
Contents

Chapter 1: Computer Hardware......................................................................................................................................1
Chapter 2: File Systems..................................................................................................................................................3
Chapter 3: First Response...............................................................................................................................................6
Chapter 4: Acquiring Digital Evidence...........................................................................................................................9
Chapter 5: EnCase Concepts.........................................................................................................................................12
Chapter 6: EnCase Environment...................................................................................................................................15
Chapter 7: Understanding, Searching For, and Bookmarking Data.............................................................................17
Chapter 8: File Signature Analysis and Hash Analysis.................................................................................................20
Chapter 10: Advanced EnCase......................................................................................................................................25

Chapter 1: Computer Hardware


1. What is the definition of a CPU?
A. The physical computer case that contains all its internal components
B. The computer’s internal hard drive
C. A part of the computer whose function is to perform data processing
D. A part of the computer that stores and manages memory
1. C. A CPU is the central processing unit, which means it’s a microprocessor that
performs data processing, in other words, interprets and executes instructions.

2. What is the BIOS?


A. BIOS stands for Basic Input Output System and is a combination of low-level software and drivers that
function as the interface, intermediary, or layer between a computer’s hardware and its operating system.
B. BIOS stands for Bootstrap Initialization Operating System and is a combination of low-level software and
drivers that function as the interface, intermediary, or layer between a computer’s hardware and its operating
system.
C. BIOS stands for Boot-level Input Output System and is a combination of low-level software and drivers
that function as the interface, intermediary, or layer between a computer’s hardware and its operating system.
D. BIOS stands for Boot Initialization Operating System and is a combination of low-level software and
drivers that function as the interface, intermediary, or layer between a computer’s hardware and its operating
system.

3. What is the definition of POST?


A. A set of computer sequences the operating system executes upon a proper shutdown
B. A diagnostic test of the computer’s hardware and software for presence and operability during the boot
sequence prior to running the operating system
C. A diagnostic test of the computer’s software for presence and operability during the boot sequence prior to
running the operating system
D. A diagnostic test of the computer’s hardware for presence and operability during the boot sequence prior to
running the operating system

1|Page
3. D. Power On Self-Test is a diagnostic test of the computer’s hardware, such
as the motherboard, memory, CD-ROM drive, and so forth. POST does not
test the computer’s software.

4. Is the information stored on a computer’s ROM chip lost during a proper shutdown?
A. Yes
B. No
5. Is the information contained on a computer’s RAM chip accessible after a proper shutdown?
A. Yes
B. No
6. Can information stored in the BIOS ever change?
A. Yes
B. No
7. What is the purpose or function of a computer’s ROM chip?
A. Long-term or permanent storage of information and instructions
B. Temporary storage area to run applications
C. Permanent storage area for programs and files
D. A portable storage device
8. Information contained in RAM memory (system’s main memory), which is located on the motherboard, is
_________ .
A. volatile
B. nonvolatile
9. What is the maximum number of drive letters assigned to hard drive(s) partitions on a system?
A. 4
B. 16
C. 24
D. Infinity
10. The smallest area on a drive that data can be written to is a _______, while the smallest area on a drive that a file
can be written to is a ________.
A. bit and byte
B. sector and cluster
C. volume and drive
D. memory and disk
11. The size of a physical hard drive can be determined by which of the following?
A. The cylinder × head × sector
B. The cylinder × head × sector × 512 bytes
C. The total LBA sectors × 512 bytes
D. Adding the total size of partitions
E. Both B and C
12. Which is not considered exclusively an output device?
A. Monitor
B. Printer
C. CD-RW drive
D. Speaker
13. The electrical pathway used to transport data from one computer component to another is called what?
A. Bus
B. RAM
C. CMOS
D. BIOS
14. What is the main component of a computer to which essential internal devices such as CPU, memory chips, and
other chipsets are attached?
A. BIOS
B. Motherboard
C. Expansion card
D. Processor
15. IDE, SCSI, and SATA are different types of interfaces describing what device?
A. RAM chips
B. Flash memory
C. CPUs
D. Hard drives
16. What do the terms master, slave, and Cable Select refer to?
A. External SCSI devices
B. Cable types for external hardware
C. Jumper settings for internal hardware such as IDE hard drives and CD drives
D. Jumper settings for internal expansion cards
17. What can you assume about a hard drive that is pinned as CS?
A. It’s an IDE drive.
B. It’s a SATA drive.
C. It’s a SCSI drive.
D. All of the above.
18. What is found at Cylinder 0, Head 0, Sector 1 on a hard drive?
A. Master boot record
B. Master file table
C. Volume boot record
D. Volume boot sector
19. What is the first sector on a volume called?
A. File allocation table
B. Volume boot record or sector
C. Master boot record
D. Volume boot device
20. Which of the following is incorrect?
A. The MBR is typically written when the drive is partitioned with FDISK or DISKPART.
B. A file system is a system or method of storing and retrieving data on a computer system that allows for a
hierarchy of directories, subdirectories, and files.
C. The VBR is typically written when the drive is high-level formatted with a utility such as format.
D. The partition table is contained within the MBR and consists of a total of 16 bytes, which describes up to
four partitions using 4 bytes each to do so.

