QUESTION NO: 1
Which three items are displayed in FTK Imager for an individual file in the Properties window? (Choose three.)
A. flags
B. filename
C. hash set
D. timestamps
E. item number
Answer: A,B,D
QUESTION NO: 2
In FTK, which search broadening option allows you to find grammatical variations of the word "kill" such as "killer," "killed," and "killing"?
A. Phonic
B. Synonym
C. Stemming
D. Fuzzy Logic
Answer: C
QUESTION NO: 3
When using FTK Imager to preview a physical drive, which number is assigned to the first logical volume of an extended partition?
A. 2
B. 3
C. 4
D. 5
Answer: D
QUESTION NO: 4
When previewing a physical drive on a local machine with FTK Imager, which statement is true?
A. FTK Imager can block calls to interrupt 13h and prevent writes to suspect media.
Answer: D
QUESTION NO: 5
A. individual files
B. all checked items
C. contents of a folder
D. all currently listed items
Answer: C
QUESTION NO: 6
To obtain protected files on a live machine with FTK Imager, which evidence item should be added?
A. image file
B. currently booted drive
Answer: B
QUESTION NO: 7
What are three image file formats that can be read by FTK Imager? (Choose three.)
A. E01 files
B. raw (dd) image files
C. SafeBack version 2.2 image files
D. SafeBack version 3.0 image files
E. Symantec Ghost compressed image files
Answer: A,B,C
QUESTION NO: 8
Which statement is true about using FTK Imager to simultaneously create multiple images of a single source?
A. In the Image Creation Wizard, you should select the Add Additional Drives option.
B. You should use the Create Multiple Images option to create server image objects.
C. You should note the evidence item source signature and add it to the Image View pane.
D. In the Image Creation Wizard, you should add multiple destination jobs from the same source prior to beginning image creation.
Answer: D
QUESTION NO: 9
FTK Imager allows a user to convert a Raw (dd) image into which two formats? (Choose two.)
A. E01
B. Ghost
C. SMART
D. SafeBack
Answer: A,C
QUESTION NO: 10
You are converting one image file format to another using FTK Imager. Why are the hash values of the original image and the resulting new image the same?
Answer: D
QUESTION NO: 11
How can you use FTK Imager to obtain registry files from a live system?
Answer: A
QUESTION NO: 12
Which statement is true about using FTK Imager to export a folder and its subfolders?
C. Exporting a folder copies only the folder without any files.
D. Exporting a folder will copy all subfolders without the system attribute.
Answer: A
QUESTION NO: 13
You used FTK Imager to create several hash list files. You view the location where the files were exported. What is the file extension type for these files?
Answer: D
QUESTION NO: 14
You create two evidence images from the suspect's drive: suspect.E01 and suspect.001. You want to be able to verify that the image hash values are the same for the suspect.E01 and suspect.001 image files. Which file has the hash value for the Raw (dd) image?
A. suspect.001.txt
B. suspect.E01.txt
C. suspect.001.csv
D. suspect.E01.csv
QUESTION NO: 15
You successfully export and create a file hash list while using FTK Imager. Which three pieces of information are included in this file? (Choose three.)
A. MD5
B. SHA1
C. filename
D. record date
E. date modified
Answer: A,B,C
QUESTION NO: 16
During the execution of a search warrant, you image a suspect drive using FTK Imager and store the Raw (dd) image files on a portable drive. Later, these files are transferred to a server for storage. How do you verify that the information stored on the server is unaltered?
B. load the image into FTK and it automatically performs file verification
C. in FTK Imager, use the Verify Drive/Image function to automatically compare a calculated hash
Answer: D
QUESTION NO: 17
Which three items are contained in an Image Summary File using FTK Imager? (Choose three.)
A. MD5
B. CRC
C. SHA1
D. Sector Count
E. Cluster Count
QUESTION NO: 18
Which two image formats contain an embedded hash value for file verification? (Choose two.)
A. E01
B. S01
C. ISO
D. CUE
E. 001 (dd)
Answer: A,B
QUESTION NO: 19
While analyzing unallocated space, you locate what appears to be a 64-bit Windows date and time. Which FTK Imager feature allows you to display the information as a date and time?
