GD0-110 Certification Exam for EnCE Outside North America Questions and Answers

The end of a logical file to the end of the cluster that the file ends in is called:

Select the appropriate name for the highlighted area of the binary numbers.

The FAT in the File Allocation Table file system keeps track of:

A FAT directory has as a logical size of:

Temp files created by EnCase are deleted when EnCase is properly closed.

Within EnCase for Windows, the search process is:

The results of a hash analysis on an evidence file that has been added to a case will be stored in which of the following files?

The EnCase evidence file logical filename can be changed without affecting the verification of the acquired evidence.

Calls to the C:\ volume of the hard drive are not made by DOS when a computer is booted with a standard DOS 6.22 boot disk.

By default, what color does EnCase use for slack?

A hash set would most accurately be described as:

In the EnCase environment, the term uxternal viewers is best described as:

When a file is deleted in the FAT or NTFS file systems, what happens to the data on the hard drive?

When a non-compressed evidence file is reacquired with compression, the acquisition and verification hash values for the evidence will remain the same for both files.

The spool files that are created during a print job are __________ after the print job is completed.

A standard Windows 98 boot disk is acceptable for booting a suspect drive.

In Windows, the file MyNote.txt is deleted from C Drive and is automatically sent to the recycle Bin. The long filename was MyNote.txt and the short filename was MYNOTE.TXT. When viewing the recycle Bin with EnCase, how will the long filename and short filename appear?

ROM is an acronym for:

When an EnCase user double-clicks on a valid .jpg file, that file is:

You are investigating a case involving fraud. You seized a computer from a suspect who stated that the computer is not used by anyone other than himself. The computer has Windows 98 installed on the hard drive. You find the filename C:\downloads\check01.jpg?that EnCase shows as being moved. The starting extent is 0C4057. You find another filename C:\downloads\chk1.dll with the starting extent 0C4057, which EnCase also shows as being moved. In the C:\windows\System folder you find an allocated file named chk1.dll with the starting extent 0C4057. The chk1.dll file is a JPEG image of a counterfeit check. Could this information be used to refute the suspect claim that he never knew it was on the computer?

To undelete a file in the FAT file system, EnCase computes the number of _______ the file will use based on the file ______.

Which of the following directories contain the information that is found on a Windows 98 Desktop?

A sector on a hard drive contains how many bytes?