Chapter 2: File Systems

The word “FAT” applies to FAT12, FAT16, and FAT32 file systems, unless exFAT is specifically
mentioned.
1. On a FAT file system, FAT is defined as which of the following?
A. A table consisting of master boot record and logical partitions
B. A table created during the format that the operating system reads to locate data on a drive
C. A table consisting of filenames and file attributes
D. A table consisting of filenames, deleted filenames, and their attributes
2. How does a corrupted sector located in the data area of a hard drive affect the corresponding cluster number on a
FAT in a FAT file system?
A. It does not affect the corresponding cluster number on a FAT; therefore, the rest of the sectors associated
with the assigned cluster can still be written to.
B. It does not affect the corresponding cluster number on a FAT; only the corrupted portion of the sector is
prevented from being written to.
C. It does affect the FAT. The corresponding cluster number is marked as bad; however, only the corrupted
sector within the cluster is prevented from being written to.
D. It does affect the FAT. The corresponding cluster number is marked as bad, and the entire cluster is
prevented from being written to.
3. Which of the following describes a partition table?
A. It is located at cylinder 0, head 0, sector 1.
B. It is located in the master boot record.
C. It keeps track of the partitions on a hard drive.
D. All of the above.
4. Which selection keeps track of a fragmented file in a FAT (not exFAT) file system?
A. File Allocation Table
B. Directory structure
C. Volume boot record
D. Master file table
5. If the FAT, in a FAT file system, lists cluster number 2749 with a value of 0, what does this mean about this
specific cluster?
A. It is blank and contains no data.
B. It is marked as bad and cannot be written to.
C. It is allocated to a file.
D. It is unallocated and is available to store data.
6. Which of the following is true about a volume boot record?
A. It is always located at the first sector of its logical partition.
B. It immediately follows the master boot record.
C. It contains BIOS parameter block and volume boot code.
D. Both A and C.
7. The NTFS file system does which of the following?
A. Supports long filenames
B. Compresses individual files and directories
C. Supports large file sizes in excess of 4 GB
D. All of the above
8. How many clusters can a FAT32 file system manage?
A. 2 × 32 = 64 clusters
B. 2³² = 4,294,967,296 clusters
C. 2 × 28 = 56 clusters
D. 2²⁸ = 268,435,456 clusters
9. In a FAT file system, the FAT tracks the _____________ while the directory entry tracks the _____________ .
A. The filename and file size
B. The file’s starting cluster and file’s last cluster (EOF)
C. The file’s last cluster (EOF) and file’s starting cluster
D. The file size and file fragmentation
10. How many copies of the FAT does each FAT32 volume maintain in its default configuration?
A. One
B. Two
C. Three
D. Four
11. Which of the following is not true regarding the NTFS file system?
A. Data for very small files can be stored in the MFT itself and is referred to as resident data.
B. Cluster allocation is tracked in the $Bitmap file.
C. Data that is stored in clusters is called nonresident data.
D. Cluster allocation is tracked in the File Allocation Table (FAT).
12. A file’s physical size is which of the following?
A. Always greater than the file’s logical size
B. The number of bytes in the logical file plus all slack space from the end of the logical file to the end of the
last cluster
C. Both A and B
D. None of the above
13. A directory entry in a FAT file system has a logical size of which of the following?
A. 0 bytes
B. 8 bytes
C. 16 bytes
D. One sector
14. Each directory entry in a FAT file system is ____ bytes in length.
A. 0
B. 8
C. 16
D. 32
15. By default, what color does EnCase use to display directory entries within a directory structure?
A. Black
B. Red
C. Gray
D. Yellow
16. What is the area between the end of a file’s logical size and the file’s physical size called?
A. Unused disk area
B. Unallocated clusters
C. Unallocated sectors
D. Slack space
17. What three things occur when a file is created in a FAT32 file system?
A. The directory entry for the file is created, the FAT assigns the necessary clusters to the file, and the file’s
data is filled into the assigned clusters.
B. The filename is entered into the FAT, the directory structure assigns the number of clusters, and the file’s
data is filled into the assigned clusters.
C. The directory entry for the file is created, the number of clusters is assigned by the directory structure, and
the file’s data is filled into the FAT.
D. The directory structure maintains the number of clusters needed, the filename is recorded in the FAT, and
the file’s data is filled into the assigned clusters.
18. How does EnCase recover a deleted file in a FAT file system?
A. It reads the deleted filename in the FAT and searches for the file by its starting cluster number and logical
size.
B. It reads the deleted filename in the directory entry and searches for the corresponding filename in
unallocated clusters.
C. It obtains the deleted file’s starting cluster number and size from the directory entry to obtain the data’s
starting location and number of clusters required.
D. It obtains the deleted file’s starting cluster number and size from the FAT to locate the starting location and
number of clusters needed.
19. What does EnCase do when a deleted file’s starting cluster number is assigned to another file?
A. EnCase reads the entire existing data as belonging to the deleted file.
B. EnCase reads the amount of data only from the existing file that is associated with the deleted file.
C. EnCase marks the deleted file as being overwritten.
D. EnCase does not display a deleted filename when the data has been overwritten.
20. Which of the following is not true regarding the exFAT file system?
A. Cluster allocation is tracked in the File Allocation Table (FAT).
B. When a file is deleted, the corresponding entries in the File Allocation Table (FAT) are reset or zeroed out.
C. Cluster allocation is tracked in an allocation bitmap.
D. An entry in the FAT of 00 00 00 00 means that the FAT is not tracking allocation for this file.

