395 Cards in this Set
- Front
- Back
|
Constructed to maintain the authenticity and integrity of the original evidence
|
Evidence File
|
|
The use of this type of file is to demonstrate how the evidence is preserved.
|
Evidence File
|
|
Evidence File is also known as a _____ file.
|
Image
|
|
Bit by Bit copy of the original file or hard drive.
|
Image / Evidence File
|
|
Using EnCase preserves the data of an Image / Evidence file and also adds pertinent information that helps preserve the _____ __ ______.
|
Chain of Custody
|
|
MD5 stands for :
|
Message Digest 5
|
|
CRC stands for:
|
Cyclical Redundancy Check
|
|
Algorithm applied to data streams using 128-bit hexadecimal value.
|
MD5
|
|
2^ ___ power attempts are needed to be made to match the hash of an MD5 encryption.
|
128
|
|
The odds of two files having the same MD5 is _____.
|
remote
|
|
32 bit hex algorithm
|
CRC
|
|
2^ __ power is the CRC requirement to have two files possibly have the same hash value.
|
32
|
|
CRC is _____ than MD5 due to only having a 4 billion chance of replicating the same hash value.
|
faster
|
|
MD5 has many more ______ thus using up more computer system resources
|
calculations
|
|
EnCase uses both CRC and MD5 but ___ is used more.
|
CRC
|
|
What are the three file components of an evidence file?
|
1. Header
2. Data Blocks
3. File Integrity Component
|
|
This appears on the front of the evidence file and the data blocks immediately follow.
|
Header
|
|
Is verified with its own CRC
|
Data Blocks
|
|
Is throughout the file. It is not located in only one place.
|
File Integrity Component
|
|
The ___ is after each block and header.
|
CRC
|
|
When the ENTIRE data block is subject to an MD5 hash, what will show up at the end of the physical layout?
|
Acquisition hash
|
|
An MD5 hash is only calculated on the ____.
|
data
|
|
The header contains what five things?
|
1. Evidence name and number
2. Notes
3. Date/time of acquisition
4. Version of EnCase used
5. OS under which the acquisition took place.
|
|
After the header is subjected to a CRC it is compressed. Why?
|
Saves space and removes ability to alter clear text data.
|
|
Where is the header placed after being CRC'd and compressed?
|
Front of the evidence file
|
|
The default block size for an evidence file is __ sectors
|
64
|
|
Once the data is in memory, a ___ is computed for the sectors.
|
CRC
|
|
Once all the data is completely CRC'd, then no more ____ is present to process.
|
data
|
|
Once there is no more data to be CRC'd, the acquisition hash is completed and written to the _____ or ___ of the evidence file.
|
last/end
|
|
The MD5 is part of the _____ contained in the final segment.
|
metadata
|
|
ALL ______ evidence files will not require a header again after the data is CRC'd and stored.
|
subsequent
|
|
Once you see the ___ value you know it is the end along with the metadata.
|
MD5
|
|
You may fill the drive you are using and need another drive. You will have to _____ another drive to be consistent.
|
span
|
|
EnCase allows spanning; some drives may have the same space (say 80 Gb) but not the same number of _____.
|
sectors
|
|
EnCase does have a little overhead when imaging a drive, with this in mind, it is advised to use a _____ drive for acquisition.
|
larger
|
|
After the image is created, the file is added to an ____ case.
|
open
|
|
File verification occurs automatically to provide data _____.
|
integrity
|
|
Each block of data in the evidence file is subject to verification ___ calculation.
|
CRC
|
|
The verification CRC must match the CRC values calculated when it was ____.
|
acquired
|
|
An error is reported if a block is not _____.
|
verified
|
|
Verification occurs for all _____.
|
blocks
|
|
The blocks of data are also subject to verification of the MD5 hash and this is called the _____ hash value.
|
Verification
|
|
You can change the block size for data. The default of 64 sectors should be fine but making a _____ size does speed up the acquisition.
|
larger
|
|
The only caveat to making the sectors larger is that the CRC values are written every ___ sectors instead of 64.
|
128
|
|
If there was a _____ sector, then more data (128 sectors) would be lost.
|
corrupted
|
|
When a _____ file is created you choose the file name and the storage path.
|
case
|
|
When creating a case file you choose the file name and the storage path. Be sure to be as ______ as possible when doing this.
|
consistent
|
|
Backups are created every __ minutes in EnCase.
|
10
|
|
Back up to _____ locations and possibly drives to make sure you do not lose the data if something were to happen to the drive you are working on.
|
different
|
|
EnCase uses ____ files located in the config folder
|
.ini
|
|
EnCase uses .ini located in the _____ folder.
|
config
|
|
The primary .ini files are the _____ file.
|
keyword
|
|
The keyword file stores _____ keywords.
|
global
|
|
This .ini file Stores the text styles used by the database.
|
TextStyles.ini
|
|
Stores values for the file signature database.
|
File Signatures
|
|
Database information regarding the viewers that EnCase can use when viewing data.
|
Viewers.ini
|
|
Stores the database of user IDs and usernames
|
SecurityIDs.ini
|
|
____ files are easily manipulated and caution must be taken when editing these files.
|
.ini
|
|
This is a special folder that places the storage files such as .PST or .DBX files
|
ParseCache
|
|
The _____ folder allows the intensive process to occur without using up all the station's memory and processor.
|
ParseCache
|
|
Avoiding detection
|
Goal of Anti-Forensics
|
|
Disrupting information collection
|
Goal of Anti-Forensics
|
|
Increasing the examiner's time
|
Goal of Anti-Forensics
|
|
Casting doubt on a forensic report or testimony
|
Goal of Anti-Forensics
|
|
Forcing a tool to reveal its presence
|
Goal of Anti-Forensics
|
|
Subverting the tool, using it to attack the examiner or organization.
|
Goal of Anti-Forensics
|
|
EnCase uses two methods for identifying file types.
|
1. File Extensions
2. File Signatures
|
|
It clarifies actual data
|
Metadata
|
|
Data about Data
|
Metadata
|
|
It can include size, time, date, location, etc.
|
Metadata
|
|
If an examiner has "when" the violator accessed the system, this makes it much easier to find out what files were accessed by using a ______ order of file accesses.