A. INFO2 Filter
B. Base Converter
C. Metadata Parser
Answer: D
QUESTION NO: 20
A. Archive container
B. Java Code container
C. Documents container
D. Internet Files container
Answer: C
QUESTION NO: 21
Answer: D
QUESTION NO: 22
You are using FTK to process e-mail files. In which two areas can e-mail attachments be located? (Choose two.)
B. the From E-mail container in the Overview tab
C. the Evidence Items container in the Overview tab
D. the E-mail Messages container in the Overview tab
Answer: A,B
QUESTION NO: 23
In FTK, which tab provides specific information on the evidence items, file items, file status and file category?
A. E-mail tab
B. Explore tab
C. Overview tab
D. Graphics tab
Answer: C
QUESTION NO: 24
In FTK, you navigate to the Graphics tab at the Case level and you do not see any graphics. What should you do to see all graphics in the case?
QUESTION NO: 25
In FTK, which two formats can be used to export an E-mail message? (Choose two.)
A. raw format
B. XML format
C. PDF format
D. HTML format
E. binary format
Answer: A,D
QUESTION NO: 26
In FTK, when you view the Total File Items container (rather than the Actual Files container), why are there more items than files?
A. Total File Items includes files that are in archive files, while Actual Files does not.
B. Total File Items includes all unfiltered files while Actual Files includes only checked files.
C. Total File Items includes all KFF Ignorables while Actual Files includes only the KFF Alerts.
D. Total File Items includes files that are in the Graphics and E-Mail tabs, while Actual Files only includes files in the Graphics tab while excluding attachments in the E-mail tab.
Answer: A
QUESTION NO: 27
Answer: B
QUESTION NO: 28
A. local drive
B. registry MRU list
C. contents of a folder
D. acquired image of a drive
E. compressed volume files (CVFs)
Answer: A,C,D
QUESTION NO: 29
You want to search for two words within five words of each other. Which search request would accomplish this function?
A. apple by pear w/5
B. June near July w/5
C. supernova w/5 cassiopeia
D. supernova by cassiopeia w/5
Answer: C
QUESTION NO: 30
D. check the Stemming box; check the File Name Pattern box; type %.doc in the pattern container
Answer: A
QUESTION NO: 31
You have processed a case in FTK using all the default options. The investigator supplies you with a list of 400 names in an electronic format. What is the quickest way to search
Answer: D
QUESTION NO: 32
A. 000-000-0000
B. ddd-4-3-dddd-4-3
C. 000-00000-000-ABC
D. 0000-0000-0000-0000
QUESTION NO: 33
You examine evidence and flag several graphic images found in different folders. You now want to
bookmark these items into a single bookmark. Which tab in FTK do you use to view only the
flagged thumbnails?
A. Explore tab
B. Graphics tab
C. Overview tab
D. Bookmark tab
Answer: C
QUESTION NO: 34
Click the Exhibit button.
What change do you make to the file filter shown in the exhibit in order to show only graphics with a logical size between 500 kilobytes and 10 megabytes?
Answer: D
QUESTION NO: 35
FTK uses Data Carving to find which three file types? (Choose three.)
A. JPEG files
B. Yahoo! Chat Archives
C. WPD (WordPerfect Documents)
D. Enhanced Windows Meta Files (EMF)
E. OLE Archive Files (Office Documents)
Answer: A,D,E
QUESTION NO: 36
You are asked to process a case using FTK and to produce a report that only includes selected
D. Supplementary Files
Answer: C
QUESTION NO: 37
Which two options are available in the FTK Report Wizard? (Choose two.)
Answer: A,B
QUESTION NO: 38
Using the FTK Report Wizard, which two options are available in the List by File Path window? (Choose two.)
Answer: B,C
QUESTION NO: 39
Using the FTK Report Wizard, which two options are available in the Bookmarks - A window? (Choose two.)