Chapter 3: First Response


1. What is the first consideration when responding to a scene?
A. Your safety
B. The safety of others
C. The preservation of evidence
D. Documentation
2. What are some variables regarding a facility that you should consider prior to responding to a scene?
A. What type of structure is it?
B. How large is the structure?
C. What are the hours of operation?
D. Is there a helpful person present to aid in your task?
E. All of the above.
3. What are some variables regarding items to be seized that you should consider prior to responding to a scene?
A. Location(s) of computers
B. Type of operating system
C. Workstations or mainframes
D. System-critical or auxiliary machine
E. All of the above
4. Generally speaking, if you encounter a desktop computer running Windows 7, how should you take down the
machine?
A. Shut down using Windows 7.
B. Shut down by pulling the power cord from the outlet.
C. Shut down by pulling the plug from the computer box.
D. All of the above.
5. Generally speaking, if you encounter a computer running Windows 2008 Server, how should you take down the
machine?
A. Shut down using its operating system.
B. Shut down by pulling the power cord from the outlet.
C. Shut down by pulling the plug from the computer box.
D. All of the above.
6. Generally speaking, if you encounter a Unix/Linux machine, how should you take down the machine?
A. Shut down using its operating system.
B. Shut down by pulling the power cord from the outlet.
C. Shut down by pulling the plug from the computer box.
D. All of the above.
7. When unplugging a desktop computer, from where is it best to pull the plug?
A. The back of the computer
B. The wall outlet
C. A or B
8. What is the best method to shut down a notebook computer?
A. Unplug from the back of the computer.
B. Unplug from the wall.
C. Remove the battery.
D. Both A and C.
9. Generally speaking, if you encounter a Macintosh computer, how should you take down the machine?
A. Shut down using the operating system.
B. Shut down by pulling the power cord from the outlet.
C. Shut down by pulling the plug from the computer box.
D. All of the above.
10. Which selection displays the incorrect method for shutting down a computer?
A. DOS: Pull the plug.
B. Windows 7: Pull the plug.
C. Windows XP: Pull the plug.
D. Linux: Pull the plug.
11. When shutting down a computer, what information is typically lost?
A. Data in RAM memory
B. Running processes
C. Current network connections
D. Current logged-in users
E. All of the above
12. Which of the following is not acceptable for “bagging” a computer workstation?
A. Large paper bag.
B. Brown wrapping paper.
C. Plastic garbage bag.
D. Large antistatic plastic bag.
E. All of the above are acceptable for bagging a workstation.
13. In which circumstance is pulling the plug to shut down a computer system considered the best practice?
A. When the OS is Linux/Unix
B. When the OS is Windows 7 and known to be running a large business database application
C. When the OS is Windows (NT/2000/2003/2008) Server
D. When Mac OS X Server is running as a web server
E. None of the above
14. How is the chain of custody maintained?
A. By bagging evidence and sealing it to protect it from contamination or tampering
B. By documenting what, when, where, how, and by whom evidence was seized
C. By documenting in a log the circumstances under which evidence was removed from the evidence control
room
D. By documenting the circumstances under which evidence was subjected to analysis
E. All of the above
15. It is always safe to pull the plug on a Windows 7 Enterprise operating system.
A. True
B. False
16. On a production Linux/Unix server, you must generally be which user to shut down the system?
A. sysadmin
B. administrator
C. root
D. system
17. When would it be acceptable to navigate through a live system?
A. To observe the operating system to determine the proper shutdown process
B. To document currently opened files (if Enterprise/FIM edition is not available)
C. To detect mounted encryption
D. To access virtual storage facility (if search warrant permits; some are very specific about physical location)
E. All of the above
18. A console prompt that displayed backslashes (\) as part of its display would most likely be which of the
following?
A. Red Hat Linux operating system
B. Unix operating system
C. Linux or Unix operating system logged in as root
D. MS-DOS
19. When called to a large office complex with numerous networked machines, it is always a good idea to request
the assistance of the network administrator.
A. True
B. False
20. Subsequent to a search warrant where evidence is seized, what items should be left behind?
A. Copy of the affidavit
B. Copy of the search warrant
C. List of items seized
D. A and B
E. B and C

Chapter 4: Acquiring Digital Evidence


1. When acquiring a hard drive using a Linux boot disk with LinEn, what would be the cause of EnCase (LinEn) not
detecting partition information?
A. The drive has been FDisked and the partition(s) removed.
B. The partition(s) are not recognized by Linux.
C. Both A and B.
D. None of the above.
2. LinEn contains a write blocker that protects the target media from being altered.
A. True
B. False
3. As a good forensic practice, why would it be a good idea to wipe a forensic drive before reusing it?
A. Chain-of-custody
B. Cross-contamination
C. Different file and operating systems
D. Chain of evidence
E. No need to wipe
4. If the number of sectors reported by EnCase does not match the number reported by the manufacturer for the
drive, what should you do?
A. Suspect HPA.
B. Suspect DCO.
C. Use Tableau or FastBloc SE to access the sectors protected by HPA or DCO.
D. Boot with LinEn in Linux.
E. All of the above.
5. When acquiring digital evidence, why shouldn’t the evidence be left unattended in an unsecured location?
A. Cross-contamination
B. Storage
C. Chain-of-custody
D. Not an issue
6. Which describes an HPA? (Choose all that apply.)
A. Stands for Host Protected Area
B. Is not normally seen by the BIOS
C. Is not normally seen through Direct ATA access
D. Was introduced in the ATA-6 specification
7. Which describes a DCO?
A. Was introduced in the ATA-6 specification.
B. Stands for Device Configuration Overlay.
C. Is not normally seen by the BIOS.
D. It may contain hidden data, which can be seen by switching to the Direct ATA mode in EnCase for DOS.
E. All of the above.
8. At which user level must the examiner function when using LinEn?
A. Administrator
B. Admin
C. Root
D. Any user
E. None of the above
9. Reacquiring an image and adding compression will change the MD5 value of the acquisition hash.
A. True
B. False
10. When reacquiring an image, you can change the name of the evidence.
A. True
B. False
11. Which of the following should you do when creating a storage volume to hold an EnCase evidence file that will
be created with LinEn? (Choose all that apply.)
A. Format the volume with the FAT file system.
B. Give the volume a unique label to identify it.
C. Wipe the volume before formatting to conform to best practices, and avoid claims of cross-contamination.
D. Create a directory to contain the evidence file.
E. Format the volume with the NTFS file system.
F. All of the above.
12. In Linux, what describes hdb2? (Choose all that apply.)
A. Refers to the primary master
B. Refers to the primary slave
C. Refers to hard drive number 2
D. Refers to the second partition
E. Refers to the secondary master
13. In Linux, what describes sdb? (Choose all that apply.)
A. Refers to an IDE device
B. Refers to a SCSI device
C. Refers to a USB device
D. Refers to a FireWire device
14. When acquiring USB flash memory, you could write-protect it by doing what?
A. Engaging the write-protect switch, if equipped
B. Modifying the registry in Windows XP SP2 (or higher) to make USB read-only
C. Using ENBD/ENBCD USB DOS drivers and having EnCase for DOS “lock” the Flash media
D. Using LinEn in Linux with automount of file system disabled
E. Using FastBloc SE to write block USB, FireWire, SCSI drives
F. All of the above
15. Which are true with regard to EnCase Portable? (Choose all that apply.)
A. Storage media must be prepared using the Portable Management tool before it can be used by EnCase
Portable.
B. If booting with the EnCase Portable Boot CD, the EnCase Portable dongle must also be connected so that
the license can be accessed.
C. EnCase Portable can triage and collect evidence in a forensically sound manner from live machines or in
boot mode.
D. EnCase Portable can be configured with custom tasks created by the examiner using the Portable
Management tool.
16. LinEn can be run under both Windows and DOS operating systems.
A. True
B. False
17. When using LinEn, the level of support for USB, FireWire, and SCSI devices is determined by what?
A. The drivers built into LinEn
B. The drivers provided with the ENBCD
C. The distribution of Linux being used
D. A and B
E. None of the above
18. How should CDs be acquired using EnCase?
A. DOS
B. Windows
19. Select all that are true about EE and FIM.
A. They can acquire or preview a system live without shutting it down.
B. They can capture live system-state volatile data using the Snapshot feature.
C. With EE, the SAFE is on a separate PC, administered by the keymaster.
D. With FIM, the SAFE is on the examiner’s PC and the keymaster and the examiner are the same person.
E. FIM can be licensed to private individuals.
20. Which of the following are true? (Choose all that apply.)
A. LinEn contains no write-blocking capability. Rather, write blocking is achieved by disabling the automount
feature within the host Linux operating system.
B. LinEn contains its own onboard write-blocking drivers and therefore can be safely run on any version of
Linux.
C. LinEn can format drives to both NTFS and FAT formats.
D. Before using a target drive onto which to write evidence files, LinEn must be used to unlock the target
drive and render it writable.
E. LinEn can format drives to EXT2 or EXT3 format.

