Which two image formats contain an embedded hash value for file verification? (Choose two.)

A. E01

B. S01

C. ISO

D. CUE

E. 001 (dd)

In which Overview tab container are HTML files classified?

A. Archive container

B. Java Code container

C. Documents container

D. Internet Files container

When adding data to FTK, which statement about DriveFreeSpace is true?

A. DriveFreeSpace is merged with deleted files.

B. DriveFreeSpace is segmented into 10 megabyte items.

C. DriveFreeSpace is truncated, based on the size of the case.dat file.

D. DriveFreeSpace is classified with file slack items in the Overview tab.

You are using FTK to process e-mail files. In which two areas can E-mail attachments be located? (Choose two.)

A. the E-mail tab

B. the From E-mail container in the Overview tab

C. the Evidence Items container in the Overview tab

D. the E-mail Messages container in the Overview tab

In FTK, when you view the Total File Items container (rather than the Actual Files container), why are there more items than files?

A. Total File Items includes files that are in archive files, while Actual Files does not.

B. Total File Items includes all unfiltered files while Actual Files includes only checked files.

C. Total File Items includes all KFFIgnorables while Actual Files includes only the KFF Alerts.

D. Total File Items includes files that are in the Graphics and E-Mail tabs, while Actual Files only includes files in the Graphics tab while excluding attachments in the E-mail tab.

You have processed a case in FTK using all the default options. The investigator supplies you with a list of 400 names in an electronic format. What is the quickest way to search unallocated space for all of these names?

A. build adtSearch string with all 400 names

B. create a Regular Expression with all the names

C. make an imported text file of the names in Live Search

D. use an imported text file containing the names in Indexed Search

FTK uses Data Carving to find which three file types? (Choose three.)

A. JPEG files

B. Yahoo! Chat Archives

C. WPD (Word Perfect Documents)

D. Enhanced WindowsMeta Files (EMF)

E. OLE Archive Files (Office Documents)

In FTK, a user may alter the alert or ignore status of individual hash sets within the active KFF. Which utility is used to accomplish this?

A. KFF Alert Editor

B. ADKFF Library Selector

C. Hash Database File Selector

D. Hash Database Recovery Engine

After creating a case, the Encrypted Files container lists EFS files. However, no decrypted sub- items are present. All other necessary components for EFS decryption are present in the case. Which two files must be used to recover the EFS password for use in FTK? (Choose two.)

A. SAM

B. system

C. SECURITY

D. Master Key

E. FEK Certificate

What happens when a duplicate hash value is imported into a KFF database?

A. It will not be accepted.

B. It will be marked as a duplicate.

C. The database will be corrupted.

D. The database will hide the duplicate.