The Official EnCE: EnCase Certified Examiner Study Guide, Second Edition, Chapter 8 Review Questions

20 terms by MrJayness

I still need to add the answer options for the more complicated questions.

When running a signature analysis, EnCase will do which of the following?

A signature analysis will compare a file's header or signature to its file extension.

A file header is which of the following?

A file header identifies the type of file and is located in the beginning of the file's data.

The Windows operating system uses a file name's ___ to associate files with the proper applications.

The Windows operating system uses a file's extension to associate the file with the proper application.

Unix (including Linux) operating systems use a file's ___ to associate file types to specific applications.

Unix (including Linux) operating systems use a file's header information to associate file types to specific applications.

The Mac OS X operating system uses which of the following file information to associate a file to a specific application?

When determining which application to use to open a file, Mac OS X gives first precedence to user defined settings, second preference to creator code metadata, and third precedence to file name extensions. If none of these are present, other rules come into play.

Information regarding a file's header information and extension is saved by EnCase in the ___ file.

Information about a file's header and extension is saved in the FileSignature.ini file.

When a file's signature is unknown and a valid file extension exists, EnCase will display the following result after a signature analysis is performed:

When a file signature is unknown and a valid extension is present, EnCase will display the status as being !Bad Signature.

When a file's signature is known and the file extension does not match, EnCase will display the following result after a signature analysis is performed:

When a file's signature is known and an inaccurate file extension is present, EnCase reports the alias in the File Signature column and may update the File Category column.

When a file's signature is known and the file extension matches, EnCase will display the following result after a signature analysis is performed:

When a file's signature is known and an accurate file extension is present, EnCase will display the result as a match.

When a file's signature and extension are not recognized, EnCase will display the following result after a signature analysis is performed:

When a file's signature and extension are not recognized, EnCase will display the result as unknown.

Can a file with a unique header share multiple file extensions?

A unique file header can share multiple file extensions. An example of such a case is a .JPEG or .JPG file, which shares the same file header \xFF\xD8\xFF[\xFF\xE0\xE1].

A user can manually add new file headers and extensions by doing which of the following?

A user can manually add new file headers and extensions by accessing the File Signature views and creating a new header and extension in the appropriate folder.

Select the correct answer that completes the following statement: An MD5 has ___ .

An MD5 hash is a 128-bit hash value, and the odds of two different files having the same value are one in 2^128. A file's MD5 hash value is based on the file's data area, not its file name, which resides outside the data area.

EnCase can create a hash value for the following:

EnCase can calculate hash values for any of the options listed.

What portion of an evidence file does EnCase analyze during the verification process to yield an MD5 hash value?

EnCase will analyze the data area of an evidence file only during the verification process.

Will changing a file's name affect the file's MD5 hash value?

Merely changing a file's name will not affect its MD5 hash value because the hash value is based on the file's data, not its file name.

Usually a hash value found in a hash set named Windows XP Home Edition would be reported in the Hash Category column as which of the following?

These hash sets have been procured from known safe sources and are categorized as Known. In most cases they are nonevidentiary and can be ignored when conducting searches and other analyses.

With regard to hash categories, evidentiary files or files of interest are categorized as which of the following?

Evidentiary files or files of interest are categorized as Notable.

An MD5 hash of a specific media generated by EnCase will yield the same hash value as an independent third-party MD5 hashing utility.

Regardless of the MD5 hashing utility, the hash value generated will have the same result, because the MD5 hash is an industry-standard algorithm.

A hash ___ is comprised of hash ___ , which is comprised of hash ___ .

A hash library is comprised of hash sets, which are comprised of hash values.
