Which of the following would most likely be an add-in card?
A. Anything plugged into socket 7
B. A motherboard
C. A video card that is connected to the motherboard in the AGP slot
D. The board that connects to the power supply
RAM is an acronym for:
A. Random Addressable Memory
B. Relative Addressable Memory
C. Relative Address Memory
D. Random Access Memory
What are the EnCase configuration .ini files used for?
A. Storing information that will be available to EnCase each time it is opened, regardless of the active case(s).
B. Storing the results of a signature analysis.
C. Storing pointers to acquired evidence.
D. Storing information that is specific to a particular case.
This question addresses the EnCase for Windows search process. If a target word is within a logical file, and it begins in cluster 10 and ends in cluster 15 (the word is fragmented), the search:
A. Will find it because EnCase performs a logical search.
B. Will not find it unless file slack is checked on the search dialog box.
C. Will not find it because EnCase performs a physical search only.
D. Will not find it because the letters of the keyword are not contiguous.
You are investigating a case involving fraud. You seized a computer from a suspect who stated that the computer is not used by anyone other than himself. The computer has Windows 98 installed on the hard drive. You find the filename C:\downloads\check01.jpg that EnCase shows as being moved. The starting extent is 0C4057. You find another filename :\downloads\chk1.dll with the starting extent 0C4057, which EnCase also shows as being moved. In the C:\Windows\System folder you find an allocated file named chk1.dll with the starting extent 0C4057. The chk1.dll file is a JPEG image of a counterfeit check. What can be deduced from your findings?
A. The presence and location of the files is strong evidence the suspect committed the crime.
B. The presence and location of the files is not strong evidence the suspect committed the crime.
Which of the following selections is NOT found in the case file?
A. Signature analysis results
B. Search results
C. Pointers to evidence files
D. External viewers
How are the results of a signature analysis examined?
A. By sorting on the signature column in the table view.
B. By sorting on the hash library column in the table view.
C. By sorting on the hash sets column in the table view.
D. By sorting on the category column in the table view.
You are examining a hard drive that has Windows XP installed as the operating system. You see a file that has a date and time in the Deleted column. Where does that date and time come from?
A. Directory Entry
B. Info2 file
C. Inode Table
D. Master File Table
Assume that an evidence file is added to a case, the case is saved, and the case is closed. What happens if the evidence file is moved, and the case is then opened?
A. EnCase reports that the file integrity has been compromised and renders the file useless.
B. EnCase asks for the location of the evidence file the next time the case is opened.
C. EnCase reports a different hash value for the evidence file.
D. EnCase opens the case, excluding the moved evidence.
A logical file would be best described as:
A. A file including only RAM slack.
B. The data from the beginning of the starting cluster to the length of the file.
C. A file including any RAM and disk slack.
D. The data taken from the starting cluster to the end of the last cluster that is occupied by the file.