|
chronological
|
|
Removing the files often does not delete the file access ______.
|
directory
|
|
Writing over the access times so that the tracking of the _____ is difficult or near impossible is an effective Anti-Forensic practice
|
timelines
|
|
Using the Anti Forensic tool _____ will modify all timestamps you want to change or delete information.
|
Timestomp
|
|
Another Anti Forensic tool is to prevent the _____ from being created.
|
Metadata
|
|
Under HKLM\SYSTEM\CurrentControlSet\Control\FileSystem\NtfsDisableLastAccessUpdate, setting it to "1" will _____ updating of the last-accessed timestamp
|
disable
|
|
Setting your entire drive to _____ _____ except by you and your password will cause frustration to a Forensic Examination.
|
read only
|
|
Another way to cause problems with a Forensic Examination is to use a tool that securely removes files from your computer hard drive and clears free space to remove any _____ data.
|
residual
|
|
Darik's Boot and Nuke (DBAN)
|
Anti-Forensics Tool
|
|
Anti forensics tool that securely removes files from your computer and can be booted from a floppy, CD, DVD or USB
|
Darik's Boot and Nuke (DBAN)
|
|
A program that hides files within the slack space of an NTFS file system.
|
Slacker Program
|
|
A slacker program is very useful for people that want to _____ files.
|
hide
|
|
Files that have been carved by slacker programs are _____ detected using standard forensics tools.
|
easily
|
|
FragFS is an advanced data hiding tool/technique that hides data in the ___ (_____ _____ _____)
|
MFT / Master File Table
|
|
RuneFS is a _____ program that stores data in "Bad Blocks".
|
Slacker
|
|
Is deleting the browser history all a user has to do in order to hide where he/she has been?
|
No
|
|
To be certain browser history is removed, you can use tools such as _____, AssureYourPrivacy.com, and SoftChecker.
|
WinClear
|
|
To be certain browser history is removed, you can use tools such as WinClear, ______, and SoftChecker.
|
AssureYourPrivacy.com
|
|
To be certain browser history is removed, you can use tools such as WinClear, AssureYourPrivacy.com, and _____.
|
SoftChecker
|
|
When you erase a file on your computer, the actual data in the file is not overwritten. The space utilized by that file is simply marked as "_____" for use by other data
|
free
|
|
The method to securely erase data is to write over the same physical spot on the hard disk multiple times with different patterns, effectively obliterating the magnetic _____ of the data which was once there.
|
signatures
|
|
Software to securely erase data are _____, Eraser, Necrofile, and File Shredder.
|
SDelete
|
|
Software to securely erase data are SDelete, _____, Necrofile, and File Shredder.
|
Eraser
|
|
Software to securely erase data are SDelete, Eraser, _____, and File Shredder.
|
Necrofile
|
|
Software to securely erase data are SDelete, Eraser, Necrofile, and ______.
|
File Shredder
|
|
Another method of hiding or erasing the data is to use a program that when a file is accessed _____ a program will automatically erase the file and overwrite it with useless data
|
incorrectly
|
|
One of the most effective ways to hold off an investigation into your device is to use what?
|
File Encryption
|
|
File encryption encrypts only file _____.
|
contents
|
|
File encryption leaves important information such as file name, size, and timestamps _____.
|
unencrypted
|
|
Parts of an encrypted file's contents can be _____ from other locations such as temporary files, swap file, and deleted unencrypted copies.
|
reconstructed
|
|
Parts of an encrypted file's contents can be reconstructed from other locations such as ______ _____, swap file, and deleted unencrypted copies.
|
temporary files
|
|
Parts of an encrypted file's contents can be reconstructed from other locations such as temporary files, _____ _____, and deleted unencrypted copies.
|
swap file
|
|
Parts of an encrypted file's contents can be reconstructed from other locations such as temporary files, swap file, and _____ ______ _____.
|
deleted unencrypted copies
|
|
The purpose of _____ _____ is to confuse, disorientate and divert the forensic examination process.
|
trail obfuscation
|
|
An application that changes the header information of a file.
|
Transmogrify
|
|
Changing a file's header from .jpg to .doc would require you use _____.
|
Transmogrify
|
|
Even if the header information of a file is changed, the OS will read the file ______.
|
extension
|
|
The art of hiding messages (or binary) in a form that people who are not addressees can't perceive
|
Steganography
|
|
Hiding Data within data
|
Watermarking
|
|
File formats with more room for compression are best
- _____ _____ (___ ___)
- Sound files (MP3, WAV)
- Video files (MPG, AVI)
|
Image files (JPEG, GIF)
|
|
File formats with more room for compression are best
- Image files (JPEG, GIF)
- _____ _____ (___ ___)
- Video files (MPG, AVI)
|
Sound files (MP3, WAV)
|
|
File formats with more room for _____ are best
- Image files (JPEG, GIF)
- Sound files (MP3, WAV)
- Video files (MPG, AVI)
|
compression
|
|
In watermarking, the hidden information may be _____, but not necessarily.
|
encrypted
|
|
Process whereby the magnetic media is erased.
|
Disk Degaussing
|
|
Degaussing requires a _____ _____ that is designed and approved for the type of media being purged.
|
degausser device
|
|
_____ systems and _____ are not the same in a virtual machine compared to a physical machine.
|
File / directories
|
|
The push to use virtual machines makes the forensic investigator _____ about this technology.
|
learn
|
|
A Java-based graphical forensics tool that creates a VMware virtual machine out of a raw disk image or physical disk. This allows the forensic examiner to "boot up" the image or disk and gain an interactive, user-level perspective of the environment, all without modifying the underlying image or disk
|
Live View
|
|
Uses TPM(Trusted Platform Module) - a microchip designed to provide basic security-related functions, primarily involving encryption keys. The TPM is usually installed on the motherboard of a desktop or portable computer, and communicates with the rest of the system by using a hardware bus.
|
BitLocker
|
|
Computers that incorporate a ___ (_____ _____ _____) can also create a key that has not only been wrapped, but is also tied to specific hardware or software conditions.
|
TPM (Trusted Platform Module)
|
|
Live view is available for _____
|
download
|
|
Java-based graphical forensics tool that creates a VMware virtual machine out of a raw disk image or physical disk
|
Live View
|
|
Dummy files such as _____ files added to computer files are one of the other methods to Anti Forensics.
