A30 327
QUESTION NO: 1
Which three items are displayed in FTK Imager for an individual file in the Properties
A. flags
B. filename
C. hash set
D. timestamps
E. item number
Answer: A,B,D
QUESTION NO: 2
In FTK, which search broadening option allows you to find grammatical variations of the word "kill"
such as "killer," "killed," and "killing"?
A. Phonic
B. Synonym
C. Stemming
D. Fuzzy Logic
Answer: C
QUESTION NO: 3
When using FTK Imager to preview a physical drive, which number is assigned to the first logical
volume of an extended partition?
A. 2
B. 3
C. 4
D. 5
Answer: D
QUESTION NO: 4
When previewing a physical drive on a local machine with FTK Imager, which statement is true?
A. FTK Imager can block calls to interrupt 13h and prevent writes to suspect media.
B. FTK Imager can operate from a USB drive, thus preventing writes to suspect media.
C. FTK Imager can operate via a DOS boot disk, thus preventing writes to suspect media.
BrainDumps.com 2
AccessData A30-327 Exam
D. FTK Imager should always be used in conjunction with a hardware write protect device to
prevent writes to suspect media.
Answer: D
QUESTION NO: 5
A. individual files
B. all checked items
C. contents of a folder
D. all currently listed items
Answer: C
QUESTION NO: 6
To obtain protected files on a live machine with FTK Imager, which evidence item should be
added?
A. image file
B. currently booted drive
C. server object settings
D. profile access control list
Answer: B
QUESTION NO: 7
What are three image file formats that can be read by FTK Imager? (Choose three.)
A. E01 files
B. raw (dd) image files
C. SafeBack version 2.2 image files
D. SafeBack version 3.0 image files
E. Symantec Ghost compressed image files
Answer: A,B,C
QUESTION NO: 8
Which statement is true about using FTK Imager to simultaneously create multiple images of a
single source?
A. In the Image Creation Wizard, you should select the Add Additional Drives option.
B. You should use the Create Multiple Images option to create server image objects.
C. You should note the evidence item source signature and add it to the Image View pane.
D. In the Image Creation Wizard, you should add multiple destination jobs from the same
source prior to beginning image creation.
Answer: D
QUESTION NO: 9
FTK Imager allows a user to convert a Raw (dd) image into which two formats? (Choose two.)
A. E01
B. Ghost
C. SMART
D. SafeBack
Answer: A,C
QUESTION NO: 10
You are converting one image file format to another using FTK Imager. Why are the hash
values of the original image and the resulting new image the same?
Answer: D
QUESTION NO: 11
How can you use FTK Imager to obtain registry files from a live system?
Answer: A
QUESTION NO: 12
Which statement is true about using FTK Imager to export a folder and its subfolders?
Answer: A
QUESTION NO: 13
You used FTK Imager to create several hash list files. You view the location where the files
were exported. What is the file extension type for these files?
Answer: D
QUESTION NO: 14
You create two evidence images from the suspect's drive: suspect.E01 and suspect.001. You
want to be able to verify that the image hash values are the same for suspect.E01 and
suspect.001 image files. Which file has the hash value for the Raw (dd) image?
A. suspect.001.txt
B. suspect.E01.txt
C. suspect.001.csv
D. suspect.E01.csv
Answer: A
QUESTION NO: 15
You successfully export and create a file hash list while using FTK Imager. Which three
pieces of information are included in this file? (Choose three.)
A. MD5
B. SHA1
C. filename
D. record date
E. date modified
Answer: A,B,C
QUESTION NO: 16
During the execution of a search warrant, you image a suspect drive using FTK Imager and store
the Raw (dd) image files on a portable drive. Later, these files are transferred to a server for
storage. How do you verify that the information stored on the server is unaltered?
Answer: D
QUESTION NO: 17
Which three items are contained in an Image Summary File using FTK Imager? (Choose
three.)
A. MD5
B. CRC
C. SHA1
D. Sector Count
E. Cluster Count
Answer: A,C,D
QUESTION NO: 18
Which two image formats contain an embedded hash value for file verification? (Choose two.)
