AccessData A30-327

AccessData Certified Examiner


Version: 1.0
QUESTION NO: 1

Which three items are displayed in FTK Imager for an individual file in the Properties window? (Choose three.)

A. flags
B. filename
C. hash set
D. timestamps
E. item number

Answer: A,B,D


QUESTION NO: 2

In FTK, which search broadening option allows you to find grammatical variations of the word "kill"
such as "killer," "killed," and "killing"?

A. Phonic
B. Synonym
C. Stemming
D. Fuzzy Logic

Answer: C


QUESTION NO: 3

When using FTK Imager to preview a physical drive, which number is assigned to the first logical
volume of an extended partition?

A. 2
B. 3
C. 4
D. 5

Answer: D


QUESTION NO: 4

When previewing a physical drive on a local machine with FTK Imager, which statement is true?

A. FTK Imager can block calls to interrupt 13h and prevent writes to suspect media.
B. FTK Imager can operate from a USB drive, thus preventing writes to suspect media.
C. FTK Imager can operate via a DOS boot disk, thus preventing writes to suspect media.
D. FTK Imager should always be used in conjunction with a hardware write protect device to prevent writes to suspect media.

Answer: D

AccessData A30-327 Exam
"Pass Any Exam. Any Time." - www.actualtests.com 2


QUESTION NO: 5

Which type of evidence can be added to FTK Imager?

A. individual files
B. all checked items
C. contents of a folder
D. all currently listed items

Answer: C


QUESTION NO: 6

To obtain protected files on a live machine with FTK Imager, which evidence item should be
added?

A. image file
B. currently booted drive
C. server object settings
D. profile access control list

Answer: B


QUESTION NO: 7

What are three image file formats that can be read by FTK Imager? (Choose three.)


A. E01 files
B. raw (dd) image files
C. SafeBack version 2.2 image files
D. SafeBack version 3.0 image files
E. Symantec Ghost compressed image files

Answer: A,B,C


QUESTION NO: 8

Which statement is true about using FTK Imager to simultaneously create multiple images of a
single source?

A. In the Image Creation Wizard, you should select the Add Additional Drives option.
B. You should use the Create Multiple Images option to create server image objects.
C. You should note the evidence item source signature and add it to the Image View pane.
D. In the Image Creation Wizard, you should add multiple destination jobs from the same source prior to beginning image creation.

Answer: D


QUESTION NO: 9

FTK Imager allows a user to convert a Raw (dd) image into which two formats? (Choose two.)

A. E01
B. Ghost
C. SMART
D. SafeBack

Answer: A,C


QUESTION NO: 10

You are converting one image file format to another using FTK Imager. Why are the hash values of the original image and the resulting new image the same?


A. because FTK Imager's progress bar tracks the conversion
B. because FTK Imager verifies the amount of data converted
C. because FTK Imager compares the elapsed time of conversion
D. because FTK Imager hashes only the data during the conversion

Answer: D


QUESTION NO: 11

How can you use FTK Imager to obtain registry files from a live system?

A. You use the Export Files option.
B. You use the Advanced Recovery option.
C. Registry files cannot be exported from a live system.
D. You use the Protected Storage System Provider option.

Answer: A


QUESTION NO: 12

Which statement is true about using FTK Imager to export a folder and its subfolders?

A. Exporting a folder will copy all its subfolders.
B. Each subfolder must be exported individually.
C. Exporting a folder copies only the folder without any files.
D. Exporting a folder will copy all subfolders without the system attribute.

Answer: A


QUESTION NO: 13

You used FTK Imager to create several hash list files. You view the location where the files were exported. What is the file extension type for these files?

A. .txt = ASCII Text File
B. .dif = Data Interchange Format
C. .prn = Formatted Text Delimited
D. .csv = Comma Separated Values

Answer: D


QUESTION NO: 14

You create two evidence images from the suspect's drive: suspect.E01 and suspect.001. You want to be able to verify that the image hash values are the same for the suspect.E01 and suspect.001 image files. Which file has the hash value for the Raw (dd) image?

A. suspect.001.txt
B. suspect.E01.txt
C. suspect.001.csv
D. suspect.E01.csv

Answer: A


QUESTION NO: 15

You successfully export and create a file hash list while using FTK Imager. Which three pieces of information are included in this file? (Choose three.)