Chapter 5: EnCase Concepts


1. The EnCase evidence file is best described as follows:
A. A mirror image of the source device written to a hard drive
B. A sector-by-sector image of the source device written to corresponding sectors of a secondary hard drive
C. A bitstream image of a source device written to the corresponding sectors of a secondary hard drive
D. A bitstream image of a source device written to a file or several file segments
2. How does EnCase verify the contents of an evidence file, using the default settings?
A. EnCase writes an MD5 and/or SHA-1 hash value for every 32 sectors copied.
B. EnCase writes an MD5 and/or SHA-1 value for every 64 sectors copied.
C. EnCase writes a CRC value for every 32 sectors copied.
D. EnCase writes a CRC value for every 64 sectors copied.
3. What is the smallest file size that an EnCase evidence file can be saved as?
A. 64 sectors
B. 512 sectors
C. 1 MB
D. 30 MB
E. 640 MB
4. What is the largest file segment size that an EnCase evidence file can be saved as?
A. 640 MB
B. 1 GB
C. 2 GB
D. 8,796,093,018,112 MB
E. No maximum limit
5. How does EnCase verify that the evidence file contains an exact copy of the source device?
A. By comparing the MD5 hash value (alternatively SHA-1 or both) of the source device to the MD5 hash
value (alternatively SHA-1 or both) of the data stored in the evidence file
B. By comparing the CRC value of the source device to the CRC of the data stored in the evidence file
C. By comparing the MD5 hash value (alternatively SHA-1 or both) of the source device to the MD5 hash
value (alternatively SHA-1 or both) of the entire evidence file
D. By comparing the CRC value of the source device to the CRC value of the entire evidence file
6. How does EnCase verify that the case information—such as case number, evidence number, notes, and so on—in
an evidence file has not been damaged or altered after the evidence file has been written?
A. The case file writes a CRC value for the case information and verifies it when the case is opened.
B. EnCase does not verify the case information, because it can be changed at any time.
C. EnCase writes a CRC value for the case information and verifies the CRC value when the evidence is
added to a case.
D. EnCase writes an MD5 value of the case information and verifies the MD5 value when the evidence is
added to a case.
7. For an EnCase evidence file to successfully pass the file verification process, which of the following must be
true?
A. The MD5 hash value (alternatively SHA-1 or both) must verify.
B. The CRC values and the MD5 hash value (alternatively SHA-1 or both) both must verify.
C. Either the CRC or MD5 hash values (alternatively SHA-1 or both) must verify.
D. The CRC values must verify.
8. The MD5 hash algorithm produces a _____ value.
A. 32-bit
B. 64-bit
C. 128-bit
D. 256-bit
9. Regarding the EnCase backup process (EnCase 7.04 and newer), which of the following are true?
A. The case file backup is stored with a .cbak extension.
B. By default, the backup frequency is every 30 minutes after completion of the previous backup.
C. The evidence cache and the case folder are backed up, except for EnCase evidence files and
the Temp and Export folders.
D. All of the above are correct.
E. Only B and C are correct.
10. If an evidence file has been added to a case and completely verified, what happens if the data area within the
evidence file is later altered?
A. EnCase will detect the error when that area of the evidence file is accessed by the user.
B. EnCase will detect the error only if the evidence file is manually reverified.
C. EnCase will allow the examiner to continue to access the rest of the evidence file that has not been
changed, but will not allow access to the corrupted or changed block.
D. All of the above.
11. Which of the following aspects of the EnCase evidence file can be changed during a reacquisition of the
evidence file?
A. Investigator’s name
B. Evidence number
C. Notes
D. Evidence file size
E. All of the above
12. An evidence file was archived onto five CD-ROMs with the third file segment on disc 3. Can the contents of the
third file segment be verified by itself while still on the CD-ROM?
A. No. All evidence file segments must be put back together.
B. Yes. Any evidence file segment can be verified independently by comparing the CRC values.
13. Will EnCase allow a user to write data into an acquired evidence file?
A. Yes, when adding notes or comments to bookmarks.
B. Yes, when adding search results.
C. A and B.
D. No, data cannot be added to the evidence file after the acquisition is made.
14. All investigators using EnCase should run tests on the evidence file acquisition and verification process to do
which of the following?
A. To further the investigator’s understanding of the evidence file
B. To give more weight to the investigator’s testimony in court
C. To verify that all hardware and software is functioning properly
D. All of the above
15. When a noncompressed evidence file is reacquired with compression, the acquisition and verification hash
values for the evidence file will remain the same for both files.
A. True
B. False
16. The Ex01 evidence file format consists of three parts, which are the Ev2 Header, Data, and CRC record block.
A. True
B. False
17. The EnCase evidence file’s logical filename can be changed without affecting the verification of the acquired
evidence.
A. True
B. False
18. An evidence file can be moved to another directory without changing the file verification.
A. True
B. False
19. What happens when EnCase attempts to reopen a case once the evidence file has been moved?
A. EnCase reports that the file’s integrity has been compromised and renders the file useless.
B. EnCase reports a different hash value for the evidence file.
C. EnCase prompts for the location of the evidence file.
D. EnCase opens the case, excluding the moved evidence file.
20. During reacquisition, you can change which of the following? (Choose all that apply.)
A. Block size and error granularity
B. Add or remove a password
C. Investigator’s name
D. Compression
E. File segment size