|
index.dat
|
|
EnCase _____ are one of the other methods to Anti Forensics.
|
landmines
|
|
EnCase is separated into 4 distinct windows. They are the _____ Pane, Table Pane, View Pane, and the Filter Pane.
|
Tree
|
|
EnCase is separated into 4 distinct windows. They are the Tree Pane, _____ Pane, View Pane, and the Filter Pane.
|
Table
|
|
EnCase is separated into 4 distinct windows. They are the Tree Pane, Table Pane, _____ Pane, and the Filter Pane.
|
View
|
|
EnCase is separated into 4 distinct windows. They are the Tree Pane, Table Pane, View Pane, and the _____ Pane.
|
Filter
|
|
The starting point for all EnCase cases is the _____ Pane. The first step is to create a case!
|
Tree
|
|
Enter all pertinent information in the _____ options screen.
|
case
|
|
The _____ folder is used to place a file in order to view it externally.
|
Temp
|
|
EnCase 6 allows _____ that makes searches much faster than previous versions.
|
indexing
|
|
It is a good idea to develop a _____ for data in the cases folder
|
template
|
|
Be consistent with the _____ and _____ of all EnCase cases.
|
numbering/setup
|
|
Represents a live physical device in the lower right of the icon.
|
Blue Triangle
|
|
Selecting an object under the _____ places a blue check box in all the files under the table view.
|
Entries
|
|
The box directly to the left of the filter pane that has ex. 11/15
|
Dixon box
|
|
The box next to the square box that looks like a baseball diamond is used to show all files selected in the _____ pane.
|
table
|
|
In the Table Pane, to lock a column you will need to right click the column, and then select column and then _____ _____.
|
set lock
|
|
This column displays a Boolean True or False value stating whether the object will appear in the Report view. By default, objects do not.
|
In Report
|
|
This column displays the file's extension if it has one. Windows uses file extensions to determine which application to use to open it, while other OSs instead use header or other metadata information to do so. EnCase reports the actual extension used by the file. If it has been changed, the real extension remains an unknown until a file signature analysis is run.
|
File Ext
|
|
File types will return information from the File Types view and table based on file _____.
|
extension
|
|
The _____ category is likewise pulled from the File Types table and is a general category, such as documents or images.
|
File
|
|
This column is populated after a file signature analysis and returns the result of that process. The results could be "match," "! Bad Signature," and so on.
|
Signature
|
|
This column briefly describes the object (file, folder, volume), some of its attributes, and what the icon means that sometimes accompanies the object name.
|
Description
|
|
This column displays a Boolean True or False value indicating whether file has been deleted.
|
Is Deleted
|
|
This column indicates the date/time a file was last accessed. The file does not have to change but be accessed only. Programs vary in the way they touch this time stamp. It may or may not reflect user activity. Some hex editors allow data to be altered and no date/time stamps are changed.
|
Last Accessed
|
|
This column indicates the date/time a file was created in that particular location. You can edit a file after it was originally written, giving it a last written date/time later than originally written (created). If you move it to a new location, the file will take on a new creation date/time for when and where it was moved, making it "appear" to have been created after it was last written. This concept confuses many, but the key is understanding that the creation date/time typically indicates when it was created in its current location and that files can be moved around after they were last written.
|
File Created.
|
|
This column displays the date/time that a file was opened, data was changed, and the file was saved. If the file is opened and the data isn't changed, there shouldn't be a change in the last written date/time.
|
Last Written
|
|
This column indicates the date/time a file or folder's file system record entry was changed. This pertains to NTFS and Linux file systems.
|
Entry Modified
|
|
This column reports the date/time of file deletion according to a Windows Recycle Bin INFO2 database.
|
File Deleted
|
|
This column reports the date/time the evidence file in which the object resides was acquired.
|
File Acquired
|
|
This column specifies the actual size of data in a file from first byte to last byte, reported in bytes.
|
Logical Size
|
|
This column specifies the actual size of the file plus slack space.
|
Physical Size
|
|
The Starting _____ is the starting cluster for a file in the format Evidence File Number (order within the Case) | Logical Drive Letter | Starting Cluster Number; in the case of resident data in a master file table (MFT), the starting cluster will be followed by a comma and the byte offset from the beginning of the cluster to the beginning of the data.
|
Extent
|
|
This column lists the number of data runs or extents for a file.
|
File Extents
|
|
This displays a Boolean True or False value stating whether security settings have been applied to the object.
|
Permissions
|
|
This displays the number of times the highlighted file is referenced or bookmarked.
|
References
|
|
This displays the number of bytes into the device that a file begins.
|
Physical Location
|
|
This is the starting sector where a file starts.
|
Physical Sector
|
|
This displays the evidence file in which the object resides.
|
Evidence File
|
|
The _____ Identifier is the file table index number.
|
File
|
|
The ___ hash value of each file is displayed after Compute Hash Value is run from the Search tool window.
|
MD5
|
|
This displays the hash set a file belongs to if it matches a known value in the hash library (usually set up as Known and Notable but can be defined by the user).
|
Hash Category
|
|
This displays the full path to the file, including the evidence file name.
|
Full Path
|
|
This displays DOS 8.3 file name.
|
Short Name
|
|
This displays the file name for files as they are mounted in Windows Explorer after EnCase Virtual File System is activated and the device is mounted.
|
Unique Name
|
|
If the file is an allocated, nondeleted file, this column is blank. If the file is deleted and has been overwritten, this column will show which file has overwritten the original file. If the file is in the Recycle Bin, this column shows the original location of the file when it was deleted.
|
Original Path
|
|
A _____ Link contains no data about the file that is pointed to; their value lies mostly in pointing to resources on other systems.
|
Symbolic
|
|
Specifies that you want to search only the data written and not the entire space allocated.
|
Initialized Size
|
|
This is the character encoding table upon which the file is based.
|
Code Page
|
|
This displays True if the file displayed is a duplicate of another file.
|
Is Duplicate
|
|
This denotes hidden files that are used by the operating system internally and are hidden from the user.
|
Is Internal
|
|
This displays True if the original file is deleted and its space is currently occupied by another file.
|
Is Overwritten
|
|
Using the _____ view: to view data in the table view, just right click on the In Report and select In Report.
