EnCE: EnCase Certified Examiner
- Encase Environment -
Upon starting a new case, what two directories should be defined? -
Default EXPORT and TEMP directories.
EnCE Study Guide, Page 2 -
- Encase Environment -
All lab media should be forensically sterile. What does this mean? -
The media should be:
- WIPED of all data
- VERIFIED to be absent of all data
- Freshly partitioned and formatted
EnCE Study Guide, Page 2 -
- Encase Environment -
All lab media should maintain a unique __________, and a unique __________ to receive evidence files. -
- VOLUME LABEL
- DIRECTORY
EnCE Study Guide, Page 2 -
- Encase Environment -
What happens when an examiner double-clicks on a file of a file type known by EnCase? -
The data is copied to the case defined TEMP directory, and the associated viewer is then called to display the file data.
EnCE Study Guide, Page 2 -
- Encase Environment -
What happens to the data files that are copied by EnCase to the case defined TEMP directory? -
When EnCase is PROPERLY shut down, EnCase will DELETE the files from the TEMP folder.
EnCE Study Guide, Page 2 -
- Evidence File -
What is the evidence file? -
It is a BIT STREAM image of the source media written to a file(s).
EnCE Study Guide, Page 2 -
- Evidence File -
Evidence files can be segmented between a range of _____ and _____. -
Min 1 Mb - Max 2000 Mb.
(The default size of an evidence file is 640 Mb.)
EnCE Study Guide, Page 2 -
- Evidence File -
You can add data to an existing evidence file. (TRUE / FALSE) -
FALSE
The contents of an evidence file CANNOT be changed, altered, or modified.
EnCE Study Guide, Page 2 -
- Evidence File -
What does the FIRST block of the evidence file contain? -
It contains the CASE INFORMATION, which is validated by an attached CRC.
EnCE Study Guide, Page 2 -
- Evidence File -
How is the evidence file verified? -
- CRC (32-bit) every 64 sectors
- MD5 (128-bit) computed during the source media acquisition and placed at the end of the evidence file.
ALL CRCs and the MD5 MUST validate and verify.
EnCE Study Guide, Page 3 -
- Evidence File -
If any changes occur to the evidence file (file corruption, etc...), what happens? -
The CRC for the affected block(s) will NO LONGER VERIFY, and EnCase will display an ERROR when any data in that block(s) are accessed.
EnCE Study Guide, Page 3 -
- Evidence File -
Can individual segments of an evidence file be verified? (YES / NO) -
YES
In EnCase, go to <Tools> - <Verify Single Evidence File>
EnCE Study Guide, Page 4 -
- Evidence File -
What three (3) aspects of an evidence file can be changed without impacting the evidence file verification? -
1. Add / Remove PASSWORD protection
2. Change file COMPRESSION
3. Change the file SEGMENT SIZE
EnCE Study Guide, Page 4 -
- Case File -
What is the CASE file? -
It is a TEXT file containing:
- Pointers to evidence file(s)
- Results of searches and analysis (File Signature / Hashes)
- Bookmarks
- Investigator's Notes
EnCE Study Guide, Page 2 -
- Case File -
What is the MAXIMUM number of evidence files that can be added to a single case file? -
There is NO limit. (i.e. 8 HDDs, 200 FDDs, and 24 CDRs)
EnCE Study Guide, Page 3 -
- Case File -
What is the file extension for an EnCase version 4.x case file? ...for the back-up case file? -
.CASE for EnCase v4.x
(prior versions used .CAS)
A backup file is created every 10 minutes by default with an extension of .CBK.
EnCE Study Guide, Page 4 -
- Evidence File -
Evidence files can be RENAMED and MOVED without changing their Verification and Validity? (TRUE / FALSE) -
TRUE
The evidence file can be renamed and/or moved to another location; however, EnCase will prompt you to locate the renamed evidence file if it is changed/moved after it has been added to a case.
EnCE Study Guide, Page 4 -
- Configuration Files -
In the EnCase Environment, what are configuration files and how are they used? -
.INI files that store global changes and settings to the EnCase Environment. The global environment dictates the information/tools available for ALL cases.
EnCE Study Guide, Page 3 -
- Configuration Files -
Name the six (6) default configuration files and briefly describe what they are used for... -
FileSignatures.INI - dictates what will happen when a user double-clicks on a specific file.
FileTypes.INI - external viewers are associated with file extensions.
Keywords.INI - stores global keyword lists used during searches.
