Summary: Encase Examen 2
- This + 400k other summaries
- A unique study and practice tool
- Never study anything twice again
- Get the grades you hope for
- 100% sure, 100% understanding
Read the summary and the most important questions on Encase examen 2
-
1 Encase examen 2
This is a preview. There are 40 more flashcards available for chapter 1
Show more cards here -
Which of the following is true of an EnCase evidence file?A. It is a bitstream image of the source hard drive that is written to and contained within a file or files on a target hard drive.B. It is a clone or exact copy of the source media.C. It contains pointers to search hits and other information in the image file.D. It is identical in all respects to a “dd” image.
A.
An EnCase evidence file is a bitstream image of the source media that is written to one or more files on the target drive. Because it contains other metadata relating to case information and file integrity, it is not, per se , a clone. See Chapter 4 for more information. -
When EnCase creates an evidence file, integrity is maintained by which of the following?A. Calculating an MD5 and/or SHA1 hash value for the entire bitstream image of the source drive as it is acquiredB. Calculating a CRC value for every 64 sectors copied, if uncompresseC. Calculating an MD5 and/or SHA1 hash of the entire EnCase evidence fileD. Calculating a CRC value for the entire bitstream image of the source drive as it is acquiredE.Both B and CF. Both A and B
F
By default, a CRC is written for every 64 sectors (32 KB) for an uncompressed evidence file. If compression is used, the compression algorithm is used instead of the CRC for the data block verification. An MD5 and/or SHA1 is calculated only on the data portion or bitstream image of the source drive. If an MD5 and/or SHA1 were calculated over the entire evidence file, it would include metadata that is not part of the image. See Chapter 4 for more information. -
Which of the following must be true in order for an EnCase evidence file to verify? A. The acquisition hash must match the verification hash.B. All CRCs calculated for the original bitstream must match those recalculated against the image data in the evidence file with no errors reported or must match compression blocks if compression is utilized.C. The acquisition hash must match the hash value of the entire evidence file.D. All of the above are true.E. Only A and B are true.
E.
For an EnCase evidence file to verify, the verification hash must match the acquisition hash, and all CRC values for the original bitstream image must match those that are recalculated from the image with no errors reported. See Chapter 4 for more information. -
EnCase verifies case information (case number, evidence number, notes, and so on) integrity by which of the following means? (Choose all that apply.)A. An MD5 hash of the entire evidence file B. A CRC value for the entire evidence file C. A CRC value for the case information portion only D. Recalculating a CRC for the case information portion only when an evidence file is added to a case
C en D
EnCase writes a CRC value for the case information portion only, and when evidence is added to a case, the CRC for the case information portion only is recalculated and compared to the original CRC. They must match. See Chapter 4 for more information. -
Which of the following are true about the MD5 acquisition hash applied to the bitstream image when acquired by EnCase? (Choose all that apply.)A. It is a proprietary algorithm to ensure data security of the image.B. It produces a 128-bit value.C. It is an industry-standard algorithm.D. The odds of any two dissimilar files having the same MD5 hash value are one in 2^32 macht
B en C
An MD5 hash is an industry-standard algorithm that produces a 128-bit value. The odds of any two dissimilar files having the same hash value are one in 2^128 macht. See Chapter 4 for more information. -
Which attributes of an EnCase evidence file can be changed during a reacquisition of that evidence file? (Choose all that apply.) A. Add or remove a password B. Change its compression C. Change the file chunk size D.Change the acquisition notes
ABC
You may change all of these attributes except for the acquisition notes, which can’t be changed. See Chapter 4 for more information. -
Which of the following are true about an EnCase evidence file? (Choose all that apply.) A. It can be password protected. B. It contains file integrity metadata. C. It can be compressed. D. There is an MD5 and/or SHA1 hash created for the entire evidence file.