Chapter 6: EnCase Environment


1. In the EnCase Windows environment, must an examiner first create a new case before adding a device to
examine?
A. Yes
B. No
2. When EnCase 7 is used to create a new case, which files are created automatically in the case folder under the
folder bearing the name of the case?
A. Evidence, Export, Temp, and Index folders
B. Export, Temp, and Index folders
C. Email, Export, Tags, and Temp
D. Evidence, Email, Tags, and Temp
3. From the EnCase 7 Home screen, which of the following cannot be carried out?
A. Opening a case
B. Creating a new case
C. Opening options
D. Generating an encryption key
E. None of the above
4. When creating a new case, the Case Options dialog box prompts for which of the following?
A. Name (case name)
B. Examiner name
C. Base case folder path
D. Primary evidence cache path
E. All of the above
5. What determines the action that will result when a user double-clicks a file within EnCase?
A. The settings in the TEXTSTYLES.INI file
B. The settings in the FILETYPES.INI file
C. The settings in the FILESIGNATURES.INI file
D. The settings in the VIEWERS.INI file
6. In the EnCase environment, the term external viewers is best described as which of the following?
A. Internal programs that are copied out of an evidence file
B. External programs loaded in the evidence file to open specific file types
C. External programs that are associated with EnCase to open specific file types
D. External viewers used to open a file that has been copied out of an evidence file
7. Where is the list of external viewers kept within EnCase?
A. The settings in the TEXTSTYLES.INI file
B. The settings in the FILETYPES.INI file
C. The settings in the EXTERNALVIEWERS.CFG file
D. The settings in the VIEWERS.INI file
8. When EnCase sends a file to an external viewer, to which folder does it send the file?
A. Scratch
B. Export
C. Temp
D. None of the above
9. How is the Disk view launched?
A. By simply switching to the Disk view tab on the Table pane
B. By launching it from the Device menu
C. By right-clicking the device and choosing Open With Disk Viewer
D. None of the above
10. Which of the following is true about the Gallery view?
A. Files that are determined to be images by their file extension will be displayed.
B. Files that are determined to be images based on file signature analysis will be displayed after the EnCase
evidence processor has been run.
C. Files displayed in the Gallery view are determined by where you place the focus in the Tree pane or where
you activate the Set-Included Folders feature.
D. All of the above.
11. True or false? The right-side menu is a collection of the menus and tools found on its toolbar.
A. True
B. False
12. True or false? The results of conditions and filters are seen immediately in the Table pane of the Evidence tab
Entries view.
A. True
B. False
13. How do you access the setting to adjust how often a backup file (.cbak) is saved?
A. Select Tools > Options > Case Options.
B. Select View > Options > Case Options.
C. Select Tools > Options > Global.
D. Select View > Options > Global.
14. What is the maximum number of columns that can be sorted simultaneously in the Table view tab?
A. Two
B. Three
C. Six
D. 28 (maximum number of tabs)
15. How would a user reverse-sort on a column in the Table view?
A. Hold down the Ctrl key, and double-click the selected column header.
B. Right-click the selected column, select Sort, and select either Sort Ascending or Sort Descending.
C. Both A and B.
16. How can you hide a column in the Table view?
A. Place the cursor on the selected column, and press Ctrl+H.
B. Place cursor on the selected column, open Columns menu on the toolbar, and select Hide.
C. Place cursor on the selected column, open the right-side menu, open the Columns submenu, and select
Hide.
D. Open the right-side menu, open the Columns submenu, select Show Columns, and uncheck the desired
fields to be hidden.
E. All of the above.
17. What does the Gallery view tab use to determine graphics files?
A. Header or file signature
B. File extension
C. Filename
D. File size
18. Will the EnCase Gallery view display a .jpeg file if its file extension was renamed to .txt?
A. No, because EnCase will treat it as a text file
B. Yes, because the Gallery view looks at a file’s header information and not the file extension
C. Yes, but only if a signature analysis is performed to correct the File Category to Picture based on its file
header information
D. Yes, but only after a hash analysis is performed to determine the file’s true identity
19. How would a user change the default colors and text fonts within EnCase?
A. The user cannot change the default colors and fonts settings.
B. The user can change the default colors and fonts settings by right-clicking the selected items and scrolling
down to Change Colors and Fonts.
C. The user can change the default colors and fonts settings by clicking the View tab on the menu bar and
