A30-327 Exam Questions - Online Test



Exam Code: A30-327 (Practice Exam Latest Test Questions VCE PDF)
Exam Name: AccessData Certified Examiner
Certification Provider: AccessData

Also have A30-327 free dumps questions for you:

NEW QUESTION 1
When previewing a physical drive on a local machine with FTK Imager, which statement is true?

  • A. FTK Imager can block calls to interrupt 13h and prevent writes to suspect media.
  • B. FTK Imager can operate from a USB drive, thus preventing writes to suspect media.
  • C. FTK Imager can operate via a DOS boot disk, thus preventing writes to suspect media.
  • D. FTK Imager should always be used in conjunction with a hardware write protect device to prevent writes to suspect media.

Answer: D

NEW QUESTION 2
Which file should be selected to open an existing case in FTK?

  • A. ftk.exe
  • B. case.ini
  • C. case.dat
  • D. isobuster.dll

Answer: C

NEW QUESTION 3
In FTK, when you view the Total File Items container (rather than the Actual Files container), why are there more items than files?

  • A. Total File Items includes files that are in archive files, while Actual Files does not.
  • B. Total File Items includes all unfiltered files while Actual Files includes only checked files.
  • C. Total File Items includes all KFF Ignorables while Actual Files includes only the KFF Alerts.
  • D. Total File Items includes files that are in the Graphics and E-Mail tabs, while Actual Files only includes files in the Graphics tab while excluding attachments in the E-mail tab.

Answer: A

NEW QUESTION 4
While analyzing unallocated space, you locate what appears to be a 64-bit Windows date and time. Which FTK Imager feature allows you to display the information as a date and time?

  • A. INFO2 Filter
  • B. Base Converter
  • C. Metadata Parser
  • D. Hex Value Interpreter

Answer: D

NEW QUESTION 5
What are two functions of the Summary Report in Registry Viewer? (Choose two.)

  • A. Mastered
  • B. Not Mastered

Answer: A

NEW QUESTION 6
When adding data to FTK, which statement about DriveFreeSpace is true?

  • A. Mastered
  • B. Not Mastered

Answer: A

NEW QUESTION 7
You are attempting to access data from the Protected Storage System Provider (PSSP) area of a registry. How do you accomplish this using PRTK?

  • A. You drop the SAM file onto the PRTK interface.
  • B. You drop the NTUSER.dat file onto the PRTK interface.
  • C. You use the PSSP Attack Marshal from Registry Viewer.
  • D. This area can not be accessed with PRTK as it is a registry file.

Answer: B

NEW QUESTION 8
In PRTK, which type of attack uses word lists?

  • A. dictionary attack
  • B. key space attack
  • C. brute-force attack
  • D. rainbow table attack

Answer: A

NEW QUESTION 9
When using FTK Imager to preview a physical drive, which number is assigned to the first logical volume of an extended partition?

  • A. 2
  • B. 3
  • C. 4
  • D. 5

Answer: D

NEW QUESTION 10
In FTK, you navigate to the Graphics tab at the Case level and you do not see any graphics. What should you do to see all graphics in the case?

  • A. list all descendants
  • B. run the graphic files filter
  • C. check all items in the current list
  • D. select the Graphics container button

Answer: A

NEW QUESTION 11
You are using FTK to process e-mail files. In which two areas can E-mail attachments be located? (Choose two.)

  • A. the E-mail tab
  • B. the From E-mail container in the Overview tab
  • C. the Evidence Items container in the Overview tab
  • D. the E-mail Messages container in the Overview tab

Answer: AB

NEW QUESTION 12
You used FTK Imager to create several hash list files. You view the location where the files were exported. What is the file extension type for these files?

  • A. .txt = ASCII Text File
  • B. .dif = Data Interchange Format
  • C. .prn = Formatted Text Delimited
  • D. .csv = Comma Separated Values

Answer: D

NEW QUESTION 13
FTK Imager can be invoked from within which program?