ABC
An EnCase evidence file can be compressed or password protected. While it contains file integrity metadata, the MD5 and/or SHA1 is only calculated for the evidence file datastream, not the entire evidence file. In other words, the metadata is not included in the hash calculations. See Chapter 4 for more information. -
Under which circumstances can an examiner modify data in the EnCase evidence file?A. When a partition is recovered and added B. When cases notes must be modified C. When folders are recovered D. All of the above E . None of the above
E.
Options A, B, and C all involve adding data to the case file but never to the evidence file. See Chapter 4 for more information. -
If you created a case (adding an evidence file), saved it, moved the evidence file, and then reopened the case, what behavior can you expect from EnCase? A. EnCase reports a file integrity error. B. EnCase searches for the missing files on the local drives and loads them, and the case opens. C. EnCase opens the case but does not include the evidence files that were moved. D. EnCase prompts the user for the path of the missing evidence file.
D.
When EnCase can’t locate the evidence file, it will prompt you for the path. See Chapter 5 for more information. -
What information is contained in an EnCase 7 case file? (Choose all that apply.) A. Bookmarks with pointers to specific locations in the evidence file B. Search hits with pointers to specific locations in the evidence fileC. Default text stylesD. User-defined partitions E. Notes bookmarks
ABDE
All of these options are contained in the case file except for default text styles, which ship with EnCase. See Chapters 6 and 7 for more information.
- Higher grades + faster learning
- Never study anything twice
- 100% sure, 100% understanding
For my 1st exam I got a C. Then, I started looking for ways to learn better and I came across Study Smart. Since then I have scored a A+, A, A- and another A. I highly recommend it to everyone who wants to hear it. I am so happy with it!!
I was struggling to finish all my first-year subjects for 3 years. Then I discovered Study Smart, which helped me to finish all of them within 3 months.
Because of StudySmart, things are going well in many ways. Before, I always had study stress and no time for anything. Now I feel calm and confident (because of the program). I used to score a B, now I usually score an A or A+.
Hey Chris, I really want to thank you very much for developing the platform, I usually got around C for my exams, now I scored an A+, an A and a A- !!
Since using Study Smart, my average has increased significantly. I even completed a statistics course with a A+ while I'm bad at statistics. I took on extra courses this year, because of Study Smart. Thanks so much!
Ever since I started studying with StudySmart I passed all my exams !!! No more re-sits!! At first, I was happy with a pass and now I only get good grades. Many thanks!
I aced all the courses I studied with Study Smart. For law, I first scored a D, and now an A! I’m 100% sure that I’ll pass all the courses I study with Study Smart.
I always thought I studied well. My grades were fine. I could never have imagined that applying these study skills would have such a huge and direct impact on my grades, my speed and the pleasure I have in learning.
For the first time, I finally feel totally confident about the way I learn. I have the perfect overview and make great progress in terms of speed and the grades I get. Thanks, Chris!
I immediately started to enjoy learning again, and my grades soared. All of a sudden, everything went better. I highly recommend Study Smart to all students..
Being able to create my materials online made the process of studying so much smoother and quicker. I no longer have to spend a huge amount of my time on creating my summaries.
At first, my notes were a mess. Now I use Study Smart to take my notes in a perfectly structured way. It helps me to save a lot of time and do other things I enjoy.
Students that study with Study Smart get better grades. The system applies all the learning methods in such a way that both well-performing students and students who struggle perform much better.
Hi Chris, I would like to thank you very much. Last year I scored C on a course, and this year I got an A+ thanks to your method! Thank you very much!
The largest effect is that my child is more enthusiastic about school! Every parent wants their children to be happy at school, Study Smart made it happen.
In high school, I failed several exams, and that has really changed now. I actually needed this tool very much back then. Since I started studying with StudySmart, I haven't had any D's. My average score is now an A and those are results I would have never had in the past
With my old method, I passed only 3 out of 8 courses. Since I started taking my notes digitally in Study Smart, I have passed all my courses on the first try. For me, StudySmart takes away the stress of wondering if I will pass or not.
Thanks to StudySmart, I passed all my exams, and with better grades than before! On top of that, I have mastered a very good study method now, which I am confident will help me earn my degree.