A. E01
B. S01
C. ISO
D. CUE
E. 001 (dd)
Answer: A,B
QUESTION NO: 19
While analyzing unallocated space, you locate what appears to be a 64-bit Windows date and
time. Which FTK Imager feature allows you to display the information as a date and time?
A. INFO2 Filter
B. Base Converter
C. Metadata Parser
D. Hex Value Interpreter
Answer: D
QUESTION NO: 20
A. Archive container
B. Java Code container
C. Documents container
D. Internet Files container
Answer: C
QUESTION NO: 21
Answer: D
QUESTION NO: 22
You are using FTK to process e-mail files. In which two areas can E-mail attachments be
Answer: A,B
QUESTION NO: 23
In FTK, which tab provides specific information on the evidence items, file items, file status and file
category?
A. E-mail tab
B. Explore tab
C. Overview tab
D. Graphics tab
Answer: C
QUESTION NO: 24
In FTK, you navigate to the Graphics tab at the Case level and you do not see any graphics. What
should you do to see all graphics in the case?
Answer: A
QUESTION NO: 25
In FTK, which two formats can be used to export an E-mail message? (Choose two.)
A. raw format
B. XML format
C. PDF format
D. HTML format
E. binary format
Answer: A,D
QUESTION NO: 26
In FTK, when you view the Total File Items container (rather than the Actual Files container), why
are there more items than files?
A. Total File Items includes files that are in archive files, while Actual Files does not.
B. Total File Items includes all unfiltered files while Actual Files includes only checked files.
C. Total File Items includes all KFF Ignorables while Actual Files includes only the KFF
Alerts.
D. Total File Items includes files that are in the Graphics and E-Mail tabs, while Actual Files
only includes files in the Graphics tab while excluding attachments in the E-mail tab.
Answer: A
QUESTION NO: 27
Answer: B
QUESTION NO: 28
What are three types of evidence that can be added to a case in FTK? (Choose three.)
A. local drive
B. registry MRU list
C. contents of a folder
D. acquired image of a drive
E. compressed volume files (CVFs)
Answer: A,C,D
QUESTION NO: 29
You want to search for two words within five words of each other. Which search request
would accomplish this function?
Answer: C
QUESTION NO: 30
You need to search for specific data that are located in a Microsoft Word document. You do not
know the exact spelling of this data. Using the Index Search Options as displayed in the exhibit,
which changes do you make in the Broadening Options and Search Limiting Options containers?
Answer: A
QUESTION NO: 31
You have processed a case in FTK using all the default options. The investigator supplies you
with a list of 400 names in an electronic format. What is the quickest way to search
Answer: D
QUESTION NO: 32
(\d{4}[\- ]){3}\d{4}
A. 000-000-0000
B. ddd-4-3-dddd-4-3
C. 000-00000-000-ABC
D. 0000-0000-0000-0000
Answer: D
QUESTION NO: 33
You examine evidence and flag several graphic images found in different folders. You now want to
bookmark these items into a single bookmark. Which tab in FTK do you use to view only the
flagged thumbnails?
A. Explore tab
B. Graphics tab
C. Overview tab
D. Bookmark tab
Answer: C
QUESTION NO: 34
What change do you make to the file filter shown in the exhibit in order to show only graphics with
a logical size between 500 kilobytes and 10 megabytes?
Answer: D
QUESTION NO: 35
FTK uses Data Carving to find which three file types? (Choose three.)
A. JPEG files
B. Yahoo! Chat Archives
C. WPD (Word Perfect Documents)
D. Enhanced Windows Meta Files (EMF)
E. OLE Archive Files (Office Documents)
Answer: A,D,E
QUESTION NO: 36
You are asked to process a case using FTK and to produce a report that only includes selected
graphics. What allows you to display only flagged graphics?
Answer: C
QUESTION NO: 37
Which two options are available in the FTK Report Wizard? (Choose two.)