selecting the Colors tab or Fonts tab.
D. The user can change default colors and fonts settings by clicking the Tools tab on the menu bar, selecting
Options, and selecting the Colors tab or Fonts tab.
20. An EnCase user will always know the exact location of the selected data in the evidence file by looking at which
of the following?
A. Navigation Data on status bar
B. Dixon box
C. Disk view
D. Hex view
Chapter 7: Understanding, Searching For, and Bookmarking Data
1. Computers use a numbering system with only two digits, 0 and 1. This system is referred to as which of the
following?
A. Hexadecimal
B. ASCII
C. Binary
D. FAT
2. A bit can have a binary value of which of the following?
A. 0 or 1
B. 0–9
C. 0–9 and A–F
D. On or Off
3. A byte consists of ___ bits.
A. 2
B. 4
C. 8
D. 16
4. 1 bit can have two unique possibilities, 2 bits can have four unique possibilities, and 3 bits can have eight
unique possibilities. This is known as the power of 2. How many unique possibilities are there in 8 bits (2^8)?
A. 16
B. 64
C. 128
D. 256
5. When the letter A is represented as 41h, it is displayed in which of the following?
A. Hexadecimal
B. ASCII
C. Binary
D. Decimal
6. What is the decimal integer value for the binary code 0000-1001?
A. 7
B. 9
C. 11
D. 1001
7. Select all of the following that depict a Dword value.
A. 0000 0001
B. 0001
C. FF 00 10 AF
D. 0000 0000 0000 0000 0000 0000 0000 0001
8. How many characters can be addressed by the 7-bit ASCII character table? 16-bit Unicode?
A. 64 and 256
B. 128 and 256
C. 64 and 65,536
D. 128 and 65,536
9. Which of the following are untrue with regard to the EnCase Evidence Processor?
A. A device must be acquired first before processing or be acquired as a requisite first step within the EnCase
Evidence Processor.
B. A live device can be subjected to normal processing by the EnCase Evidence Processor and does not have
to be acquired first.
C. Items marked with red flags denote items that are not applicable to the file system being processed.
D. Items marked with red flags denote items that must be run during the first or initial run of the EnCase
Evidence Processor and can’t be run in any subsequent run thereafter.
E. A raw keyword search can be conducted during processing by the EnCase Evidence Processor.
10. When performing a keyword search in Windows, EnCase searches which of the following?
A. The logical files
B. The physical disk in unallocated clusters and other unused disk areas
C. Both A and B
D. None of the above
11. By default, search terms are case sensitive.
A. True
B. False
12. By selecting the Unicode box for a raw search, EnCase searches for both ASCII and Unicode formats.
A. True
B. False
13. With regard to a search using EnCase in the Windows environment, can EnCase find a word or phrase that is
fragmented or spans in noncontiguous clusters?
A. No, because the letters are located in noncontiguous clusters.
B. No, EnCase performs a physical search only.
C. No, unless the File Slack option is deselected in the dialog box before the search.
D. Yes, EnCase performs both physical and logical searches.
14. Which of the following would be a raw search hit for the His keyword?
A. this
B. His
C. history
D. Bill_Chisholm@gmail.com
E. All of the above
15. Which of the following would be a search hit for the following GREP expression?
[^a-z]Liz[^a-z]
A. Elizabeth
B. Lizzy
C. Liz1
D. None of the above
16. Which of the following would be a search hit for the following GREP expression?
[\x00-\x07]\x00\x00\x00...
A. 00 00 00 01 A0 EE F1
B. 06 00 00 00 A0 EE F1
C. 0A 00 00 00 A0 EE F1
D. 08 00 00 00 A0 EE F1
17. Which of the following would be a search hit for the following index search expression?
<c>Saddam npre/3 Hussein
A. Saddam Alfonso Adolph Cano Hitler Hussein
B. saddam alfonso adolph cano hitler hussein
C. Saddam Alfonso Hussein Adolph Cano Hitler
D. saddam alfonso hussein adolph cano hitler
E. Hussein Hitler Cano Adolph Alfonso Saddam
F. None of the above
18. Which of the following will not be a search hit for the following GREP expression?
[^#]123[ \-]45[ \-]6789[^#]
A. A1234567890
B. A123 45-6789
C. A123-45-6789
D. A123 45 6789
19. A sweep or highlight of a specific range of text is referred to as which of the following?
A. Table view bookmark
B. Single item bookmark
C. Highlighted data bookmark
D. Notable file bookmark
E. Notes bookmark
20. Which of the following is not correct regarding EnCase 7 index searches?
A. Before searching, the index must first be created using the Create Index EnScript.
B. Before searching, the index must first be created using the EnCase Evidence Processor.
C. All queries are case insensitive regardless of any switches or settings, because that is the nature of all
indexed searches.
D. By default, queries are case insensitive but can be configured to be case sensitive.
E. A query for any word in the noise file will not return any items as all words in the noise file are ignored and
excluded from the index.

