Summary: Encase Examen 1

Read the summary and the most important questions on Encase Examen 1

• 1 Encase Examen 1

  This is a preview. There are 41 more flashcards available for chapter 1
  Show more cards here

• There is a setup program contained within the BIOS that accesses data stored in CMOS (RTC/NVRAM). Among other data, two particular settings are of special interest to the computer forensics examiner. Which ones are they?A. RAM size and hard drive capacity B. System date/time and boot order (sequence) C. System date/time and hard drive capacity D. IDE settings and boot order (sequence)

  B. System date/time and boot order (sequence)
  
  The examiner accesses the setup program to determine the system time (comparing it with a known standard) and the boot sequence so as to control the boot order if booting from the suspect’s machine is necessary. See Chapters 1 and 4 for more information.  

• Which of the following are true of a motherboard? (Choose all that apply.) A. It is the main circuit board that has sockets or slots for the CPU, RAM,    and add-in cards. B. It is a term used to describe any circuit board housed within the computer     case. C. It may have onboard video, SATA controllers, and audio. D. It receives power from a separate power supply.

  A, C, D
  
  The motherboard is the main circuit board in a computer with sockets or slots for CPUs, RAM, and add-in cards. A motherboard may come with integrated audio, Ethernet, SATA, or video. A separate power supply is required to power the motherboard. See Chapter 1 for more information.

• What does the acronym RAM stand for?A. Random Addressable MemoryB. Random Access Memory C. Relative Addressable Memory D. None of the above

  B
  
  RAM stands for Random Access Memory. At the time it evolved, the term random access  was used to differentiate it from tape memory, which was linear access and much slower. See Chapter 1 for more information.   

• What does a computer use RAM for?A. Permanent memory storage that persists after the computer is powered     down B. Temporary storage of data that persists only when the computer is     powered on C. Permanent storage of system time and other settings requiring storage after     the system is powered down D. None of the above

  B
  
  RAM is volatile memory that persists only while the machine is powered on. It is used to temporarily store data for processing only while the system is running. See Chapter 1 for more information.

• Of the steps or processes listed here, which occurs first when a PC computer system is first powered on? A. The first device in the boot sequence is booted.B. The available drives are searched for an operating system. C. POST occurs. D. None of the above.

  C
  
  Before carrying out any of the boot process, the system first undergoes a system check, called POST, which means Power On Self-Test. See Chapter 1 for more information.   

• In a FAT file system, what does the file allocation table track? (Choose all that apply.)A. Logical size of the file B. Cluster size C. File fragmentation D. Cluster usage of all addressable clusters in the partition

  C, D
  
  A file allocation table tracks cluster usage for all clusters, including which clusters are marked as bad. It also tracks fragmentation. See Chapter 2 for more information.

• What field name or attribute of a FAT directory entry describes the location where a file begins on a logical volume? A. The Cluster or Data Run field B. The Begin File At Sector field C. The Starting Cluster field D. The Starting Sector field

  C
  
  Of the fields listed, only Starting Cluster is a valid field in a FAT directory entry. The starting cluster field points to the cluster number where the file begins. The file allocation table is then used to link together any other clusters containing data associated with any particular file. See Chapter 2 for more information.

• By default, how many file allocation table entries are located on a FAT16 or FAT32 file system that has been formatted with Windows? A. 1 B. 2 C. 3 D. 4

  B
  
  By default, Windows will create two file allocation tables: FAT1 and FAT2. Although it’s quite rare, a file system can be configured to have only one file allocation table. See Chapter 2 for more information.   

• In the file allocation table, if cluster number 36,345 contained a value of 36,346, what would this mean? A. The file ends in cluster 36,346. B. The file ends in cluster 36,345. C. The file is fragmented, and the next segment of the file is located in cluster     36,346. D. The next segment of the file is located in cluster 36,346. E. None of the above.

  D
  
  We lack information about where the file ends or if it is fragmented. All that you can conclude from the information given is that the next segment of data for the file found in cluster 36,345 is located in the contiguous cluster 36,346. See Chapter 2 for more information.   

• A partition is formatted so that it contains 16 sectors per cluster. A file named myfile.txt has a logical size of 26,000 bytes. How many clusters will be used by this file? A. 1B. 2C. 3D. 4

  D
  
  A cluster will hold 8,192 bytes of data (16 sectors times 512 bytes per sector). A file size of 26,000 bytes will require 3.174 clusters to hold the data (26,000 bytes divided by 8,192 bytes per cluster). Since you must allocate whole clusters, this file will require four clusters to contain the file. See Chapter 2 for more information.