
Guidance Software GD0-110 Dumps

Page: 1 / 7
Total 174 questions

Certification Exam for EnCE Outside North America Questions and Answers

Question 1

The signature table data is found in which of the following files?

Options:

A. The case file

B. The configuration FileSignatures.ini file

C. The evidence file

D. All of the above

Question 2

A file extension and signature can be manually added by:

Options:

A. Using the new set feature under hash sets.

B. Using the new file signature feature under file signatures.

C. Using the new library feature under hash libraries.

D. Right-clicking on a file and selecting add.

Question 3

When does the POST operation occur?

Options:

A. When the power button to a computer is turned on.

B. After a computer begins to boot from a device.

C. When Windows starts up.

D. When SCSI devices are configured.

Question 4

Which of the following would be a true statement about the function of the BIOS?

Options:

A. The BIOS is responsible for swapping out memory pages when RAM fills up.

B. The BIOS is responsible for checking and configuring the system after the power is turned on.

C. The BIOS integrates compressed executable files with memory addresses for faster execution.

D. Both a and c.

Question 5

During the power-up sequence, which of the following happens first?

Options:

A. The boot sector is located on the hard drive.

B. The Power-On Self-Test.

C. The floppy drive is checked for a diskette.

D. The BIOS on an add-in card is executed.

Question 6

Which of the following aspects of the EnCase evidence file can be changed during a reacquire of the evidence file?

Options:

A. The investigator name

B. The evidence number

C. The acquisition notes

D. None of the above

Question 7

The end of a logical file to the end of the cluster that the file ends in is called:

Options:

A. Unallocated space

B. Allocated space

C. Available space

D. Slack

Question 8

All investigators using EnCase should run tests on the evidence file acquisition and verification process to:

Options:

A. Further the investigator's understanding of the evidence file.

B. Give more weight to the investigator's testimony in court.

C. Ensure that the investigator is using the proper method of acquisition.

D. All of the above.

Question 9

In Windows 98 and ME, Internet based e-mail, such as Hotmail, will most likely be recovered in the _____________________ folder.

Options:

A. C:\Windows\Temp

B. C:\Windows\Temporary Internet files

C. C:\Windows\History\Email

D. C:\Windows\Online\Applications\email

Question 10

Hash libraries are commonly used to:

Options:

A. Identify files that are already known to the user.

B. Compare one hash set with another hash set.

C. Verify the evidence file.

D. Compare a file header to a file extension.

Question 11

For an EnCase evidence file acquired with a hash value to pass verification, which of the following must be true?

Options:

A. The CRC values and the MD5 hash value both must verify.

B. The MD5 hash value must verify.

C. Either the CRC or MD5 hash values must verify.

D. The CRC values must verify.

Question 12

A sector on a floppy disk is the same size as a sector on an NTFS-formatted hard drive.

Options:

A. True

B. False

Question 13

Which of the following would most likely be an add-in card?

Options:

A. A motherboard

B. The board that connects to the power supply

C. A video card that is connected to the motherboard in the AGP slot

D. Anything plugged into socket 7

Question 14

How many partitions can be found in the boot partition table found at the beginning of the drive?

Options:

A. 2

B. 4

C. 6

D. 8

Question 15

The EnCase evidence file logical filename can be changed without affecting the verification of the acquired evidence.

Options:

A. True

B. False

Question 16

An Enhanced Metafile would best be described as:

Options:

A. A file format used in the printing process by Windows.

B. A compound e-mail attachment.

C. A compressed zip file.

D. A graphics file attached to an e-mail message.

Question 17

How many copies of the FAT are located on a FAT 32, Windows 98-formatted partition?

Options:

A. 1

B. 2

C. 3

D. 4

Question 18

The EnCase case file can be best described as:

Options:

A. The file that runs EnCase for Windows.

B. A file containing configuration settings for cases.

C. A file that contains information specific to one case.

D. None of the above.

Question 19

Two allocated files can occupy one cluster, as long as they can both fit within the allotted number of bytes.

Options:

A. True

B. False

Question 20

When an EnCase user double-clicks on a valid .jpg file, that file is:

Options:

A. Copied to the EnCase specified temp folder and opened by an associated program.

B. Copied to the default export folder and opened by an associated program.

C. Opened by EnCase.

D. Renamed to JPG_0001.jpg and copied to the default export folder.

Question 21

To undelete a file in the FAT file system, EnCase computes the number of _______ the file will use based on the file ______.

Options:

A. Clusters; starting extent

B. Sectors; starting extent

C. Sectors; file size

D. Clusters; file size

Question 22

By default, what color does EnCase use for slack?

Options:

A. Black

B. Red

C. Black on red

D. Red on black

Question 23

In the FAT file system, the size of a deleted file can be found:

Options:

A. In the FAT

B. In the file header

C. In the file footer

D. In the directory entry

Question 24

A CPU is:

Options:

A. An entire computer box, not including the monitor and other attached peripheral devices.

B. A motherboard with all required devices connected.

C. A Central Programming Unit.

D. A chip that would be considered the brain of a computer, which is installed on a motherboard.

Question 25

The EnCase methodology dictates that ________ be created prior to acquiring evidence.

Options:

A. an .E01 file on the lab drive

B. a unique directory on the lab drive for case management

C. a text file for notes

D. All of the above

Question 26

A hard drive has 8 sectors per cluster. File Mystuff.doc has a logical file size of 13,000 bytes. How many clusters will be used by Mystuff.doc?

Options:

A. 1

B. 2

C. 3

D. 4