Filters.INI - available filters used by Encase.
Viewers.INI - all external viewers and their execution path with necessary parameters.
TextStyles.INI - Used to configure display width and font in the bottom pane of the EnCase window.
EnCE Study Guide, Page 3 -
- Searches -
Searches within the EnCase Windows environment are both __________ and __________. -
- PHYSICAL
- LOGICAL
EnCE Study Guide, Pg 4 -
- Searches -
What is UNICODE? -
Unicode uses TWO (2) bytes for each character, allowing the representation of 65,536 characters.
EnCE Study Guide, Pg. 5 -
- Searches -
During a search for a keyword, selecting the UNICODE option will cause EnCase to search for the keyword in both ASCII and UNICODE. (TRUE / FALSE) -
TRUE.
EnCE Study Guide, Pg. 5 -
- Searches -
How is the GREP symbol " ? " used during a search? -
? Means "or not" - joh?n will yield both JON and JOHN.
EnCE Study Guide, Pg. 5 -
- Searches -
How is the GREP symbol " \x " used during a search? -
\x Indicates that the following value is to be treated as a hexadecimal value. (\xFF\xD8\xFF...)
EnCE Study Guide, Pg. 5 -
- Searches -
How is the GREP symbol " * " used during a search? -
* States to repeat the preceding character or set any number of times, including zero times.
EnCE Study Guide, Pg. 4 -
- Searches -
How is the GREP symbol " + " used during a search? -
+ States to repeat the preceding character or set any number of times, but at least once.
EnCE Study Guide, Pg. 4 -
- Searches -
How is the GREP symbol " ^ " used during a search? -
^ States "not" - [^a-z] = NO alpha characters from a to z.
EnCE Study Guide, Pg. 4 -
- Searches -
How is the GREP symbol " - " used during a search? -
- Denotes a range of characters, as in [1-9] or [a-z].
EnCE Study Guide, Pg. 4 -
- Searches -
How are the GREP symbols " [ ] " used during a search? -
[ ] Square brackets form a set. The included values within the set have to match a single character. [1-9] will match any single numeric value from 1 to 9.
EnCE Study Guide, Pg. 4 -
- Searches -
Default settings for the EnCase BOOT DISK search do NOT include case sensitivity, GREP or UNICODE. (TRUE / FALSE) -
TRUE
EnCE Study Guide, Pg. 4 -
- Searches -
Searches in unallocated space are (Physical / Logical) only. (Choose one) -
Searches in unallocated space are PHYSICAL only, as no logical definitions exist in this area.
EnCE Study Guide, Pg. 4 -
- Searches -
In the EnCase Windows environment, searches will find keywords in non-contiguous clusters in unallocated space. (TRUE / FALSE) -
FALSE
No searching tool will find keywords in non-contiguous clusters in unallocated space.
EnCE Study Guide, Pg. 4 -
- File Signatures -
Within the EnCase Environment, what does the File Signatures function do? -
It simply compares the displayed file extension with the file's header/signature.
EnCE Study Guide, Pg. 5 -
- File Signatures -
The File Signature table in EnCase CANNOT be changed. (TRUE / FALSE) -
FALSE.
The File Signature table CAN be edited and/or added to by accessing the table, and choosing [right-click]-New.
EnCE Study Guide, Pg. 5 -
- File Signatures -
After adding a device to your case, you immediately go to the Gallery View tab, as this will display all supported image files, even if they maintain extensions inconsistent with image files. (TRUE/FALSE) -
FALSE
The Gallery View will NOT display image files with incorrect extensions until the File Signature Analysis function has been run.
EnCE Study Guide, Pg. 5 -
- File Signatures -
After running the File Signature Analysis function, a file shows " !Bad Signature " as the result. What does this mean? -
!Bad Signature - The extension is in the File Signature table, but the header is incorrect and the header is not in the File Signatures table.
BAD -> [header].[ext] <- GOOD
EnCE Study Guide, Pg. 5 -
- File Signatures -
After running the File Signature Analysis function, a file shows " *[Alias] " as the result. What does this mean? -
*[Alias] - The header is in the table and the extension is incorrect. This indicates a file with a renamed extension.
GOOD -> [header].[ext] <- BAD
EnCE Study Guide, Pg. 5 -
- File Signatures -
After running the File Signature Analysis function, a file shows " MATCH " as the result. What does this mean? -
MATCH - The header matches the extension. If the extension has no header in the File Signatures table then EnCase will return a MATCH as long as the header of the file does not match any header in the File Signatures table.