Chapter 8: File Signature Analysis and Hash Analysis


1. When running a signature analysis, EnCase will do which of the following?
A. Compare a file’s header to its hash value.
B. Compare a file’s header to its file signature.
C. Compare a file’s hash value to its file extension.
D. Compare a file’s header to its file extension.
2. A file header is which of the following?
A. A unique set of characters at the beginning of a file that identifies the file type.
B. A unique set of characters following the filename that identifies the file type.
C. A 128-bit value that is unique to a specific file based on its data.
D. Synonymous with file extension.
3. The Windows operating system uses a filename’s ______________ to associate files with the proper applications.
A. signature
B. MD5 hash value
C. extension
D. metadata
4. Unix (including Linux) operating systems use a file’s ______________ to associate file types to specific
applications.
A. metadata
B. header
C. extension
D. hash value
5. The Mac OS X operating system uses which of the following file information to associate a file to a specific
application?
A. The “user defined” setting
B. Filename extension
C. Metadata (creator code)
D. All of the above
6. Information regarding a file’s header information and extension is saved by EnCase 7 in the _______________
file.
A. FileTypes.ini
B. FileExtensions.ini
C. FileInformation.ini
D. FileHeader.ini
7. When a file’s signature is unknown and a valid file extension exists, EnCase will display the following result after
a signature analysis is performed.
A. Alias (Signature Mismatch)
B. Bad Signature
C. Unknown
D. Match
8. When a file’s signature is known and the file extension does not match, EnCase will display the following result
after a signature analysis is performed.
A. Alias (Signature Mismatch)
B. Bad Signature
C. Unknown
D. Match
9. When a file’s signature is known and the file extension matches, EnCase will display the following result after a
signature analysis is performed.
A. Alias (Signature Mismatch)
B. Bad Signature
C. Unknown
D. Match
10. When a file’s signature and extension are not recognized, EnCase will display the following result after a
signature analysis is performed.
A. Alias (Signature Mismatch)
B. Bad Signature
C. Unknown
D. Match
11. Can a file with a unique header share multiple file extensions?
A. Yes
B. No
12. A user can manually add new file headers and extensions by doing which of the following?
A. Manually inputting the data in the FileSignatures.ini file
B. Right-clicking the file and choosing Add File Signature
C. Choosing the File Types view, right-clicking, and selecting New in the appropriate folder
D. Adding a new file header and extension and then choosing Create Hash Set
13. Select the correct answer that completes the following statement: An MD5 hash _________________.
A. is a 128-bit value
B. has odds of one in 2^128 that two dissimilar files will share the same value
C. is not determined by the filename
D. All of the above
14. EnCase can create a hash value for the following.
A. Physical devices
B. Logical volumes
C. Files or groups of files
D. All of the above
15. With EnCase 7, how many hash libraries can be applied at one time to any case?
A. One
B. Two
C. Three
D. No limit to the number that can be applied
16. Will changing a file’s name affect the file’s MD5 or SHA1 hash value?
A. Yes
B. No
17. Usually a hash value found in a hash set named Windows 7 would be reported in the Hash Category column as
which of the following?
A. Known
B. Notable
C. Evidentiary
D. Nonevidentiary
18. With regard to hash categories, evidentiary files or files of interest are categorized as which of the following?
A. Known
B. Notable
C. Evidentiary
D. Nonevidentiary
19. An MD5 or SHA1 hash of a specific media generated by EnCase will yield the same hash value as an
independent third-party MD5 or SHA1 hashing utility.
A. True
B. False
20. A hash _______ is comprised of hash _______ , which is comprised of hash _______.
A. set(s), library(ies), value(s)
B. value(s), sets(s), library(ies)
C. library(ies), set(s), value(s)
D. set(s), values(s), library(ies)

Chapter 9: Windows Operating System Artifacts


1. An operating system artifact can be defined as which of the following?
A. Information specific to a user’s preference
B. Information about the computer’s general settings
C. Information stored about a user’s activities on the computer
D. Information used to simplify a user’s experience
E. All of the above
2. A FAT file system stores date and time stamps in _______ , whereas the NTFS file system stores date and time
stamps in _______ .
A. DOS directory, local time
B. Zulu time, GMT
C. Local time, GMT
D. SYSTEM.DAT, NTUSER.DAT
3. Where does Windows store the time zone offset?
A. BIOS
B. Registry
C. INFO2 file
D. DOS directory or MFT
4. In Windows 7, the date and time of when a file was sent to the Recycle Bin can be found where?
A. INFO2 file
B. Original filename’s last access date
C. DOS directory or MFT
D. $I index file
5. When a text file is sent to a pre-Windows Vista Recycle Bin, Windows changes the short filename of the deleted
file to DC0.txt in the Recycle Bin. Select the best choice that explains the deleted filename.
A. D=DOS, C=character, 0=index number, file extension remains the same
B. D=DOS, C=drive letter, 0=index number, file extension remains the same
C. D=deleted, C=character, 0=index number, file extension remains the same
D. D=deleted, C=drive letter, 0=index number, file extension remains the same
6. When a document is opened, a link file bearing the document’s filename is created in the ____________ folder.
A. Shortcut
B. Recent
C. Temp
D. History
7. Link files are shortcuts or pointers to actual items. These actual items can be what?
A. Programs
B. Documents
C. Folders
D. Devices
E. All of the above
8. In NTFS, information unique to a specific user is stored in the ____________ file.
A. USER.DAT
B. NTUSER.DAT
C. SYSTEM.DAT
D. None of the above
9. In Windows XP, Windows Vista, or Windows 7, by default, how many recently opened documents are displayed
in the My Recent Documents or Recent Items folder?
A. 4
B. 12
C. 15
D. Unlimited
10. Most of a user’s desktop items on a Windows 7 operating system would be located in the
________________________ directory.
A. C:\WINDOWS\Desktop
B. C:\WinNT\Desktop
C. C:\WINDOWS\System32\config\Desktop
D. C:\Users\%User%\Desktop
11. Because this file will hold the contents of RAM when the machine is powered off, the ____________ file will be
the approximate size of the system RAM and will be in the root directory.
A. hiberfil.sys
B. WIN386.SWP
C. PAGEFILE.SYS
D. NTUSER.DAT
12. Where can you find evidence of web-based email such as from MSN Hotmail or Google Gmail on a Windows
system?
A. In Temporary Internet Files under Local Settings in the user’s profile
B. In Unallocated Clusters
C. In the pagefile.sys file
D. In the hiberfil.sys file
E. All of the above
13. Filenames with the .url extension that direct web browsers to a specific website are normally located in which
folder?
A. Favorites folder
B. Cookies folder
C. Send To folder
D. History folder
14. Data about Internet cookies such as URL names, date and time stamps, and pointers to the actual location of the
cookie is stored where?
A. INFO2 file
B. index.dat file
C. EMF file
D. pagefile.sys file
15. On a Windows 98 machine, which folder is the swap or page file contained in?
A. WIN386.SWP
B. pagefile.sys
C. swapfile.sys
D. page.swp
16. When you are examining evidence that has been sent to a printer, which file contains an image of the actual print
job?
A. The Enhanced Metafile (EMF)
B. The shadow file
C. The spool file
D. The RAW file
17. The two modes for printing in Windows are ____________ and ____________ .
A. spooled, shadowed
B. spooled, direct
C. spooled, EM
D. EMF, RAW
18. Although the Windows operating system removes the EMF file upon a successful print job, the examiner may
still recover the file as a result of a search on its unique header information in areas such as Unallocated Clusters or
the swap file.
A. True
B. False
19. The index.dat files are system files that store information about other files. They track date and time stamps, file
locations, and name changes. Select the folder that does not contain an index.dat file.
A. Cookies
B. History
C. Recycle Bin
D. Temporary Internet Files
20. The Temporary Internet Files directory contains which of the following?
A. Web page files that are cached or saved for possible later reuse
B. An index.dat file that serves as a database for the management of the cached files
C. Web mail artifacts
D. All of the above