A. MD5
B. SHA1
C. filename
D. record date
E. date modified

Answer: A,B,C


QUESTION NO: 16

During the execution of a search warrant, you image a suspect drive using FTK Imager and store
the Raw (dd) image files on a portable drive. Later, these files are transferred to a server for
storage. How do you verify that the information stored on the server is unaltered?


A. open and view the Summary file
B. load the image into FTK and it automatically performs file verification
C. in FTK Imager, use the Verify Drive/Image function to automatically compare a calculated hash with a stored hash
D. use FTK Imager to create a verification hash and manually compare that value to the value stored in the Summary file

Answer: D


QUESTION NO: 17

Which three items are contained in an Image Summary File using FTK Imager? (Choose three.)

A. MD5
B. CRC
C. SHA1
D. Sector Count
E. Cluster Count

Answer: A,C,D


QUESTION NO: 18

Which two image formats contain an embedded hash value for file verification? (Choose two.)

A. E01
B. S01
C. ISO
D. CUE
E. 001 (dd)

Answer: A,B


QUESTION NO: 19

While analyzing unallocated space, you locate what appears to be a 64-bit Windows date and time. Which FTK Imager feature allows you to display the information as a date and time?


A. INFO2 Filter
B. Base Converter
C. Metadata Parser
D. Hex Value Interpreter

Answer: D


QUESTION NO: 20

In which Overview tab container are HTML files classified?

A. Archive container
B. Java Code container
C. Documents container
D. Internet Files container

Answer: C


QUESTION NO: 21

When adding data to FTK, which statement about DriveFreeSpace is true?

A. DriveFreeSpace is merged with deleted files.
B. DriveFreeSpace is segmented into 10 megabyte items.
C. DriveFreeSpace is truncated, based on the size of the case.dat file.
D. DriveFreeSpace is classified with file slack items in the Overview tab.

Answer: D


QUESTION NO: 22

You are using FTK to process e-mail files. In which two areas can e-mail attachments be located? (Choose two.)

A. the E-mail tab
B. the From E-mail container in the Overview tab
C. the Evidence Items container in the Overview tab
D. the E-mail Messages container in the Overview tab

Answer: A,B


QUESTION NO: 23

In FTK, which tab provides specific information on the evidence items, file items, file status and file
category?

A. E-mail tab
B. Explore tab
C. Overview tab
D. Graphics tab

Answer: C


QUESTION NO: 24

In FTK, you navigate to the Graphics tab at the Case level and you do not see any graphics. What
should you do to see all graphics in the case?

A. list all descendants
B. run the graphic files filter
C. check all items in the current list
D. select the Graphics container button

Answer: A


QUESTION NO: 25

In FTK, which two formats can be used to export an E-mail message? (Choose two.)

A. raw format
B. XML format
C. PDF format
D. HTML format
E. binary format

Answer: A,D


QUESTION NO: 26

In FTK, when you view the Total File Items container (rather than the Actual Files container), why
are there more items than files?

A. Total File Items includes files that are in archive files, while Actual Files does not.
B. Total File Items includes all unfiltered files while Actual Files includes only checked files.
C. Total File Items includes all KFF Ignorables while Actual Files includes only the KFF
Alerts.
D. Total File Items includes files that are in the Graphics and E-Mail tabs, while Actual Files
only includes files in the Graphics tab while excluding attachments in the E-mail tab.

Answer: A


QUESTION NO: 27

Which statement is true about Processes to Perform in FTK?

A. Processing options can be chosen only when adding evidence.
B. Processing options can be chosen during or after adding evidence.
C. Processing options can be chosen only after evidence has been added.
D. If processing is not performed while adding evidence, the case must be started again.

Answer: B


QUESTION NO: 28

What are three types of evidence that can be added to a case in FTK? (Choose three.)

A. local drive
B. registry MRU list
C. contents of a folder
D. acquired image of a drive
E. compressed volume files (CVFs)

Answer: A,C,D


QUESTION NO: 29

You want to search for two words within five words of each other. Which search request would accomplish this function?

A. apple by pear w/5
B. June near July w/5
C. supernova w/5 cassiopeia
D. supernova by cassiopeia w/5

Answer: C


QUESTION NO: 30

Click the Exhibit button.
You need to search for specific data that are located in a Microsoft Word document. You do not know the exact spelling of this data. Using the Index Search Options as displayed in the exhibit, which changes do you make in the Broadening Options and Search Limiting Options containers?

