How many copies of the FAT are located on a FAT 32, Windows 98-formatted partition?
A. 3
B. 1
C. 4
D. 2
The results of a hash analysis on an evidence file that has been added to a case will be stored in which of the following files?
A. The evidence file
B. The case file
C. The configuration HashAnalysis.ini file
D. All of the above
When undeleting a file in the FAT file system, EnCase will check the _____ to see if it has already been overwritten.
A. directory entry
B. data on the hard drive
C. deletion table
D. FAT
A SCSI drive is pinned as a master when it is:
A. The only drive on the computer.
B. A SCSI drive is not pinned as a master.
C. Whenever another drive is on the same cable and is pinned as a slave.
D. The primary of two drives connected to one cable.
The EnCase evidence file logical filename can be changed without affecting the verification of the acquired evidence.
A. True
B. False
Which of the following items could contain digital evidence?
A. Cellular phones
B. Credit card readers
C. Digital cameras
D. Personal assistant devices
You are an investigator and have encountered a computer that is running at the home of a suspect. The computer does not appear to be a part of a network. The operating system is Windows XP Home. No programs are visibly running. You should:
A. Pull the plug from the back of the computer.
B. Shut it down with the start menu.
C. Pull the plug from the wall.
D. Turn it off with the power button.
Using good forensic practices, when seizing a computer at a business running Windows 2000 Server you should:
A. Shut it down normally.
B. Press the power button and hold it in.
C. Pull the plug from the back of the computer.
D. Pull the plug from the wall.
When a file is deleted in the FAT or NTFS file systems, what happens to the data on the hard drive?
A. The file header is marked with a Sigma so the file is not recognized by the operating system.
B. It is moved to a special area.
C. It is overwritten with zeroes.
D. Nothing.