Summary: Encase Examen 2

Study material generic cover image
  • This + 400k other summaries
  • A unique study and practice tool
  • Never study anything twice again
  • Get the grades you hope for
  • 100% sure, 100% understanding
PLEASE KNOW!!! There are just 50 flashcards and notes available for this material. This summary might not be complete. Please search similar or other summaries.
Use this summary
Remember faster, study better. Scientifically proven.
Trustpilot Logo

Read the summary and the most important questions on Encase examen 2

  • 1 Encase examen 2

    This is a preview. There are 40 more flashcards available for chapter 1
    Show more cards here

  • Which of the following is true of an EnCase evidence file?A.      It is a bitstream image of the source hard drive that is written to and         contained  within a file or files on a target hard drive.B.     It is a clone or exact copy of the source media.C.     It contains pointers to search hits and other information in the image file.D.     It is identical in all respects to a “dd” image.

    A.

    An EnCase evidence file is a bitstream image of the source media that is written to one or more files on the target drive. Because it contains other metadata relating to case information and file integrity, it is not, per se , a clone. See Chapter 4 for more information.
  • When EnCase creates an evidence file, integrity is maintained by which of the following?A.  Calculating an MD5 and/or SHA1 hash value for the entire bitstream image of the source drive as it is acquiredB. Calculating a CRC value for every 64 sectors copied, if uncompresseC. Calculating an MD5 and/or SHA1 hash of the entire EnCase evidence fileD.  Calculating a CRC value for the entire bitstream image of the source drive as it is acquiredE.Both B and CF.   Both A and B

    F

    By default, a CRC is written for every 64 sectors (32 KB) for an uncompressed evidence file. If compression is used, the compression algorithm is used instead of the CRC for the data block verification. An MD5 and/or SHA1 is calculated only on the data portion or bitstream image of the source drive. If an MD5 and/or SHA1 were calculated over the entire evidence file, it would include metadata that is not part of the image. See Chapter 4 for more information. 
  • Which of the following must be true in order for an EnCase evidence file to verify? A. The acquisition hash must match the verification hash.B. All CRCs calculated for the original bitstream must match those recalculated     against the image data in the evidence file with no errors reported or must     match compression blocks if compression is utilized.C. The acquisition hash must match the hash value of the entire evidence file.D. All of the above are true.E. Only A and B are true.    

    E.

    For an EnCase evidence file to verify, the verification hash must match the acquisition hash, and all CRC values for the original bitstream image must match those that are recalculated from the image with no errors reported. See Chapter 4 for more information.
  • EnCase verifies case information (case number, evidence number, notes, and so on) integrity by which of the following means? (Choose all that apply.)A. An MD5 hash of the entire evidence file B. A CRC value for the entire evidence file C. A CRC value for the case information portion only D. Recalculating a CRC for the case information portion only when an evidence     file is added to a case 

    C en D

    EnCase writes a CRC value for the case information portion only, and when evidence is added to a case, the CRC for the case information portion only is recalculated and compared to the original CRC. They must match. See Chapter 4 for more information. 
  • Which of the following are true about the MD5 acquisition hash applied to the bitstream image when acquired by EnCase? (Choose all that apply.)A. It is a proprietary algorithm to ensure data security of the image.B. It produces a 128-bit value.C. It is an industry-standard algorithm.D. The odds of any two dissimilar files having the same MD5 hash value are one in     2^32 macht

    B en C

    An MD5 hash is an industry-standard algorithm that produces a 128-bit value. The odds of any two dissimilar files having the same hash value are one in 2^128 macht. See Chapter 4 for more information. 
  • Which attributes of an EnCase evidence file can be changed during a reacquisition of that evidence file? (Choose all that apply.) A. Add or remove a password B. Change its compression C. Change the file chunk size D.Change the acquisition notes

    ABC

    You may change all of these attributes except for the acquisition notes, which can’t be changed. See Chapter 4 for more information
    .
  • Which of the following are true about an EnCase evidence file? (Choose all that apply.) A. It can be password protected. B. It contains file integrity metadata. C. It can be compressed. D. There is an MD5 and/or SHA1 hash created for the entire evidence file.

    ABC

    An EnCase evidence file can be compressed or password protected. While it contains file integrity metadata, the MD5 and/or SHA1 is only calculated for the evidence file datastream, not the entire evidence file. In other words, the metadata is not included in the hash calculations. See Chapter 4 for more information.
  • Under which circumstances can an examiner modify data in the EnCase evidence file?A. When a partition is recovered and added B. When cases notes must be modified C. When folders are recovered D. All of the above E . None of the above   

    E.

    Options A, B, and C all involve adding data to the case file but never to the evidence file. See Chapter 4 for more information. 
  • If you created a case (adding an evidence file), saved it, moved the evidence file, and then reopened the case, what behavior can you expect from EnCase? A. EnCase reports a file integrity error. B. EnCase searches for the missing files on the local drives and loads them, and     the case opens. C. EnCase opens the case but does not include the evidence files that were     moved. D. EnCase prompts the user for the path of the missing evidence file.

    D.

    When EnCase can’t locate the evidence file, it will prompt you for the path. See Chapter 5 for more information. 
  • What information is contained in an EnCase 7 case file? (Choose all that apply.) A. Bookmarks with pointers to specific locations in the evidence file B. Search hits with pointers to specific locations in the evidence fileC. Default text stylesD. User-defined partitions E. Notes bookmarks    

    ABDE

    All of these options are contained in the case file except for default text styles, which ship with EnCase. See Chapters 6 and 7 for more information.
PLEASE KNOW!!! There are just 50 flashcards and notes available for this material. This summary might not be complete. Please search similar or other summaries.

To read further, please click:

Read the full summary
This summary +380.000 other summaries A unique study tool A rehearsal system for this summary Studycoaching with videos
  • Higher grades + faster learning
  • Never study anything twice
  • 100% sure, 100% understanding
Discover Study Smart