Guidance Software GD0-110 dumps - 100% Pass Guarantee!

EnCase is able to read and examine which of the following file systems?

A. HFS

B. FAT

C. NTFS

D. EXT3

You are working in a computer forensic lab. A law enforcement investigator brings you a computer and a valid search warrant. You have legal authority to search the computer. The investigator hands you a piece of paper that has three printed checks on it. All three checks have the same check and account number. You image the suspect computer and open the evidence file with EnCase. You checks have the same check and account number. You image the suspect computer and open the evidence file with EnCase. You perform a text search for the account number and check number. Nothing returns on the search results. You perform a text search for all other information found on the printed checks and there is still nothing returned in the search results. You run a signature analysis and check the gallery. You cannot locate any graphical copies of the printed checks in the gallery. At this point, is it safe to say that the checks are not located on the suspect computer? checks are not located on the suspect computer?

A. No. The images could be located a compressed file.

B. No. The images could be in unallocated clusters.

C. No. The images could be embedded in a document.

D. All of the above.

E. No. The images could be in an image format not viewable inside EnCase.

In Windows 98 and ME, Internet based e-mail, such as Hotmail, will most likely be recovered in the folder.

A. C:\Windows\Online\Applications\email

B. C:\Windows\Temp

C. C:\Windows\Temporary Internet files

D. C:\Windows\History\Email

You are investigating a case involving fraud. You seized a computer from a suspect who stated that the computer is not used by anyone other than himself. The computer has Windows 98 installed on the hard drive. You find the filename C:\downloads\check01.jpg that EnCase shows as being moved. The starting extent is 0C4057. You find another filename :\downloads\chk1.dll with the starting extent 0C4057, which EnCase also shows as being moved. In the C:\Windows\System folder you find an allocated file named chk1.dll with the starting extent 0C4057. The chk1.dll file is a JPEG image of a counterfeit check. What can be deduced from your findings?

A. The presence and location of the files is strong evidence the suspect committed the crime.

B. The presence and location of the files is not strong evidence the suspect committed the crime.

When a file is deleted in the FAT file system, what happens to the filename?

A. The first character of the directory entry is marked with a hex E5.

B. It is wiped from the directory.

C. It is zeroed out.

D. The first character of the directory entry is marked with a hex 00.