  • A. FTK
  • B. DNA
  • C. PRTK
  • D. Registry Viewer

Answer: A

NEW QUESTION 14
You view a registry file in Registry Viewer. You want to create a report, which includes items that you have marked "Add to Report." Which Registry Viewer option accomplishes this task?

  • A. Common Areas
  • B. Generate Report
  • C. Define Summary Report
  • D. Manage Summary Reports

Answer: B

NEW QUESTION 15
In FTK, which two formats can be used to export an E-mail message? (Choose two.)

  • A. raw format
  • B. XML format
  • C. PDF format
  • D. HTML format
  • E. binary format

Answer: AD

NEW QUESTION 16
FTK uses Data Carving to find which three file types? (Choose three.)

  • A. JPEG files
  • B. Yahoo! Chat Archives
  • C. WPD (Word Perfect Documents)
  • D. Enhanced Windows Meta Files (EMF)
  • E. OLE Archive Files (Office Documents)

Answer: A

Explanation:
What happens when a duplicate hash value is imported into a KFF database?
A. It will not be accepted.
B. It will be marked as a duplicate.
C. The database will be corrupted.
D. The database will hide the duplicate.

NEW QUESTION 17
You create two evidence images from the suspect's drive: suspect.E01 and suspect.001. You want to be able to verify that the image hash values are the same for suspect.E01 and suspect.001 image files. Which file has the hash value for the Raw (dd) image?

  • A. suspect.001.txt
  • B. suspect.E01.txt
  • C. suspect.001.csv
  • D. suspect.E01.csv

Answer: A

NEW QUESTION 18
Which data in the Registry can the Registry Viewer translate for the user? (Choose three.)

  • A. calculate MD5 hashes of individual keys
  • B. translate the MRUs in chronological order
  • C. present data stored in null terminated keys
  • D. present the date and time of each typed URL
  • E. View Protected Storage System Provider (PSSP) data

Answer: BCE

NEW QUESTION 19
A. E01 files

  • A. raw (dd) image files
  • B. SafeBack version 2.2 image files
  • C. SafeBack version 3.0 image files
  • D. Symantec Ghost compressed image files

Answer: ABC

NEW QUESTION 20
Which Registry Viewer function would allow you to automatically document multiple unknown user names?

  • A. Add to Report
  • B. Export User List
  • C. Add to Report with Children
  • D. Summary Report with Wildcard

Answer: D

NEW QUESTION 21
You want to search for two words within five words of each other. Which search request would accomplish this function?

  • A. apple by pear w/5
  • B. June near July w/5
  • C. supernova w/5 cassiopeia
  • D. supernova by cassiopeia w/5

Answer: C

NEW QUESTION 22
A. highlight the data and select the Hex Value Interpreter tab

  • A. highlight the data, right-click on the highlighted data and select the Show Hex Interpreter Window
  • B. select the Hex Value Interpreter tab, highlight the data, right-click on the data to initiate the Hex Interpreter
  • C. right-click on the data area and select the Show Hex Interpreter Window and highlight the data you want to interpret

Answer: B

NEW QUESTION 23
Which three items are displayed in FTK Imager for an individual file in the Properties window? (Choose three.)

  • A. flags
  • B. filename
  • C. hash set
  • D. timestamps
  • E. item number

Answer: ABD

NEW QUESTION 24
You have processed a case in FTK using all the default options. The investigator supplies you with a list of 400 names in an electronic format. What is the quickest way to search unallocated space for all of these names?

  • A. build a dtSearch string with all 400 names
  • B. create a Regular Expression with all the names
  • C. make an imported text file of the names in Live Search
  • D. use an imported text file containing the names in Indexed Search

Answer: D

NEW QUESTION 25
Which statement is true about Processes to Perform in FTK?

  • A. Processing options can be chosen only when adding evidence.
  • B. Processing options can be chosen during or after adding evidence.
  • C. Processing options can be chosen only after evidence has been added.
  • D. If processing is not performed while adding evidence, the case must be started again.

Answer: B
