Study guide for the ACE test
FTK Imager can read a Norton Ghost Compressed Image file
FTK Imager can image individual files
FTK Imager can read a Norton Ghost Uncompressed File
FTK Imager is a write-blocking device/software
False. (It will not directly write to a suspect device, but Windows may.)
Using FTK Imager, if you convert an E01 to Raw (or vice versa), the hashes would match.
Name 3 image file types that allow compression.
E01, S01, AD01
Why would FTK Imager indicate drive numbers 1, 2, 3, and 5?
5 and above indicates an extended partition. 1-4 indicates Primary partitions.
When exporting a file from Imager, the time and date stamps of the exported file will not match those of the file in the original image.
False. Imager will use the original times and dates for the file it exports.
When you export a file hashlist from Imager, the files go out into a plain text file.
False. They go into a CSV (comma-separated values) file.
What function would you use in FTK Imager to automatically grab commonly used files from the registry?
Obtain Protected Files
FTK Imager can hash or image files that are in use by the operating system.
In PRTK, which type of attack uses word lists?
Name three attack types in PRTK.
Decryption, Keyspace, Password Reset.
Where can a user determine what type of attacks can be run on a file?
Help -> Recovery Module
What is the most successful method for password recovery?
AD Decryption. (Instant)
What 3 parts comprise an attack profile?
Languages, Dictionaries, Levels.
What happens to a file's hash value when it is decrypted?
How would you view all the graphics in a case in FTK?
Select the root of the evidence tree and enable the quick picks for it.
The AD01 format has embedded hash data for hash verification