GOOD -> [header].[ext] <- GOOD
EnCE Study Guide, Pg. 5 -
- File Signatures -
Before running the File Signature Analysis function, the Gallery View will display all supported image files, even if they maintain extensions inconsistent with image files. (TRUE/FALSE) -
FALSE
The Gallery View will NOT display image files with incorrect extensions until the File Signature Analysis function has been run.
EnCE Study Guide, Pg. 5 -
- File Signatures -
After running the File Signature Analysis function, a file shows " UNKNOWN " as the result. What does this mean? -
UNKNOWN - Indicates that neither the header/signature nor the extension is listed in the table. If either the header/signature or the extension is listed in the table, you will NOT obtain a value of UNKNOWN.
UNKNOWN -> [header].[ext] <- UNKNOWN
EnCE Study Guide, Pg. 5 -
- Hash Analysis -
The hash value computed for a given file is based upon the physical file, including the file's slack area. (TRUE / FALSE) -
FALSE
The hash value is computed on the LOGICAL file only.
EnCE Study Guide, Pg. 6 -
- Hash Analysis -
The hash value for a file will change if it is moved to another Folder/Directory. (TRUE / FALSE) -
FALSE
The Folder/Directory that a file resides within has NO bearing on its hash value.
EnCE Study Guide, Pg. 6 -
- Hash Analysis -
What purpose does a Hash Analysis serve for the Examiner? -
Hash Analysis allows the examiner to identify files that are known - either as innocuous files that can be ignored, or as files that are evidentiary in content.
EnCE Study Guide, Pg. 6 -
- Hash Analysis -
A file's content can be recreated based on the computed hash value of that file. (TRUE / FALSE) -
FALSE
A file CANNOT be created from the file's computed hash value.
EnCE Study Guide, Pg. 6 -
- ASCII and Binary -
What does ASCII stand for? -
American Standard Code for Information Exchange.
EnCE Study Guide, Pg. 6 -
- ASCII and Binary -
The ASCII Table is a _____ - Bit table. -
The ASCII table is a 7-bit table. The resultant 128 values represent alpha/numeric values, common punctuation, etc.
EnCE Study Guide, Pg. 6 -
- ASCII and Binary -
What does the "LE" indicator within EnCase indicate? -
It indicates the number of BYTES that have been selected / swept / highlighted.
EnCE Study Guide, Pg. 6 -
- ASCII and Binary -
Nibble = _____
Byte = _____
Word = _____
DWord = _____ -
Nibble = 4 bits (16 possible values)
Byte = 8 bits (256 possible values)
Word = 2 bytes (16 bits)
DWord = 4 bytes (32 bits)
EnCE Study Guide, Pg. 6 -
- File Systems -
Only one file can occupy a CLUSTER at one time. (TRUE / FALSE) -
TRUE
No two files can occupy the same cluster.
EnCE Study Guide, Pg. 7 -
- File System -
___________ file size is the amount of actual media space allocated to the file.
Choose One:
- Physical
- Logical
- Allocated -
PHYSICAL
EnCE Study Guide, Pg. 7 -
- File System -
___________ file size is the actual number of bytes that the file contains.
Choose One:
- Physical
- Logical
- Allocated -
LOGICAL
EnCE Study Guide, Pg. 7 -
- File System -
By default, each sector contains ____ data bytes. -
512 data bytes. This size is consistent across different media types. (ZIP Disks, Floppies, HDD, etc...)
EnCE Study Guide, Pg. 7 -
- File System -
Each FAT volume maintains how many copies of the FAT? -
It maintains two (2) copies of the FAT - FAT1 and FAT2.
EnCE Study Guide, Pg. 7 -
- File System -
The number of clusters that a file system can manage is determined by the available number of _____ employed by the FAT.
Choose One:
- bytes
- bits
- sectors
- blocks -
BITS.
FAT16 (2^16) - allows 65,536 clusters
FAT32 (2^32) - allows 268,435,456 clusters
EnCE Study Guide, Pg. 7 -
- File System -
The FAT file systems (FAT12, FAT16, FAT32) group one or more sectors, in powers of 2, into _________.