|
Report
|
|
A _____ appears in the column and when you go to report view you see the data.
|
dot
|
|
View images in the case
|
Gallery view
|
|
You can copy, bookmark, and change the size of the bookmarks when viewing the _____ view.
|
report
|
|
In _____ view, you can view the sectors of the drive which are color coded according to the legend.
|
Disk view
|
|
Provides a chronological activity view.
|
Timeline View
|
|
Created files, written files, accessed files, modified files, deleted files, and acquired files by right clicking on the _____ area.
|
timeline
|
|
Hitting the _____ sign makes the view larger to allow easier navigation.
|
+
|
|
There is no report or printing feature available in the _____ view. If you want to print you need to do a screen shot
|
timeline
|
|
In _____ View, you can view the data in Hex view or text view.
|
Text
|
|
In _____ view, you can select an area to view and bookmark it, export it, and copy and paste the data.
|
Text
|
|
_____ view comes up automatically when EnCase detects a picture.
|
Picture
|
|
Displays output from scripts run on the data or drive.
|
Console view
|
|
Is enabled in the full version of EnCase and allows you to view the document in its native format.
|
Doc view
|
|
There is even a ___ locator that is a real time updated location platform that allows the users to either locate evidence or precisely show where the evidence is.
|
GPS
|
|
Works in Hex or text view and searches a sector or disk.
|
Find
|
|
All you need to do is hit the dark arrows and squares to change the view
|
Moving the panes
|
|
Either a 1 or a 0. Each representing a ___
|
BIT
|
|
What is a BIT?
|
(Binary Unit)
|
|
What is a nibble?
|
4 bits
|
|
What is a Byte?
|
8 bits
|
|
What are 2 Bytes called?
|
Word
|
|
What are 4 Bytes called?
|
Dword or Double word
|
|
Dword equals how many bits?
|
32
|
|
What is the Base of Hexadecimal?
|
Base 16
|
|
What is the Base of Binary?
|
Base 2
|
|
Hex is typically annotated by an _ after the number.
|
h
|
|
_ has the parser expecting a number in hex.
|
0
|
|
In 0x98, the x stands for ____
|
hex
|
|
It is easier to use the _____ method to convert to hex.
|
nibble
|
|
_____ numbers are separated into 2 nibble sections. Left and Right.
|
Binary
|
|
254 in binary is _ _ _ _ - _ _ _ _
|
1111-1110
|
|
Take each nibble _____.
|
separately
|
|
1111 = 8+4+2+1 = 15 or _
|
F
|
|
1110 = 8+4+2+0 = 14 or _
|
E
|
|
So ___ is the correct representation of 254 in hex.
|
FEh
|
|
ASCII stands for what?
|
American Code for Information Interchange.
|
|
ASCII differentiates between what?
|
lower and upper case.
|
|
A character set developed to accommodate more characters in a language.
|
Unicode
|
|
This standard allows the interchange of text from one language to another.
|
Unicode
|
|
To search the drive or block of selected text you must create a string or _____ search.
|
keyword
|
|
_____ searches are created and stored for future use.
|
Keyword
|
|
The keywords can be _____ or case level
|
global
|
|
The keywords can be global or _____ level
|
case
|
|
Keywords become global and are stored in the _____.___ file.
|
Keywords.ini
|
|
How do you create a Keyword?
|
Select keyword > Right click > Select new
|
|
When creating a keyword, you will notice that as you type the view shows each letter in _____.
|
Unicode
|
|
By default, when creating a Keyword, the case is not _____ sensitive.
|
case
|
|
Name is a what?
|
Keyword search option
|
|
Case sensitive is a what?
|
Keyword search option
|
|
GREP is a what?
|
Keyword search option
|
|
RTL Reading is a what?
|
Keyword search option
|
|
ANSI Latin-1 is a what?
|
Keyword search option
|
|
Unicode is a search expression found under what?
|
Keyword search option
|
|
Big-Endian Unicode is a search expression found under what?
|
Keyword search option
|
|
UTF-8 is a search expression found under what?
|
Keyword search option
|
|
UTF-7 is a search expression found under what?
|
Keyword search option
|
|
Code page is a search expression found under what?
|
Keyword search option
|
|
Keyword tester is a search option included under what?
|
Keyword search option
|
|
Adding _____ can be accomplished by importing (which uses a previous exported list) or by adding keyword lists.
|
keywords
|
|
Select a folder in the tree pane Right Click and choose Add Keyword list.
|
Keyword list
|
|
Globally search for the Regular Expression and Print
|
GREP Keywords
|
|
EnCase uses ____ because of its power and ease of use.
|
GREP
|
|
GREP is commonly used for _____ _____ number searches
|
Social Security
|
|
References to specific files or data.
|
Bookmarking
|
|
Can be created just about any where in EnCase.
|
Bookmarking
|
|
Highlighted data is the most common _____.
|
Bookmark
|
|
High and Low ASCII can be a _____ type.
|
Bookmark
|
|
Hex can be a _____ type.
|
Bookmark
|
|
Unicode can be a ______ type.
|
Bookmark
|
|
ROT-13 - code is rotated 13 characters to appear encrypted can be a _____ type.
|
Bookmark
|
|
HTML can be a _____ type.
|
Bookmark
|
|
Pictures can be a _____ type.
|
bookmark
|
|
Integers can be a _____ type.
|
Bookmark
|
|
Dates can be a _____ type.
|
Bookmark
|
|
Very useful to help add information into the case.
|
Notes Bookmark
|
|
Used to depict the folder structure in the bookmark.
|
Folder Information Bookmark
|
|
You can create _____ that help show the information you acquired.
|
reports
|
|
A reference to a file that contains significant information to your case is called a _____ file bookmark.
|
Notable
|
|
With a notable file bookmark, the data is not bookmarked; just the _____ of the file are bookmarked.
|
attributes
|
|
_____ are essential when annotating data and making reports.
|
Bookmarks
|
|
EnCase 6 allows us to index the data to assist us in searching data. This is called _____ Searches.
|
Indexed
|
|
You first must create an index by running the _____ case tool.
|
index
|
|
Creating _____ is an essential part of forensics.
|
reports
|
|
EnCase provides _____ _____ reports that are very useful and easy to create.
|
web page
|
|
When you have created the bookmarks you desire and want to export them to a web page it is as easy as right clicking in the _____ pane and choose the export option as a web page.
|
table
|
|
When you have created the bookmarks you desire and want to export them to a web page it is as easy as right clicking in the table pane and choose the _____ option as a web page.
|
export
|
|
Checksum does not see _____.
