all my first-year subjects for 3 years. Then I discovered Study Smart, which helped me to finish all of them within 3 months.
Because of StudySmart, things are going well in many ways. Before, I always had study stress and no time for anything. Now I feel calm and confident (because of the program). I used to score a B, now I usually score an A or A+.
Hey Chris, I really want to thank you very much for developing the platform, I usually got around C for my exams, now I scored an A+, an A and a A- !!
Since using Study Smart, my average has increased significantly. I even completed a statistics course with a A+ while I'm bad at statistics. I took on extra courses this year, because of Study Smart. Thanks so much!
Ever since I started studying with StudySmart I passed all my exams !!! No more re-sits!! At first, I was happy with a pass and now I only get good grades. Many thanks!
I aced all the courses I studied with Study Smart. For law, I first scored a D, and now an A! I’m 100% sure that I’ll pass all the courses I study with Study Smart.
I always thought I studied well. My grades were fine. I could never have imagined that applying these study skills would have such a huge and direct impact on my grades, my speed and the pleasure I have in learning.
For the first time, I finally feel totally confident about the way I learn. I have the perfect overview and make great progress in terms of speed and the grades I get. Thanks, Chris!
I immediately started to enjoy learning again, and my grades soared. All of a sudden, everything went better. I highly recommend Study Smart to all students..
Being able to create my materials online made the process of studying so much smoother and quicker. I no longer have to spend a huge amount of my time on creating my summaries.
At first, my notes were a mess. Now I use Study Smart to take my notes in a perfectly structured way. It helps me to save a lot of time and do other things I enjoy.
Students that study with Study Smart get better grades. The system applies all the learning methods in such a way that both well-performing students and students who struggle perform much better.
Hi Chris, I would like to thank you very much. Last year I scored C on a course, and this year I got an A+ thanks to your method! Thank you very much!
The largest effect is that my child is more enthusiastic about school! Every parent wants their children to be happy at school, Study Smart made it happen.
In high school, I failed several exams, and that has really changed now. I actually needed this tool very much back then. Since I started studying with StudySmart, I haven't had any D's. My average score is now an A and those are results I would have never had in the past
With my old method, I passed only 3 out of 8 courses. Since I started taking my notes digitally in Study Smart, I have passed all my courses on the first try. For me, StudySmart takes away the stress of wondering if I will pass or not.
Thanks to StudySmart, I passed all my exams, and with better grades than before! On top of that, I have mastered a very good study method now, which I am confident will help me earn my degree.
5. If a hard drive has been fdisked, EnCase can still recover the deleted partition(s), if you point to the _________ and select Add Partition from the Partition menu.
A. master boot record
B. volume boot record
C. partition table
D. unallocated space
B. Encase can still recover deleted partitions if you point to the first sector of the partition, which is the volume boot record, and select the Add Partition command from the Partition menu.
6. In an NTFS partition, where is the backup copy of the volume boot record (VBR) stored?
A. In the partition table.
B. Immediately after the VBR.
C. The last sector of the partition.
D. An NTFS partition does not store a backup of the VBR.
C. When a hard drive is formatted with an NTFS partition, a backup of the VBR is stored in the last sector of the partition.
7. EnCase can mount a compound file, which can then be viewed in a hierarchical format. Select an example of a compound file.
A. Registry file (that is, .dat)
B. Email file (that is, .edb, .nsf, .pst, .dbx)
C. Compressed file (that is, .zip)
D. Thumbs.dbE. All of the above
8. Windows 7 contains two master keys in its registry. They are HKEY_LOCAL_MACHINE and which of the following?
A. HKEY_USERS
B. HKEY_CLASSES_ROOT
C. HKEY_CURRENT_USER
D. HKEY_CURRENT_CONFIG
A. The other master key is HKEY_USERS. The other choices are derived keys that are linked to keys within the two master keys.
9. In Windows 7, information about a specific user’s preference is stored in the NTUSER.DAT file. This compound file can be found where?
A. C:\
B. C:\WINDOWS
C. C:\Users\username
D. C:\Documents and Settings\All Users\Application Data
C. Each time a profile or username is created, the NTUSER.DAT file is also created for the specific profile. This compound file is stored locally in the root of C:\Users\%USERNAMES%.
10. In an NTFS file system, the date and time stamps recorded in the registry are stored where?
A. Local time based on the BIOS settings
B. GMT and converted based on the system’s time zone settings
11. EnScript is a proprietary programming language and application programming interface (API) developed by Guidance Software, designed to function properly only within the EnCase environment.
A. True
B. False
A. True - Since EnScript is a proprietary programming language, it is designed to function properly only in the EnCase environment.
12. Since EnScript is a proprietary programming language developed by Guidance Software, EnScripts can be created by and obtained only from Guidance Software.
A. True
B. False
B. False - Although EnScript was developed by Guidance Software, anyone with computer programming skills and knowledge of the programming language can develop their own EnScripts.
13. Filters are a type of EnScript that “filters” a case for certain file properties such as file
types, dates, and hash categories. Like EnScripts, filters can also be changed or created by a user.
A. True
B. False
14. Select the type of email that EnCase 6 is not capable of recovering.
A. Microsoft Outlook
B. AOL
C. Microsoft Outlook Express
D. Lotus Notes and Microsoft Exchange Server
E. None of the above
15. Which method is used to view the contents of a compound file that contains emails such as a PST file in EnCase 7?
A. Select View File Structure from the Entries options.
B. Run Find Email from within the EnCase Evidence Processor.
C. Both A and B.
D. None of the above.
C. EnCase 7 allows the user to view the contents of compound files containing emails either by selecting View File Structure or by running Find Email from within the EnCase Evidence Processor. While both will allow viewing the compound file, per se, only the later method will send the output to the Records view.
16. EnCase 7 cannot process web-based email such as MSN Hotmail or Yahoo! Mail because the information can be found only on the mail servers.
A. True
B. False
B. False, Contents of web-based emails may reside in areas such as Temporary Internet History, cache (pagefile.sys), hiberfil.sys, and unallocated clusters. Using the web mail finder option from the File Carver, EnCase can locate web mail fragments.
17. The EnCase Decryption Suite (EDS) will not decrypt Microsoft’s Encrypting File System (EFS) on the ___________ operating system.
A. Windows 2000 Professional and Server
B. Windows XP Professional
C. Windows 2003 Server
D. Windows 7 Home Edition
D. Microsoft Windows 7 Home Edition does not include the EFS feature nor does it support BitLocker.
18. At which levels can the VFS module mount objects in the Windows environment?
A. The case level
B. The disk or device level
C. The volume level
D. The folder level
E. All of the above
19. The Physical Disk Emulator (PDE) module is similar to the Virtual File System (VFS); the module can mount a piece of media that is accessible in the Windows environment. Select the type(s) of media that the Physical Disk Emulator cannot mount.
A. Cases
B. Folders
C. Volumes
D. Both A and B
E. Physical disks
20. The Virtual File System (VFS) module mounts data as _______, while the Physical Disk Emulator (PDE) module mounts data as _______.
A. network share, emulated disk
B. emulated disk, network share
C. virtual drive, physical drive
D. virtual file, physical disk
A. When a user selects the VFS module, EnCase will prompt the user with a Mount As Network Share dialog box. When a user selects the PDE module, EnCase will prompt the user with a Mount As Emulated Disk dialog box.
The question on the page originate from the summary of the following study material:
- A unique study and practice tool
- Never study anything twice again
- Get the grades you hope for
- 100% sure, 100% understanding