Chapter 10: Advanced EnCase


1. How many sector(s) on a hard drive are reserved for the master boot record (MBR)?
A. 1
B. 4
C. 16
D. 62
E. 63
2. The very first sector of a formatted hard drive that contains an operating system is referred to as which of the
following?
A. Absolute sector 0
B. Boot sector
C. Containing the master boot record (MBR)
D. All of the above
3. How many logical partitions does the partition table in the master boot record allow for a physical drive?
A. 1
B. 2
C. 4
D. 24
4. The very first sector of a partition is referred to as which of the following?
A. Master boot record
B. Physical sector 0
C. Active primary partition
D. Volume boot record
5. If a hard drive has been fdisked, EnCase can still recover the deleted partition(s), if you point to the _________
and select Add Partition from the Partition menu.
A. master boot record
B. volume boot record
C. partition table
D. unallocated space
6. In an NTFS partition, where is the backup copy of the volume boot record (VBR) stored?
A. In the partition table.
B. Immediately after the VBR.
C. The last sector of the partition.
D. An NTFS partition does not store a backup of the VBR.
7. EnCase can mount a compound file, which can then be viewed in a hierarchical format. Select an example of a
compound file.
A. Registry file (that is, .dat)
B. Email file (that is, .edb, .nsf, .pst, .dbx)
C. Compressed file (that is, .zip)
D. Thumbs.db
E. All of the above
8. Windows 7 contains two master keys in its registry. They are HKEY_LOCAL_MACHINE and which of the
following?
A. HKEY_USERS
B. HKEY_CLASSES_ROOT
C. HKEY_CURRENT_USER
D. HKEY_CURRENT_CONFIG
9. In Windows 7, information about a specific user’s preference is stored in the NTUSER.DAT file. This compound
file can be found where?
A. C:\
B. C:\WINDOWS\
C. C:\Users\username
D. C:\Documents and Settings\All Users\Application Data
10. In an NTFS file system, the date and time stamps recorded in the registry are stored where?
A. Local time based on the BIOS settings
B. GMT and converted based on the system’s time zone settings
11. EnScript is a proprietary programming language and application programming interface (API) developed by
Guidance Software, designed to function properly only within the EnCase environment.
A. True
B. False
12. Since EnScript is a proprietary programming language developed by Guidance Software, EnScripts can be
created by and obtained only from Guidance Software.
A. True
B. False
13. Filters are a type of EnScript that “filters” a case for certain file properties such as file types, dates, and hash
categories. Like EnScripts, filters can also be changed or created by a user.
A. True
B. False
14. Select the type of email that EnCase 6 is not capable of recovering.
A. Microsoft Outlook
B. AOL
C. Microsoft Outlook Express
D. Lotus Notes and Microsoft Exchange Server
E. None of the above
15. Which method is used to view the contents of a compound file that contains emails such as a PST file in EnCase
7?
A. Select View File Structure from the Entries options.
B. Run Find Email from within the EnCase Evidence Processor.
C. Both A and B.
D. None of the above.
16. EnCase 7 cannot process web-based email such as MSN Hotmail or Yahoo! Mail because the information can be
found only on the mail servers.
A. True
B. False
17. The EnCase Decryption Suite (EDS) will not decrypt Microsoft’s Encrypting File System (EFS) on the
___________ operating system.
A. Windows 2000 Professional and Server
B. Windows XP Professional
C. Windows 2003 Server
D. Windows 7 Home Edition
18. At which levels can the VFS module mount objects in the Windows environment?
A. The case level
B. The disk or device level
C. The volume level
D. The folder level
E. All of the above
19. The Physical Disk Emulator (PDE) module is similar to the Virtual File System (VFS); the module can mount a
piece of media that is accessible in the Windows environment. Select the type(s) of media that the Physical Disk
Emulator cannot mount.
A. Cases
B. Folders
C. Volumes
D. Physical disks
E. Both A and B
20. The Virtual File System (VFS) module mounts data as _______, while the Physical Disk Emulator (PDE)
module mounts data as _______.
A. network share, emulated disk
B. emulated disk, network share
C. virtual drive, physical drive
D. virtual file, physical disk

1. Using good forensics practices, when seizing a computer at a business running Windows 2000 Server you should:
a. Shut it down normally
b. Pull the plug from the wall
c. Pull the plug from the back of the computer
d. Press the power button and hold it in

2.