Chapter 4: Acquiring Digital Evidence

1. C. When partitions have been removed or the partitions are not recognized by Linux, EnCase still recognizes the physical drive and acquires it as such.
2. B. LinEn does not have a built-in write blocker. Rather, it relies upon Linux’s automount feature having been disabled.
3. B. Although EnCase only examines the contents within the evidence files, it is still good forensic practice to wipe/sterilize each hard drive prior to reusing it to eliminate the argument of possible cross-contamination.
4. E. You should suspect an HPA or a DCO. Booting with LinEn or using Tableau or FastBloc SE should enable you to see all sectors.
5. C. Digital evidence must be treated like any other evidence, whereas a chain ...

From EnCE EnCase Computer Forensics: The Official EnCase Certified Examiner Study Guide, 3rd Edition.