A physical file size is:
A. The total size in sectors of an allocated file.
B. The total size of all the clusters used by the file measured in bytes.
C. The total size in bytes of a logical file.
D. The total size of the file including the RAM slack in bytes.
EnCase is able to read and examine which of the following file systems?
A. NTFS
B. EXT3
C. FAT
D. HFS
When a file is deleted in the FAT file system, what happens to the FAT?
A. The FAT entries for that file are marked as allocated.
B. Nothing.
C. It is deleted as well.
D. The FAT entries for that file are marked as available.
To generate an MD5 hash value for a file, EnCase:
A. Computes the hash value including the logical file and filename.
B. Computes the hash value including the physical file and filename.
C. Computes the hash value based on the logical file.
D. Computes the hash value based on the physical file.
When a file is deleted in the FAT file system, what happens to the filename?
A. It is zeroed out.
B. The first character of the directory entry is marked with a hex 00.
C. It is wiped from the directory.
D. The first character of the directory entry is marked with a hex E5.
The results of a hash analysis on an evidence file that has been added to a case will be stored in which of the following files?
A. The evidence file
B. All of the above
C. The case file
D. The configuration HashAnalysis.ini file
Assume that MyNote.txt was allocated to clusters 5, 9, and 11. Clusters 6, 7, and 8 belong to MyResume.doc. Both files have been deleted and the directory entry in the FAT file system for MyResume.doc has been overwritten. What clusters would EnCase use to undelete MyNote.txt?
A. 5,9,11
B. 5,6,7
C. 7,8,9
D. 6,7,8
In DOS acquisition mode, if a physical drive is detected, but no partition information is displayed, what would be the cause?
A. Both a and b
B. The partition scheme is not recognized by DOS.
C. Neither a nor b
D. There are no partitions present.
What information should be obtained from the BIOS during computer forensic investigations?
A. The video caching information
B. The date and time
C. The port assigned to the serial port
D. The boot sequence
The acronym ASCII stands for:
A. American Standard Communication Information Index
B. American Standard Code for Information Interchange
C. Accepted Standard Code for Information Interchange
D. Accepted Standard Communication Information Index