A. check the Fuzzy box;
check the File Name Pattern box;
type *.doc in the pattern container
B. check the Stemming box;
check the File Name Pattern box;
type *.doc in the pattern container
C. check the Synonym box;
check the File Name Pattern box;
type *.doc in the pattern container
D. check the Stemming box;
check the File Name Pattern box;
type %.doc in the pattern container

Answer: A


QUESTION NO: 31

You have processed a case in FTK using all the default options. The investigator supplies you with a list of 400 names in an electronic format. What is the quickest way to search unallocated space for all of these names?

A. build a dtSearch string with all 400 names
B. create a Regular Expression with all the names
C. make an imported text file of the names in Live Search
D. use an imported text file containing the names in Indexed Search
Answer: D


QUESTION NO: 32

Which pattern does the following regular expression recover?

(\d{4}[\- ]){3}\d{4}

A. 000-000-0000
B. ddd-4-3-dddd-4-3
C. 000-00000-000-ABC
D. 0000-0000-0000-0000

Answer: D


QUESTION NO: 33

You examine evidence and flag several graphic images found in different folders. You now want to
bookmark these items into a single bookmark. Which tab in FTK do you use to view only the
flagged thumbnails?

A. Explore tab
B. Graphics tab
C. Overview tab
D. Bookmark tab

Answer: C


QUESTION NO: 34

Click the Exhibit button.
What change do you make to the file filter shown in the exhibit in order to show only graphics with
a logical size between 500 kilobytes and 10 megabytes?

A. You change all file status items to a red circle.
B. You change all file status items to a yellow triangle.
C. You make no change. The filter is correct as shown.
D. You change Graphics in the File Type column to a yellow triangle.

Answer: D

QUESTION NO: 35

FTK uses Data Carving to find which three file types? (Choose three.)

A. JPEG files
B. Yahoo! Chat Archives
C. WPD (Word Perfect Documents)
D. Enhanced Windows Meta Files (EMF)
E. OLE Archive Files (Office Documents)

Answer: A,D,E


QUESTION NO: 36

You are asked to process a case using FTK and to produce a report that only includes selected
graphics. What allows you to display only flagged graphics?

A. List by File Path
B. List File Properties
C. Graphic Thumbnails
D. Supplementary Files

Answer: C


QUESTION NO: 37


Which two options are available in the FTK Report Wizard? (Choose two.)

A. List by File Path
B. List File Properties
C. Include HTML File Listing
D. Include PRTK Output List

Answer: A,B


QUESTION NO: 38

Using the FTK Report Wizard, which two options are available in the List by File Path window? (Choose two.)

A. List File Properties
B. Export to the Report
C. Apply a Filter to the List
D. Include Registry Viewer Reports

Answer: B,C


QUESTION NO: 39

Using the FTK Report Wizard, which two options are available in the Bookmarks - A window? (Choose two.)

A. Apply a filter to the list
B. Group all filenames at end of report
C. Yes, include all graphics in the case
D. No, do not include a bookmark section
E. Export full-size graphics and link them to the thumbnails

Answer: D,E


QUESTION NO: 40

In Registry Viewer, which steps initiate the Hex Interpreter?


A. highlight the data and select the Hex Value Interpreter tab
B. highlight the data, right-click on the highlighted data and select the Show Hex Interpreter
Window
C. select the Hex Value Interpreter tab, highlight the data, right-click on the data to initiate the
Hex Interpreter
D. right-click on the data area and select the Show Hex Interpreter Window and highlight the
data you want to interpret

Answer: B


QUESTION NO: 41

Which data in the Registry can the Registry Viewer translate for the user? (Choose three.)

A. calculate MD5 hashes of individual keys
B. translate the MRUs in chronological order
C. present data stored in null terminated keys
D. present the date and time of each typed URL
E. View Protected Storage System Provider (PSSP) data

Answer: B,C,E


QUESTION NO: 42

What are two functions of the Summary Report in Registry Viewer? (Choose two.)

A. adds individual key values
B. is a template for other registry files
C. displays investigator keyword search results
D. permits searching of registry values based on key headers

Answer: A,B


QUESTION NO: 43

When using Registry Viewer to view a key with 20 values, what option can be used to display only
5 of the 20 values in a report?

A. Report
B. Special Reports
C. Summary Report
D. Add to Report With Children

Answer: C


QUESTION NO: 44

You view a registry file in Registry Viewer. You want to create a report, which includes items that
you have marked "Add to Report." Which Registry Viewer option accomplishes this task?