Choose One:
- Blocks
- Clusters
- Groups -
CLUSTERS
EnCE Study Guide, Pg. 7 -
- File System -
The FAT maintains information regarding the status of all the clusters on the volume. What are some of these settings? -
- Available
- End of File
- BAD
- In Use
EnCE Study Guide, Pg. 7 -
- Slack Space -
What is Slack Space? -
It is the data from the end of the logical file to the end of the physical file. EnCase displays this data in RED text.
EnCE Study Guide, Pg. 7 -
- Slack Space -
EnCase displays Slack Space in red text. By default, what other entry is also displayed in red and why? -
Directory entries are also displayed in red. Neither slack nor directories have any logical size.
EnCE Study Guide, Pg. 7 -
- Deleted Files -
How does EnCase determine if a deleted file has been overwritten? -
If the starting extent (cluster) is in use by another file.
EnCE Study Guide, Pg. 8 -
- Deleted Files -
Deleting a file has NO effect on the actual data in FAT or NTFS. (TRUE / FALSE) -
TRUE
EnCE Study Guide, Pg. 8 -
- Deleted Files -
What two (2) actions occur when a file is deleted from a FAT system? -
1. The first character of the directory entry pertaining to the file is changed to E5h.
2. The values within the FAT that pertain to this file are reset to zero (available).
EnCE Study Guide, Pg. 8 -
- Computer Hardware and Systems -
What does BIOS stand for? -
BIOS = Basic Input Output System
EnCE Study Guide, Pg. 8 -
- Computer Hardware and Systems -
What does the BIOS do? -
It is responsible for the initial checking of the system components and initial configuration of the system once power is turned on.
EnCE Study Guide, Pg. 8 -
- Computer Hardware and Systems -
What does the Examiner access to determine the target system boot sequence and system date/time? -
The system's BIOS (Basic Input/Output System).
EnCE Study Guide, Pg. 8 -
- Computer Hardware and Systems -
What is RAM? -
Random Access Memory - stores data temporarily and is accessible immediately to the Operating System.
EnCE Study Guide, Pg. 8 -
- Computer Hardware and Systems -
What is ROM? -
Read Only Memory
EnCE Study Guide, Pg. 8 -
- Computer Hardware and Systems -
What is CPU? -
Central Processing Unit. This is the actual processor chip, NOT the whole computer system. It is normally located on the system motherboard.
EnCE Study Guide, Pg. 8 -
- Computer Hardware and Systems -
What is the first activity taken by a computer system after power is applied? -
POST - Power On Self Test. This includes the testing of identified attached devices on the system bus.
EnCE Study Guide, Pg. 9 -
- Computer Hardware and Systems -
When are drive letters assigned by the operating system? -
During the boot process. Note these letters are NOT written to the media.
EnCE Study Guide, Pg. 9 -
- Computer Hardware and Systems -
In order for media to be bootable it must maintain a _________________. -
Bootable partition / volume, and in the case of HDDs it must also be set to Active.
EnCE Study Guide, Pg. 9 -
- Computer Hardware and Systems -
What are some examples of Add-In Cards? -
SCSI Host Card, Video Card, Network Interface Card (NIC), etc...
EnCE Study Guide, Pg. 9 -
- HDD's -
How are most standard IDE Drives configured for the roles of MASTER/SLAVE/CABLE? -
Through the use of Jumper PINs on the physical drive.
EnCE Study Guide, Pg. 9 -
- HDD's -
SCSI drives follow the same methodology as IDE drives of MASTER/SLAVE. (TRUE / FALSE) -
FALSE.
SCSI drives are assigned ID numbers, usually by a jumper PIN on the physical drive.
EnCE Study Guide, Pg. 9 -
- HDD's -
What is the formula for determining hard drive capacity (CHS geometry)? -
Clusters x Heads x Sectors x 512
EnCE Study Guide, Pg. 9 -
- HDD's -
What is contained in the first sector of a standard hard drive? -
The MASTER BOOT RECORD. In the Windows and Linux operating system environment, the partition table is also located here.
EnCE Study Guide, Pg. 9 -
- HDD's -
What is contained in the first sector of each defined partition on a physical hard drive? -
VOLUME BOOT RECORD.
EnCE Study Guide, Pg. 9 -
- HDD's -
The partition Master Boot Record (MBR) can maintain how many entries? What is each record's length? -
The MBR can maintain four (4) records, each 16 Bytes in length.
