GD0-110 Online Practice Questions and Answers

Which of the following would be a true statement about the function of the BIOS?

A. The BIOS is responsible for checking and configuring the system after the power is turned on.

B. Botha and c.

C. The BIOS is responsible for swapping out memory pages when RAM fills up.

D. The BIOS integrates compressed executable files with memory addresses for faster execution.

Consider the following path in a FAT file system:

A. From the root directory c:\

B. From itself

C. From the My Pictures directory

D. From the My Documents directory

You are investigating a case of child pornography on a hard drive containing Windows XP. In the : \Documents and Settings\Bad You are investigating a case of child pornography on a hard drive containing Windows XP. In the :\Documents and Settings\Bad Guy\Local Settings\Temporary Internet Files folder you find three images of child pornography. You find no other copies of the images on the suspect hard drive, and you find no other copies of the filenames. What can be deduced from your findings images on the suspect hard drive, and you find no other copies of the filenames. What can be deduced from your findings?

A. The presence and location of the images is strong evidence of possession.

B. The presence and location of the images proves the images were intentionally downloaded.

C. Both a and c

D. The presence and location of the images is not strong evidence of possession.

Assume that MyNote.txt has been deleted. The FAT file system directory entry for that file has been overwritten. The data for MyNote.txt is now:

A. Allocated

B. Cross-linked

C. Unallocated

D. Overwritten

How does EnCase verify that the evidence file contains an exact copy of the suspect hard drive?

A. By means of a CRC value of the suspect hard drive compared to a CRC value of the data stored in the evidence file. By means of a CRC value of the suspect hard drive compared to a CRC value of the data stored in the evidence file.

B. By means of a CRC value of the evidence file itself.

C. By means of an MD5 hash of the suspect hard drive compared to an MD5 hash of the data stored in the evidence file. By means of an MD5 hash of the suspect hard drive compared to an MD5 hash of the data stored in the evidence file.

D. By means of an MD5 hash value of the evidence file itself.

The case number in an evidence file can be changed without causing the verification feature to report an error, if:

A. The user utilizes a text editor.

B. The user utilizes the case information editor within EnCase.

C. The evidence file is reacquired.

D. The case information cannot be changed in an evidence file, without causing the verification feature to report an error.

Within EnCase, what is the purpose of the temp folder?

A. This is the folder that will automatically store an evidence file when the acquisition is made in DOS.

B. This is the folder that temporarily stores all bookmark and search results.

C. This is the folder used to hold copies of files that are sent to external viewers.

D. This is the folder that will be automatically selected when the opy/unerase feature is used. This is the folder that will be automatically selected when the copy/unerase feature is used.

Select the appropriate name for the highlighted area of the binary numbers.

A. Nibble

B. Dword

C. Word

D. Byte

E. Bit

The following keyword was typed in exactly as shown. Choose the answer(s) that would result. All search criteria have default settings.

A. Meth Speed

B. Speed and Meth

C. Meth

D. Speed

Using good forensic practices, when seizing a computer at a business running Windows 2000 Server you should:

A. Shut it down normally.

B. Press the power button and hold it in.

C. Pull the plug from the back of the computer.

D. Pull the plug from the wall.

You are examining a hard drive that has Windows XP installed as the operating system. You see a file that has a date and time in the eletedcolumn. Where does that date and time come from ? Where does that date and time come from?

A. Directory Entry

B. Info2 file

C. Inode Table

D. Master File Table

When a document is printed using EMF in Windows, what file(s) are generated in the spooling process?

A. The .SHD file

B. The .SPL file

C. Both a and b

D. Neither a or b

An evidence file can be moved to another directory without changing the file verification.

A. True

B. False

A hash library would most accurately be described as:

A. Both a and b.

B. A master table of file headers and extensions.

C. A file containing hash values from one or more selected hash sets.

D. A list of the all the MD5 hash values used to verify the evidence files.

If cluster #3552 entry in the FAT table contains a value of this would mean:

A. The cluster is allocated

B. The cluster is marked bad

C. The cluster is unallocated

D. The cluster is the end of a file