The EnCase evidence file is best described as follows:
An EnCase evidence file is a bitstream image of a source drive such as a hard drive, CD-ROM, or floppy disk written to a file (.E01) or several file segments (.E02, .E03, and so on).
How does EnCase verify the contents of an evidence file?
EnCase writes a CRC value for every 64 sectors copied, by default. If the block size has been increased, the CRC frequency will be adjusted accordingly.
What is the smallest file size that an EnCase evidence file can be saved as?
The smallest file size that an EnCase evidence file can be saved as is 1 MB.
What is the largest file segment size that an EnCase evidence file can be saved as?
The largest file size that an EnCase evidence file can be saved as is 2 GB.
How does EnCase verify that the evidence file contains an exact copy of the source device?
EnCase compares the MD5 hash value of the source device to the MD5 hash value of just the data stored in the evidence file, not the entire contents of the evidence file, such as case information and CRC values of each data block.
How does EnCase verify that the case information (such as case number, evidence number, notes, and so on) in an evidence file has not been damaged or altered after the evidence file has been written?
EnCase calculates a CRC value for the case information, which is verified when the evidence file is added to the case.
For an EnCase evidence file to successfully pass the file verification process, which of the following must be true?
When an evidence file containing an MD5 hash value is added to the case, EnCase verifies both the CRC and MD5 hash values.
The MD5 hash algorithm produces a ___ value.
The MD5 hash algorithm produces a 128-bit value.
An MD5 hash value is ___ hexadecimal characters in length.
An MD5 hash value is 32 hexadecimal characters in length.
If an evidence file has been added to a case and completely verified, what happens if the data area within the evidence file is later altered?
EnCase will detect the error and will still allow the examiner to access the unaffected areas of the evidence file.
Which of the following aspects of the EnCase evidence file can be changed during a reacquire of the evidence file?
The evidence file size can be changed during a reacquire.
An evidence file was archived onto five CD-ROMs with the third file segment on disc 3. Can the contents of the third file segment be verified by itself while still on the CD-ROM?
EnCase can verify independent evidence file segments by comparing the CRC values of the data blocks.
Will EnCase allow a user to write data into an acquired evidence file?
EnCase does not write to the evidence file after the acquisition is complete.
All investigators using EnCase should run tests on the evidence file acquisition and verification process to do which of the following?
As with any forensic tool, the investigator should test the tools to better understand how the tool performs and to verify that it is functioning properly.
When a non-compressed evidence file is reacquired with compression, the acquisition and verification hash values for the evidence file will remain the same.
Compressing an evidence file does not change its MD5 hash value.
Search hit results are bookmarks stored in the evidence file.
Search hit results and bookmarks are stored in the case and .cbak files.
The EnCase evidence file's logical file name can be changed without affecting the verification of the acquired evidence.
An EnCase evidence file's logical file name can be renamed without affecting the verification of the acquired evidence.
An evidence file can be moved to another directory without changing the file verification.
EnCase evidence files can be moved without affecting the file verification.
What happens when EnCase attempts to reopen a case once the evidence file has been moved?
When an evidence file has moved from the previous path, EnCase will prompt for the new location of the evidence file.
During reacquisition, you can change which of the following?
All may be changed during reacquisition with the exception of the investigator's name.