EnCE Study Guide, Pg. 9 -
- First Response -
Using EnCase while doing an on-site triage, what are the four (4) options for previewing a drive? -
1. FastBloc
2. Parallel Cable
3. Network Cable
4. Boot Disk Text Search
EnCE Study Guide, Pg. 10 -
- First Response -
Why is it important to boot a target system with a Forensic Boot Disk? -
To prevent writes to the target hard drive and the default mounting of a compressed volume.
EnCE Study Guide, Pg. 10 -
- First Response -
What two files need to be modified on a standard DOS boot disk to make it forensically sound? -
1. IO.SYS
2. COMMAND.COM
Also, the drvspace.bin command must be removed.
EnCE Study Guide, Pg. 10 -
- First Response -
Run through the basic procedure for a forensic system takedown. -
1. Photograph environment
2. External inspection
3. Label connections
4. Internal inspection
5. Disconnect power/data cables from HDD
6. Boot with EnCase boot disk
7. Access BIOS - note date/time and boot sequence
EnCE Study Guide, Pg. 10 -
- First Response -
Using the EnCase Boot Disk, you will be able to see ALL file systems, including NT logical partitions, Linux, Unix, and MAC HFS. (TRUE / FALSE) -
FALSE.
The EnCase boot disk uses DOS, which cannot understand other file systems. You should obtain the physical disk evidence file, and then resolve the file structure using EnCase.
EnCE Study Guide, Pg. 10 -
- Restoring Evidence Files -
Evidence files can be restored to media of equal OR greater size. (TRUE / FALSE) -
TRUE.
EnCE Study Guide, Pg. 10 -
- Restoring Evidence Files -
How can you verify that the restore completed properly and that it is an exact match to the original media? -
The MD5 hash value of a properly restored evidence file will match the value maintained within the evidence file.
EnCE Study Guide, Pg. 10 -
- Restoring Evidence Files -
When restoring evidence files of a logical partition, the file system it is being restored to must match the original. (TRUE / FALSE) -
TRUE.
EnCE Study Guide, Pg. 10 -
- OS Artifacts -
Where do you commonly see BASE64 encoded files? -
Email Attachments.
EnCE Study Guide, Pg. 10 -
- OS Artifacts -
Where do Windows 2000 and XP store users' personal folders? -
"C:\Documents and Settings"
EnCE Study Guide, Pg. 10 -
- OS Artifacts -
What are .LNK files? -
.lnk are "shortcut" files created by the Windows operating system to files manipulated by the logged in user. They can show dates, times, and full path to the target file.
-
- OS Artifacts -
Name some of the more common artifact locations in the Windows 9X operating environment. -
C:\Windows\Recent
C:\Windows\Desktop
C:\Windows\Send To
C:\Windows\Temp -
- OS Artifacts -
In DOS/Windows environments, what is the length of FAT Directory entries? -
32 Bytes in Length.
-
- Legal -
Every printed document from a computer is considered an "Original". (TRUE / FALSE) -
TRUE.
EnCE Study Guide, Pg. 11 -
- Legal -
Compression of evidence files has no bearing on the validity or admissibility of the data. (TRUE / FALSE) -
TRUE.
Courts have ruled that the manner in which data is maintained, while in storage, is not relevant, as long as the data is accurately portrayed when accessed and presented in a printout or other output, readable by sight. -
- Legal -
What is meant by the legal term "Daubert"? -
It is a legal test employed by US courts to determine if a scientific or technical process is acceptable.
EnCE Study Guide, Pg. 11 -
- Legal -
What are the three basic questions asked to determine if a process is acceptable under Daubert? -
1. Has the process been tested and subjected to peer review?
2. Does the process/application maintain general acceptance within the related community?
3. Can the findings be duplicated/repeated? -
- Legal -
If the original evidence must be returned to the owner, can the EnCase Evidence files be considered "Best Evidence"? -
Yes.
EnCE Study Guide, Pg. 11 -
- OS Artifacts -
What type of files are commonly associated with printing in the Windows operating system? -
.emf / .spl / .shd
-
- First Response -
If the file system is not supported by EnCase, the Examiner cannot use EnCase to do the examination. (TRUE / FALSE) -
FALSE.
The examiner can still do text searches, run EnScripts for file headers and footers, etc... -
- First Response -
You need to do an onsite acquisition of a Windows NT Server. Should you Shut Down the system or pull the power plug? -
Gracefully shut down the system. Generally, servers need to be shut down gracefully. Workstations or personal computers should have the power plug pulled.
-
- Computer Hardware and Systems -
What does IDE stand for? -
Integrated Drive Electronics.