A. Common Areas
B. Generate Report
C. Define Summary Report
D. Manage Summary Reports

Answer: B


QUESTION NO: 45

Which Registry Viewer function would allow you to automatically document multiple unknown user names?

A. Add to Report
B. Export User List
C. Add to Report with Children
D. Summary Report with Wildcard

Answer: D


QUESTION NO: 46

In PRTK, which type of attack uses word lists?


A. dictionary attack
B. key space attack
C. brute-force attack
D. rainbow table attack

Answer: A


QUESTION NO: 47

What is the purpose of the Golden Dictionary?

A. maintains previously created level information
B. maintains previously created profile information
C. maintains a list of the 100 most likely passwords
D. maintains previously recovered passwords

Answer: D


QUESTION NO: 48

What is the most effective method to facilitate successful password recovery?

A. Art of War
B. Entropy Test
C. Advanced EFS Attack
D. Primary Dictionary Attack

Answer: A


QUESTION NO: 49

You are attempting to access data from the Protected Storage System Provider (PSSP) area of a registry. How do you accomplish this using PRTK?

A. You drop the SAM file onto the PRTK interface.
B. You drop the NTUSER.dat file onto the PRTK interface.
C. You use the PSSP Attack Marshal from Registry Viewer.
D. This area can not be accessed with PRTK as it is a registry file.

Answer: B


QUESTION NO: 50

When using PRTK to attack encrypted files exported from a case, which statement is true?

A. PRTK will request the user access control list from FTK.
B. PRTK will generate temporary copies of decrypted files for printing.
C. FTK will stop all active jobs to allow PRTK to decrypt the exported files.
D. File hash values will change when they are saved in their decrypted format.
E. Additional interoperability between PRTK and NTAccess becomes available when files
begin decrypting.

Answer: D


QUESTION NO: 51

In FTK, a user may alter the alert or ignore status of individual hash sets within the active KFF. Which utility is used to accomplish this?

A. KFF Alert Editor
B. ADKFF Library Selector
C. Hash Database File Selector
D. Hash Database Recovery Engine

Answer: A


QUESTION NO: 52

After creating a case, the Encrypted Files container lists EFS files. However, no decrypted sub-items are present. All other necessary components for EFS decryption are present in the case. Which two files must be used to recover the EFS password for use in FTK? (Choose two.)


A. SAM
B. system
C. SECURITY
D. Master Key
E. FEK Certificate

Answer: A,B


QUESTION NO: 53

Which two statements are true? (Choose two.)

A. PRTK can recover Windows logon passwords.
B. PRTK must run in conjunction with DNA workers to decrypt EFS files.
C. PRTK and FTK must be installed on the same machine to decrypt EFS files.
D. EFS files must be exported from a case and provided to PRTK for decryption.

Answer: A,C


QUESTION NO: 54

Click the Exhibit button.
When decrypting EFS files in a case, you receive the result shown in the exhibit. What is the most
plausible explanation for this result?

A. The encrypted file was corrupt.
B. A different user encrypted the remaining encrypted file.
C. The hash value of the remaining encrypted file did not match.
D. The remaining encrypted file had previously been bookmarked.
E. An incorrect CRC value for the $EFS certificate was applied by the user.

Answer: B


QUESTION NO: 55

Which two Registry Viewer operations can be conducted from FTK? (Choose two.)

A. list SAM file account names in FTK
B. view all registry files from within FTK
C. create subitems of individual keys for FTK
D. export a registry report to the FTK case report

Answer: B,D


QUESTION NO: 56

FTK Imager can be invoked from within which program?

A. FTK
B. DNA
C. PRTK
D. Registry Viewer

Answer: A


QUESTION NO: 57

Into which two categories can an imported hash set be assigned? (Choose two.)

A. alert
B. ignore
C. contraband
D. system files

Answer: A,B


QUESTION NO: 58

What happens when a duplicate hash value is imported into a KFF database?

A. It will not be accepted.
B. It will be marked as a duplicate.
C. The database will be corrupted.
D. The database will hide the duplicate.

Answer: A


QUESTION NO: 59

You currently store alternate hash libraries on a remote server. Where do you configure FTK to
access these files rather than the default library, ADKFFLibrary.hdb?

A. Preferences
B. User Options
C. Analysis Tools
D. Import KFF Hashes
Answer: A


QUESTION NO: 60

Which file should be selected to open an existing case in FTK?

A. ftk.exe
B. case.ini
C. case.dat
D. isobuster.dll

Answer: C