Ex. 1234 and 4321 will produce the same checksum.
|
order
|
|
_____ is a fixed size arbitrary block of data.
Ex. SSN, bank accounts, etc.
|
Checksum
|
|
CRC
|
Cyclical Redundancy Check
|
|
CRC is a variation of _____.
|
checksum
|
|
CRC is _____ sensitive
|
order
|
|
Most hard drives store 1 CRC for every _____.
|
sector
|
|
When a CRC value of a sector does not match a value recomputed by the drive hardware a ___-_____ read error occurs.
|
low-level
|
|
The odds that two sectors containing different data will produce the same CRC is roughly one in a _____.
|
billion
|
|
Every byte of the file is verified using a __-bit CRC, making it extremely difficult, if not impossible, to tamper with the evidence once it has been acquired. This allows the investigators and legal team to confidently stand by the evidence in court.
|
32
|
|
EnCase computes a CRC for every block of __ sectors (32KB) written to the Evidence File.
|
64
|
|
EnCase computes a CRC for every block of 64 sectors (32KB) written to the ______ File.
|
Evidence
|
|
EnCase uses an industry standard _____ algorithm to achieve an average size reduction of 50%.
|
compression
|
|
EnCase uses an industry standard compression algorithm to achieve an average size reduction of __%.
|
50
|
|
Compression _____ has any effect on the final evidence, and compressed blocks are checked for validity in the same way as uncompressed ones.
|
NEVER
|
|
You can __-_____ an Evidence File manually, just click on the Case tab and select the appropriate Evidence File. RIGHT-CLICK and select Verify File Integrity. A confirmation box will appear.
|
re-verify
|
|
You can re-verify an Evidence File manually, just click on the Case tab and select the appropriate Evidence File. RIGHT-CLICK and select _____ _____ _____. A confirmation box will appear.
|
Verify File Integrity
|
|
EnCase calculates an ___ hash when it acquires a physical drive or logical volume.
|
MD5
|
|
The _____ value is written into the Evidence File and becomes part of the documentation of the evidence.
|
hash
|
|
The hash value that is stored in the Evidence File and the hash value that is computed when the Evidence File is added to a case both appear in the Report for immediate _____ that the Evidence File has not changed since it was acquired.
|
confirmation
|
|
A _____ file is a text file that contains pointers to the evidence and additional information specific to that case, such as bookmarks, search results, sorts, hash analysis and signature analysis results.
|
case
|
|
A _____ file is created when the user saves the case.
|
case
|
|
In the Status Bar, PS is the _____.
|
Physical Sector number
|
|
In the Status Bar, LS is the _____.
|
Logical Sector number
|
|
In the Status Bar, CL is the _____.
|
Cluster number
|
|
In the Status Bar, SO is the _____.
|
Sector Offset
|
|
The distance in bytes from the beginning of the sector.
|
Sector Offset
|
|
In the Status Bar, FO is the _____.
|
File Offset
|
|
The File _____ is the distance in bytes from the beginning of the file.
|
Offset
|
|
In the Status Bar, LE is the _____.
|
Length
|
|
The number in bytes of the selected area.
|
Length
|
|
There are _____ different types of bookmarks.
|
Five
|
|
A _____ File Bookmark is any one file that was bookmarked individually. This is a fully customizable bookmark.
|
Notable
|
|
Created by sweeping data. This is a fully customizable bookmark.
|
Highlighted Data Bookmark
|
|
Allows the investigator to write anything into the Report. It has a few formatting features, and is not a bookmark of evidence.
|
Notes Bookmark
|
|
Bookmarks the tree structure of a folder. There is no comment on this bookmark. Options include showing the device information and the number of columns to use for the tree structure.
|
Folder Information Bookmark
|
|
Indicates that a group of selected files was bookmarked.
|
File Group
|
|
After files are erased, application programs and normal processes of most operating systems will _____ their directory entries.
|
overwrite
|
|
Data is left on the disk with no indication that it is there. Searching the _____ space for known file headers and their associated end-of-file markers (if any) is one method of identifying such data.
|
unallocated
|
|
To view certain file _____ you want to search for, click on View and File Signatures…
|
headers
|
|
Place a blue checkmark in the _____ space to search this space.
|
Unallocated
|
|
Possibly go to Keywords view and create a new folder called File _____…
|
Headers
|
|
Make sure to have ____ selected when searching unallocated space.
|
GREP
|
|
When searching unallocated space, you Right Click and choose _____.
|
edit
|
|
When searching unallocated disk space, after right-clicking and choosing edit, you will see a _____ expression. Copy the expression into your new signature and name it whatever you want to help you know what it is.
|
search
|
|
Once the search is completed, review the _____ to determine the relevance to the investigation.
|
hits
|
|
To see the search hits as pictures, in the right pane, table view, scroll to the column entitled _____, which is deactivated for all search hits.
|
Picture
|
|
Select/Blue Check all search hits, right-click anywhere in the Picture column, and select _____-_____ Selected Items. You can now view the pictures in the bottom pane or switch the view above the right pane to Gallery.
|
Picture-Invert
|
|
EnCase will read the structure of the evidence files and will alert the examiner that the three hard drives formed some type of _____ array.
|
RAID
|
|
To virtually recreate the software _____, you must scan the disk configuration of the drive containing the keys to the _____.
|
RAID
|
|
In this case, it is the boot disk containing the operating system forming the RAID. Right-click on the _____ drive and scan its configuration.
|
boot
|
|
EnCase will virtually recreate the _____ RAID, including the last assigned volume drive letter. You can then browse and search the logical file structure.
|
software
|
|
EnCase will virtually recreate the software RAID, including the last assigned _____ drive letter. You can then browse and search the logical file structure.
|
volume
|
|
EnCase will virtually recreate the software RAID, including the last assigned volume drive letter. You can then browse and search the _____ file structure.
|
logical
|
|
The EnCase evidence file is best described as follows:
A. A mirror image of the source device written to a hard drive B. A sector-by-sector image of the source device written to corresponding sectors of a secondary hard drive C. A bitstream image of a source device written to the corresponding sectors of a secondary hard drive D. A bitstream image of a source device written to a file or several file segments |
D. An EnCase evidence file is a bitstream image of a source device such as a hard drive, CD-ROM, or floppy disk written to a file (.E01) or several file segments (.E02, .E03, and so on).
|
|
How does EnCase verify the contents of an evidence file?
