A standard DOS 6.22 boot disk is acceptable for booting a suspect drive.
A. True
B. False
A file extension and signature can be manually added by:
A. Using the new library feature under hash libraries.
B. Right-clicking on a file and selecting dd.
C. Using the new set feature under hash sets.
D. Using the new file signature feature under file signatures.
Before utilizing an analysis technique on computer evidence, the investigator should:
A. Test the technique on simulated evidence in a controlled environment to confirm that the results are consistent.
B. Be trained in the employment of the technique.
C. Both a and b.
D. Neither a nor b.
Select the appropriate name for the highlighted area of the binary numbers.
A. Word
B. Dword
C. Byte
D. Nibble
E. Bit
When a non-compressed evidence file is reacquired with compression, the acquisition and verification hash values for the evidence will remain the same for both files.
A. True
B. False
When undeleting a file in the FAT file system, EnCase will check the _____________ to see if it has already been overwritten.
A. data on the hard drive
B. deletion table
C. directory entry
D. FAT
Within EnCase, you highlight a range of data within a file. The length indicator displays the value 30. How many bytes have you actually selected?
A. 30
B. 3
C. 60
D. 15
You are investigating a case of child pornography on a hard drive containing Windows XP. In the C:\Documents and Settings\Bad Guy\Local Settings\Temporary Internet Files folder you find three images of child pornography. You find no other copies of the images on the suspect hard drive, and you find no other copies of the filenames.
What can be deduced from your findings?
A. The presence and location of the images is not strong evidence of possession.
B. The presence and location of the images is strong evidence of possession.
C. The presence and location of the images proves the images were intentionally downloaded.
D. Both a and c
The MD5 hash algorithm produces a _____ number.
A. 32 bit
B. 256 bit
C. 64 bit
D. 128 bit
Within EnCase, what is the purpose of the temp folder?
A. This is the folder used to hold copies of files that are sent to external viewers.
B. This is the folder that will automatically store an evidence file when the acquisition is made in DOS.
C. This is the folder that temporarily stores all bookmark and search results.
D. This is the folder that will be automatically selected when the copy/unerase feature is used.