A. Apply a filter to the list
B. Group all filenames at end of report
Answer: D,E
QUESTION NO: 40
A. highlight the data and select the Hex Value Interpreter tab
B. highlight the data, right-click on the highlighted data and select the Show Hex Interpreter Window
C. select the Hex Value Interpreter tab, highlight the data, right-click on the data to initiate the Hex Interpreter
D. right-click on the data area and select the Show Hex Interpreter Window and highlight the data you want to interpret
Answer: B
QUESTION NO: 41
Which data in the Registry can the Registry Viewer translate for the user? (Choose three.)
Answer: B,C,E
QUESTION NO: 42
What are two functions of the Summary Report in Registry Viewer? (Choose two.)
A. adds individual key values
B. is a template for other registry files
C. displays investigator keyword search results
D. permits searching of registry values based on key headers
Answer: A,B
QUESTION NO: 43
When using Registry Viewer to view a key with 20 values, what option can be used to display only 5 of the 20 values in a report?
A. Report
B. Special Reports
C. Summary Report
D. Add to Report With Children
Answer: C
QUESTION NO: 44
You view a registry file in Registry Viewer. You want to create a report which includes items that you have marked "Add to Report." Which Registry Viewer option accomplishes this task?
A. Common Areas
B. Generate Report
Answer: B
QUESTION NO: 45
Which Registry Viewer function would allow you to automatically document multiple unknown user names?
A. Add to Report
B. Export User List
C. Add to Report with Children
D. Summary Report with Wildcard
Answer: D
QUESTION NO: 46
A. dictionary attack
B. key space attack
C. brute-force attack
D. rainbow table attack
Answer: A
QUESTION NO: 47
Answer: D
QUESTION NO: 48
A. Art of War
B. Entropy Test
C. Advanced EFS Attack
D. Primary Dictionary Attack
Answer: A
QUESTION NO: 49
You are attempting to access data from the Protected Storage System Provider (PSSP) area of a registry. How do you accomplish this using PRTK?
A. You drop the SAM file onto the PRTK interface.
B. You drop the NTUSER.dat file onto the PRTK interface.
C. You use the PSSP Attack Marshal from Registry Viewer.
D. This area cannot be accessed with PRTK as it is a registry file.
Answer: B
QUESTION NO: 50
When using PRTK to attack encrypted files exported from a case, which statement is true?
A. PRTK will request the user access control list from FTK.
B. PRTK will generate temporary copies of decrypted files for printing.
C. FTK will stop all active jobs to allow PRTK to decrypt the exported files.
D. File hash values will change when they are saved in their decrypted format.
Answer: D
QUESTION NO: 51
In FTK, a user may alter the alert or ignore status of individual hash sets within the active KFF. Which utility is used to accomplish this?
Answer: A
QUESTION NO: 52
After creating a case, the Encrypted Files container lists EFS files. However, no decrypted sub-items are present. All other necessary components for EFS decryption are present in the case. Which two files must be used to recover the EFS password for use in FTK? (Choose two.)
A. SAM
B. system
C. SECURITY
D. Master Key
E. FEK Certificate
Answer: A,B
QUESTION NO: 53
C. PRTK and FTK must be installed on the same machine to decrypt EFS files.
D. EFS files must be exported from a case and provided to PRTK for decryption.
Answer: A,C
QUESTION NO: 54
Answer: B
QUESTION NO: 55
Which two Registry Viewer operations can be conducted from FTK? (Choose two.)
A. list SAM file account names in FTK
B. view all registry files from within FTK
C. create subitems of individual keys for FTK
D. export a registry report to the FTK case report
Answer: B,D
QUESTION NO: 56
A. FTK
B. DNA
C. PRTK
D. Registry Viewer
Answer: A
QUESTION NO: 57
Into which two categories can an imported hash set be assigned? (Choose two.)
A. alert
B. ignore
C. contraband
D. system files
QUESTION NO: 58
What happens when a duplicate hash value is imported into a KFF database?
Answer: A
QUESTION NO: 59
You currently store alternate hash libraries on a remote server. Where do you configure FTK to access these files rather than the default library, ADKFFLibrary.hdb?
A. Preferences
B. User Options
C. Analysis Tools
D. Import KFF Hashes
Answer: A
QUESTION NO: 60
A. ftk.exe
B. case.ini
C. case.dat
D. isobuster.dll
Answer: C