A. EnCase writes an MD5 hash value for every 32 sectors copied. B. EnCase writes an MD5 value for every 64 sectors copied. C. EnCase writes a CRC value for every 32 sectors copied. D. EnCase writes a CRC value for every 64 sectors copied. |
EnCase writes a CRC value for every 64 sectors copied, by default. If the block size has been increased, the CRC frequency will be adjusted accordingly.
|
|
What is the smallest file size that an EnCase evidence file can be saved as?
A. 64 sectors B. 512 sectors C. 1 MB D. 2MB E. 640MB |
The smallest file size that an EnCase evidence file can be saved as is 1 MB.
|
|
What is the largest file segment size that an EnCase evidence file can be saved as?
A. 640MB B. 1 GB C. 2GB D. No maximum limit |
The biggest file size that an EnCase evidence file can be saved as is 2 GB.
|
|
How does EnCase verify that the evidence file contains an exact copy of the source device?
A. By comparing the MD5 hash value of the source device to the MD5 hash value of the data stored in the evidence file B. By comparing the CRC value of the source device to the CRC of the data stored in the evidence file C. By comparing the MD5 hash value of the source device to the MD5 hash value of the entire evidence file D. By comparing the CRC value of the source device to the CRC value of the entire evidence file |
A. EnCase compares the MD5 hash value of the source device to the MD5 hash value of just the data stored in the evidence file, not the entire contents of the evidence file, such as case information and CRC values of each data block.
|
|
How does EnCase verify that the case information—such as case number, evidence number, notes, and so on—in an evidence file has not been damaged or altered after the evidence file has been written?
A. The case file writes a CRC value for the case information and verifies it when the case is opened. B. EnCase does not verify the case information because it can be changed at any time. C. EnCase writes a CRC value for the case information and verifies the CRC value when the evidence is added to a case. D. EnCase writes an MD5 value of the case information and verifies the MD5 value when the evidence is added to a case. |
C. EnCase calculates a CRC value for the case information, which is verified when the evidence file is added to a case.
|
|
For an EnCase evidence file to successfully pass the file verification process, which of the following must be true?
A. The MD5 hash value must verify. B. The CRC values and the MD5 hash value both must verify. C. Either the CRC or MD5 hash values must verify. D. The CRC values must verify. |
B. When an evidence file containing an MD5 hash value is added to a case, EnCase verifies both the CRC and MD5 hash values.
|
|
The MD5 hash algorithm produces a _____ value.
A. 32-bit B. 64-bit C. 128-bit D. 256-bit |
C. The MD5 hash algorithm produces a 128-bit value.
|
|
The MD5 hash algorithm is _____ hexadecimal characters in length.
A. 16 B. 32 C. 64 D. 128 |
B. The MD5 hash algorithm is 32 characters in length.
|
|
If an evidence file has been added to a case and completely verified, what happens if the data area within the evidence file is later altered?
A. EnCase will detect the error when that area of the evidence file is accessed by the user. B. EnCase will detect the error if the evidence file is manually reverified. C. EnCase will allow the examiner to continue to access the rest of the evidence file that has not been changed. D. All of the above. |
D. EnCase will detect the error and will still allow the examiner to access the unaffected areas of the evidence file. |
|
Which of the following aspects of the EnCase evidence file can be changed during a reacquire of the evidence file?
A. Investigator's name B. Evidence number C. Notes D. Evidence file size E. All of the above |
D. The evidence file size can be changed during a reacquire.
|
|
An evidence file was archived onto five CD-ROMs with the third file segment on disc 3. Can the contents of the third file segment be verified by itself while still on the CD-ROM?
A. No. All evidence file segments must be put back together. B. Yes. Any evidence file segment can be verified independently by comparing the CRC values. |
B. EnCase can verify independent evidence file segments by comparing the CRC values of the data blocks.
|
|
Will EnCase allow a user to write data into an acquired evidence file?
A. Yes, when adding notes or comments to bookmarks. B. Yes, when adding search results. C. A and B D. No, data cannot be added to the evidence file after the acquisition is made. |
D. EnCase does not write to the evidence file after the acquisition is complete.
|
|
All investigators using EnCase should run tests on the evidence file acquisition and verification process to do which of the following?
A. To further the investigator’s understanding of the evidence file B. To give more weight to the investigator's testimony in court C. To verify that all hardware and software is functioning properly D. All of the above |
D. As with any forensic tool, the investigator should test the tools to better understand how the tool performs and to verify that it is functioning properly.
|
|
When a noncompressed evidence file is reacquired with compression, the acquisition and verification hash values for the evidence file will remain the same for both files.
A. True B. False |
A. Compressing an evidence file does not change its MD5 hash value.
|
|
Search hit results and bookmarks are stored in the evidence file.
A. True B. False |
B. Search hit results and bookmarks are stored in the case and .cbak files.
|
|
The EnCase evidence file’s logical file name can be changed without affecting the verification of the acquired evidence.
A. True B. False |
A. An EnCase evidence file's logical file name can be renamed without affecting the verification of the acquired evidence.
|
|
An evidence file can not be moved to another directory without changing the file verification.
A. True B. False |
B. EnCase evidence files can be moved without affecting the file verification.
|
|
What happens when EnCase attempts to reopen a case once the evidence file has been moved?
A. EnCase reports that the file's integrity has been compromised and renders the file useless. B. EnCase reports a different hash value for the evidence file. C. EnCase prompts for the location of the evidence file. D. EnCase opens the case, excluding the moved evidence file. |
C. When an evidence file has moved from the previous path, EnCase will prompt for the new location of the evidence file.
|
|
During reacquisition, you can change which of the following? (Choose all that apply.)
