Review Questions

1. The EnCase evidence file is best described as follows:

A. A mirror image of the source device written to a hard drive

B. A sector-by-sector image of the source device written to corresponding sectors of a secondary hard drive

C. A bitstream image of a source device written to the corresponding sectors of a secondary hard drive

D. A bitstream image of a source device written to a file or several file segments

2. How does EnCase verify the contents of an evidence file, using the default settings?

A. EnCase writes an MD5 and/or SHA-1 hash value for every 32 sectors copied.

B. EnCase writes an MD5 and/or SHA-1 value for every 64 sectors copied.

C. EnCase writes a CRC value for every 32 sectors copied.

D. EnCase writes a CRC value ...

Get EnCE EnCase Computer Forensics: The Official EnCase Certified Examiner Study Guide, 3rd Edition now with the O’Reilly learning platform.

O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.

Start your free trial