Answer: A,B
QUESTION NO: 38
Using the FTK Report Wizard, which two options are available in the List by File Path
D. Include Registry Viewer Reports
Answer: B,C
QUESTION NO: 39
Using the FTK Report Wizard, which two options are available in the Bookmarks - A
Answer: D,E
QUESTION NO: 40
A. highlight the data and select the Hex Value Interpreter tab
B. highlight the data, right-click on the highlighted data and select the Show Hex Interpreter
Window
C. select the Hex Value Interpreter tab, highlight the data, right-click on the data to initiate the
Hex Interpreter
D. right-click on the data area and select the Show Hex Interpreter Window and highlight the
data you want to interpret
Answer: B
QUESTION NO: 41
Which data in the Registry can the Registry Viewer translate for the user? (Choose three.)
Answer: B,C,E
QUESTION NO: 42
What are two functions of the Summary Report in Registry Viewer? (Choose two.)
Answer: A,B
QUESTION NO: 43
When using Registry Viewer to view a key with 20 values, what option can be used to display only
5 of the 20 values in a report?
A. Report
B. Special Reports
C. Summary Report
D. Add to Report With Children
Answer: C
QUESTION NO: 44
You view a registry file in Registry Viewer. You want to create a report, which includes items that
you have marked "Add to Report." Which Registry Viewer option accomplishes this task?
A. Common Areas
B. Generate Report
C. Define Summary Report
D. Manage Summary Reports
Answer: B
QUESTION NO: 45
Which Registry Viewer function would allow you to automatically document multiple
A. Add to Report
B. Export User List
C. Add to Report with Children
D. Summary Report with Wildcard
Answer: D
QUESTION NO: 46
A. dictionary attack
B. key space attack
C. brute-force attack
D. rainbow table attack
Answer: A
QUESTION NO: 47
Answer: D
QUESTION NO: 48
A. Art of War
B. Entropy Test
C. Advanced EFS Attack
D. Primary Dictionary Attack
Answer: A
QUESTION NO: 49
You are attempting to access data from the Protected Storage System Provider (PSSP) area of a
registry. How do you accomplish this using PRTK?
Answer: B
QUESTION NO: 50
When using PRTK to attack encrypted files exported from a case, which statement is true?
A. PRTK will request the user access control list from FTK.
B. PRTK will generate temporary copies of decrypted files for printing.
C. FTK will stop all active jobs to allow PRTK to decrypt the exported files.
D. File hash values will change when they are saved in their decrypted format.
E. Additional interoperability between PRTK and NTAccess becomes available when files
begin decrypting.
Answer: D
QUESTION NO: 51
In FTK, a user may alter the alert or ignore status of individual hash sets within the active
Answer: A
QUESTION NO: 52
After creating a case, the Encrypted Files container lists EFS files. However, no decrypted
sub-items are present. All other necessary components for EFS decryption are present in the
case. Which two files must be used to recover the EFS password for use in FTK? (Choose two.)
A. SAM
B. system
C. SECURITY
D. Master Key
E. FEK Certificate
Answer: A,B
QUESTION NO: 53
Answer: A,C
QUESTION NO: 54
When decrypting EFS files in a case, you receive the result shown in the exhibit. What is the most
plausible explanation for this result?
Answer: B
QUESTION NO: 55
Which two Registry Viewer operations can be conducted from FTK? (Choose two.)
Answer: B,D
QUESTION NO: 56
A. FTK
B. DNA
C. PRTK
D. Registry Viewer
Answer: A
QUESTION NO: 57
Into which two categories can an imported hash set be assigned? (Choose two.)
A. alert
B. ignore
C. contraband
D. system files
Answer: A,B
QUESTION NO: 58
What happens when a duplicate hash value is imported into a KFF database?
Answer: A
QUESTION NO: 59
You currently store alternate hash libraries on a remote server. Where do you configure FTK to
access these files rather than the default library, ADKFFLibrary.hdb?
A. Preferences
B. User Options
C. Analysis Tools
D. Import KFF Hashes
Answer: A
QUESTION NO: 60
A. ftk.exe
B. case.ini
C. case.dat
D. isobuster.dll
Answer: C
Explanation: