EnCase Concepts - Review Questions
17 important questions on EnCase Concepts - Review Questions
The EnCase evidence file is best described as:
A. A mirror image of the source device written to a hard drive
B. A sector-by-sector image of the source device written to corresponding
sectors of a secondary hard drive
C. A bitstream image of a source device written to the corresponding sectors
of a secondary hard drive
D. A bitstream image of a source device written to a file or several file segments
hard drive, CD-ROM, or floppy disk written to a file (.E01) or several file
segments (.E02, .E03, etc.).
How does EnCase verify the contents of an evidence file?
A. EnCase writes an MD5 hash value for every 32 sectors copied.
B. EnCase writes an MD5 value for every 64 sectors copied.
C. EnCase writes a CRC value for every 32 sectors copied.
D. EnCase writes a CRC value for every 64 sectors copied.
the block size has been modified, the CRC frequency will be adjusted
accordingly.
What is the smallest file size that an EnCase evidence file can be saved as?
A. 64 sectors
B. 512 sectors
C. 1MB
D. 2MB
E. 640MB
What is the largest file segment size that an EnCase evidence file can be saved as?
A. 640MB
B. 1GB
C. 2GB
D. No maximum limit
For an EnCase evidence file to successfully pass the file verification process,
which of the following must be true?
A. The MD5 hash value must verify.
B. The CRC values and the MD5 hash value both must verify.
C. Either the CRC or MD5 hash values must verify.
D. The CRC values must verify.
EnCase verifies both the CRC and MD5 hash values.
The MD5 hash algorithm is ___ hexadecimal characters in length.
A. 16
B. 32
C. 64
D. 128
If an evidence file has been added to a case and completely verified, what happens if the data area within the evidence file is later altered?
A. EnCase will detect the error when that area of the evidence file is accessed
by the user.
B. EnCase will detect the error if the evidence file is manually reverified.
C. EnCase will allow the examiner to continue to access the rest of the evidence
file that has not been changed.
D. All of the above.
unaffected areas of the evidence file.
Which of the following aspects of the EnCase evidence file can be changed
during a reacquire of the evidence file?
A. Investigator’s name
B. Evidence number
C. Notes
D. Evidence file size
E. All of the above
An evidence file was archived onto five CD-ROMs with the third file segment
on disc number 3. Can the contents of the third file segment be verified
by itself while still on the CD-ROM?
A. No. All evidence file segments must be put back together.
B. Yes. Any evidence file segment can be verified independently by comparing
the CRC values.
CRC values of the data blocks.
Will EnCase allow a user to write data into an acquired evidence file?
A. Yes, when adding notes or comments to bookmarks.
B. Yes, when adding search results.
C. A and B.
D. No, data cannot be added to the evidence file after the acquisition is made.
All investigators using EnCase should run tests on the evidence file
acquisition and verification process to:
A. Further the investigator’s understanding of the evidence file
B. Give more weight to the investigator’s testimony in court
C. Verify that all hardware and software is functioning properly
D. All of the above
to better understand how the tool performs and to verify that
it is functioning properly.
When a noncompressed evidence file is reacquired with compression, the
acquisition and verification hash values for the evidence file will remain
the same for both files.
A. True
B. False
Search hit results and bookmarks are stored in the evidence file.
A. True
B. False
The EnCase evidence file’s logical file name can be changed without affecting
the verification of the acquired evidence.
A. True
B. False
affecting the verification of the acquired evidence.
An evidence file can be moved to another directory without changing the file
verification.
A. True
B. False
What happens when EnCase attempts to reopen a case once the evidence file has been moved?
A. EnCase reports that the file’s integrity has been compromised and renders
the file useless.
B. EnCase reports a different hash value for the evidence file.
C. EnCase prompts for the location of the evidence file.
D. EnCase opens the case, excluding the moved evidence file.
will prompt for the new location of the evidence file.
During reacquisition, you may change which of the following? (Select all that are correct.)
A. Block size and Error granularity
B. Add or remove a password
C. Investigator’s name
D. Compression
E. File segment size