A. Block size and error granularity B. Add or remove a password C. Investigator’s name D. Compression |
A, B, D, E. All may be changed during reacquisition with the exception of the investigator's name.
|
|
In the EnCase Windows environment, must an examiner first create a new case before adding a device to examine?
A. Yes B. No |
A. In the Windows environment, you must first create a new case before the Add Device select tool appears on the toolbar.
|
|
Proper file management and organization require that which of the following should be created prior to acquiring evidence?
A. Evidence, Export, Temp, and Index folders B. Unique naming conventions for folders belonging to the same case C. All subfolders saved under one folder with the same unique name D. All of the above |
D. Any folders created for a specific case should be created beforehand, and they should be grouped together under one folder with the same unique name as the case name and case file name.
|
|
The EnCase methodology dictates that the lab drive used to store EnCase evidence files must have which of the following prior to acquiring an image?
A. FAT 32 partition B. NTFS partition C. Clean format D. Previously wiped and sterile partition |
D. A hard drive used to store evidence files should be completely wiped of any data to prevent any chance of cross-contamination.
|
|
When creating a new case, the Case Options dialog box prompts for which of the following?
A. Name or (case name) B. Examiner name C. Default export folder D. Temporary folder E. All of the above |
E. The Case Options dialog box asks for all the options listed when a new case is created.
|
|
What determines the action that will result when a user double-clicks a file within EnCase?
A. The settings in the TEXTSTYLES.INI file B. The settings in the FILETYPES.INI file C. The settings in the FILESIGNATURES.INI file D. The settings in the VIEWERS.INI file |
B. The FILETYPES.INI file stores information on files such as types, extensions, and viewers used to access the file.
|
|
In the EnCase environment, the term external viewers is best described as which of the following?
A. Internal programs that are copied out of an evidence file B. External programs loaded in the evidence file to open specific file types C. External programs that are associated with EnCase to open specific file types D. External viewers used to open a file that has been copied out of an evidence file |
C. External viewers are programs that EnCase uses to open specific file types.
|
|
Where is the list of external viewers kept within EnCase?
A. The settings in the TEXTSTYLES.INI file B. The settings in the FILETYPES.INI file C. The settings in the FILESIGNATURES.INI file D. The settings in the VIEWERS.INI file |
The VIEWERS.INI file stores information on external programs that EnCase uses to open specific file types.
|
|
When the copy/unerase feature is used, EnCase saves the selected file(s) to which folder?
A. Evidence B. Export C. Temp D. None of the above |
B. When EnCase copies selected items or undeletes files, they are saved externally to the Export folder.
|
|
Can the Export folder be moved once it is saved within a case?
A. Yes B. No |
A. Yes. The Export folder can be moved by selecting Tools in the menu bar and selecting Options, and then changing the path of the Default Export Folder on the Case Options tab in the resulting dialog box.
|
|
Files that have been sent to external viewers are copied to which folder?
A. Evidence B. Export C. Temp D. None of the above |
C. When files are opened by external viewers, they are first copied to the Temp folder before the external viewers can access the files.
|
|
The Temp folder of a case cannot be changed once the case has been saved.
A. True B. False |
B. Once a case has been saved, the EnCase user can change the location of the Temp folder by selecting Tools > Options and changing the path of that folder.
|
|
Files stored in the Temp folder are removed once EnCase is properly closed.
A. True B. False |
A. EnCase will empty the Temp folder once the program has properly shut down. However, files will still remain in the Temp folder if EnCase has shut down improperly.
|
|
How do you access the setting to adjust how often a backup file (.cbak) is saved?
A. Select Tools > Options > Case Options B. Select View > Options > Case Options C. Select Tools > Options > Global D. Select View > Options > Global |
C. To adjust the amount of minutes the backup file is saved, select Tools in the menu bar, select Options, and then change the time in the Auto Save Minutes box on the Global tab of the resulting dialog box.
|
|
What is the maximum number of columns that can be sorted simultaneously in the Table view tab?
A. Two B. Three C. Five D. 28 (maximum number of tabs) |
C. EnCase allows the user to sort up to five columns in the Table view tab.
|
|
How would a user reverse-sort on a column in the Table view?
A. Hold down the Ctrl key, and double-click the selected column header. B. Right-click the selected column, select Sort, and select either Sort Ascending or Sort Descending. C. Both A and B. |
C. The user can use either method to reverse-sort on a column.
|
|
How can you hide a column in the Table view?
A. Place the cursor on the selected column, and press Ctrl+H. B. Right-click on the selected column, select Column, and select Hide. C. Right-click on the selected column, select Show Columns, and uncheck the desired fields to be hidden. D. All of the above. |
D. All three methods will hide selected columns from the Table view.
|
|
What does the Gallery view tab use to determine graphics files?
A. Header or file signature B. File extension C. File name D. File size |
B. The Gallery view displays images based on the "File Category - Picture," which is determined by file extensions until such time that a file signature analysis is run.
|
|
Will the EnCase Gallery view display a .jpg file if its file extension was renamed to .txt?
A. No, because EnCase will treat it as a text file. B. Yes, because the Gallery view looks at a file’s header information and not the file extension. C. Yes, but only if a signature analysis is performed to correct the "File Category" to "Picture" based on its file header information. D. Yes, but only after a hash analysis is performed to determine the file's true identity. |
C. When a signature analysis is performed, EnCase will update or correct the "File Category" to "Picture," in this particular case based on the information contained in the file header.
|
|
How would a user change the default colors and text fonts within EnCase?
A. The user cannot change the default colors and fonts settings. B. The user can change the default colors and fonts settings by right-clicking the selected items and scrolling down to Change Colors and Fonts. C. The user can change the default colors and fonts settings by clicking the view tab on the menu bar and selecting the Colors tab or Fonts tab. D. The user can change default colors and fonts settings by clicking the Tools tab on the menu bar, selecting Options, and selecting the Colors tab or Fonts tab. |
D. A user can change the way colors and fonts appear by selecting the Tools tab and then clicking Options to change colors and fonts.
|
|
An EnCase user will always know the exact location of the selected data in the evidence file by looking at which of the following?
A. Data bar B. Dixon box C. Disk view D. Hex view |
A. The navigation data displays the selected data’s exact location, including the full path, physical sector, logical sector number, cluster number, sector offset, and file offset.
|
|
Computers use a numbering system with only two digits, 0 and 1. This system is referred to as which of the following?
A. Hexadecimal B. ASCII C. Binary D. FAT |
C. Binary is a numbering system consisting of 0 and 1 used by computers to process information.
|
|
A bit can have a binary value of which of the following?
A. 0 or 1 B. 0-9 C. 0-9 and A-F D. On or Off |
A. Bi refers to two; therefore, a bit can have only two values, 0 or 1.
|
|
A byte consists of _____ bits.
A. 2 B. 4 C. 8 D. 16 |
C. A byte consists of 8 bits or two 4-bit nibbles, commonly referred to as the left nibble and right nibble.
|
|
If 1 bit can have two unique possibilities, 2 bits can have four unique possibilities, and 3 bits can have eight unique possibilities. This is known as the power of 2. How many unique possibilities are there in 8 bits (2 to the 8th power)?
A. 16 B. 64 C. 128 D. 256 |
D. 2 to the 8th power is 2x2 eight times, or 2x2x2x2x2x2x2x2 = 256.
|
|
When the letter A is represented as 41h, it is displayed in which of the following?
A. Hexadecimal B. ASCII C. Binary D. Decimal |
A. Values expressed with the letter h as a suffix are hexadecimal characters. EnCase can display the letter A in text or hexadecimal formats.
|
|
What is the decimal integer value for the binary code 0000-1001?
A. 7 B. 9 C. 11 D. 1001 |
B. Starting from the right, the bits are "on" for bit positions 1 and 8, which totals 9.
|
|
Select all of the following that depict a Dword value.
A. 00000001 B. 0001 C. FF00 10AF D. 0000 0000 0000 0000 0000 0000 0000 0001 |
C, D. A Dword is a 32-bit value. A is incorrect because it depicts 8 binary bits or one byte. B is incorrect as it depicts 4 binary bits or one nibble. C is correct because it represents four hexadecimal values with each being 8 bits (4 x 8 = 32 bits). D is correct because it represents 32 binary bits. |
|
How many characters can be addressed by the 7-bit ASCII character table? 16-bit Unicode?
A. 64 and 256 B. 128 and 256 C. 64 and 65,536 D. 128 and 65,536 |
D. 2 to the 7th power is 2x2 seven times, or 2x2x2x2x2x2x2 = 128, while 2 to the 16th power is 2x2 sixteen times = 65,536.
|
|
Where does EnCase (version 5 or 6) store keywords?
A. Within each specific case file (.case and .cbak) B. In the KEYWORDS.INI file C. Both A and B D. None of the above |
C. In version 5 and 6, keywords can be saved in specific case files (.case and .cbak) as well as globally in the KEYWORDS.INI file.
|
|
When performing a keyword search in Windows, EnCase searches which of the following?
A. The logical files B. The physical disk in unallocated clusters and other unused disk areas C. Both A and B D. None of the above |
C. EnCase performs a search not only of logical files but of the entire disk to include unallocated clusters and unused disk areas outside the logical partition.
|
|
By default, search terms are case sensitive.
A. True B. False |
B. By default, the Case Sensitive option is not selected; therefore, search terms are not case sensitive unless you select that option.
|
|
By selecting the Unicode box, EnCase searches for both ASCII and Unicode formats.
A. True B. False |
A. By selecting the Unicode box, EnCase will search for both ASCII and Unicode formats.
|
|
With regard to a search using EnCase in the Windows environment, can EnCase find a word or phrase that is fragmented or spans in noncontiguous clusters?
A. No, because the letters are located in noncontiguous clusters. B. No, EnCase performs a physical search only. C. No, unless the File Slack option is deselected in the dialog box before the search. D. Yes, EnCase performs both physical and logical searches. |
D. EnCase can perform both physical searches as well as logical searches for keyword(s) that span noncontiguous clusters.
|
|
Which of the following would be a search hit for the His keyword?
A. this B. His c. history D. Bill_Chisholm@gmail.com E. All of the above |
E. Since the entry allows for characters to precede and follow the keyword, and the default setting does not have the Case Sensitive option enabled, all the selections apply.
|
|
Which of the following would be a search hit for the following GREP expression?
[^a-z]Liz[^a-z] A. Elizabeth B. Lizzy C. Liz1 D. None of the above |
C. The GREP symbol ^ means to exclude the following characters. So the GREP expression in the question excludes the alpha characters (a through z) before and after the keyword but will find nonalpha characters such as numbers.
|
|
Which of the following would be a search hit for the following GREP expression?
[\x00-\x07]\x00\x00\x00. A. 00000001 AOEE-F11 B. Os000OO0AOEE-F1m C. 0A000000AOEEF1 D. 08'000000AOEE-F1a |
B. The GREP expression in the question permits a hexadecimal range from 00 through 07 followed by hexadecimal values 00 00 00 and any other characters. |
|
Which of the following would be a search hit for the following GREP expression?
Jan 1st, 2?0?06 A. Jan 1st, 2006 B. Jan 1st, 06 C. Both A and B D. None of the above |
C. The GREP expression ? calls for the preceding character to be repeated 0 or 1 time. The GREP expression calls for 2 or not, then 0 or not, followed by 06.
|
|
Which of the following will not be a search hit for the following GREP expression?
[^#]123[ \-]45[ \-]6789[^#] A. A1234567890 B. A12345-6789 C. A123-45-6789 D. A123 45 6789 |
A. The GREP expression [^#] means that it cannot be a number, meaning the first character and last character following the 9 can't be numbers. Therefore, A will not return as a search hit because the number 0 follows the number 9.
|
|
A sweep or highlight of a specific range of text is referred to as which of the following?
A. File group bookmark B. Folder information bookmark C. Highlighted data bookmark D. Notable file bookmark E. Notes bookmark |
C. The highlighted data bookmark is a sweep or highlight of a specific text fragment.
|
|
Which of the following is not correct regarding building and querying indexes?
A. To search an index, click the Search button on the toolbar. B. Search hits will appear in the Docs tab and in the Transcript tab. C. The Hits tab appears in the Filters pane and is used to navigate among search hits. D. The indexing tool is an EnScript. E. Conditions are used to query an index. |
A. Searching an index is not conducted from the search button on the toolbar; rather, conditions are used to query the index.
|