
A30-327 Exam

Downloadable A30-327 Free Samples 2021





Free A30-327 Demo Online For AccessData Certification:

NEW QUESTION 1
When adding data to FTK, which statement about DriveFreeSpace is true?

  • A. Mastered
  • B. Not Mastered

Answer: A

NEW QUESTION 2
Which data in the Registry can the Registry Viewer translate for the user? (Choose three.)

  • A. calculate MD5 hashes of individual keys
  • B. translate the MRUs in chronological order
  • C. present data stored in null terminated keys
  • D. present the date and time of each typed URL
  • E. view Protected Storage System Provider (PSSP) data

Answer: BCE

NEW QUESTION 3
In FTK, which tab provides specific information on the evidence items, file items, file status and file category?

  • A. E-mail tab
  • B. Explore tab
  • C. Overview tab
  • D. Graphics tab

Answer: C

NEW QUESTION 4
While analyzing unallocated space, you locate what appears to be a 64-bit Windows date and time. Which FTK Imager feature allows you to display the information as a date and time?

  • A. INFO2 Filter
  • B. Base Converter
  • C. Metadata Parser
  • D. Hex Value Interpreter

Answer: D

NEW QUESTION 5
Which type of evidence can be added to FTK Imager?

  • A. individual files
  • B. all checked items
  • C. contents of a folder
  • D. all currently listed items

Answer: C

NEW QUESTION 6
You are attempting to access data from the Protected Storage System Provider (PSSP) area of a registry. How do you accomplish this using PRTK?

  • A. You drop the SAM file onto the PRTK interface.
  • B. You drop the NTUSER.dat file onto the PRTK interface.
  • C. You use the PSSP Attack Marshal from Registry Viewer.
  • D. This area cannot be accessed with PRTK as it is a registry file.

Answer: B

NEW QUESTION 7
What are two functions of the Summary Report in Registry Viewer? (Choose two.)

  • A. Mastered
  • B. Not Mastered

Answer: A

NEW QUESTION 8
Which three items are contained in an Image Summary File using FTK Imager? (Choose three.)

  • A. MD5
  • B. CRC
  • C. SHA1
  • D. Sector Count
  • E. Cluster Count

Answer: ACD

NEW QUESTION 9
Which two Registry Viewer operations can be conducted from FTK? (Choose two.)

  • A. list SAM file account names in FTK
  • B. view all registry files from within FTK
  • C. create subitems of individual keys for FTK
  • D. export a registry report to the FTK case report

Answer: BD

NEW QUESTION 10
In FTK, a user may alter the alert or ignore status of individual hash sets within the active KFF. Which utility is used to accomplish this?

  • A. KFF Alert Editor
  • B. ADKFF Library Selector
  • C. Hash Database File Selector
  • D. Hash Database Recovery Engine

Answer: A

NEW QUESTION 11
Which pattern does the following regular expression recover?
(\d{4}[- ]){3}\d{4}

  • A. 000-000-0000
  • B. ddd-4-3-dddd-4-3
  • C. 000-00000-000-ABC
  • D. 0000-0000-0000-0000

Answer: D

NEW QUESTION 12
Which statement is true about using FTK Imager to simultaneously create multiple images of a single source?

  • A. In the Image Creation Wizard, you should select the Add Additional Drives option.
  • B. You should use the Create Multiple Images option to create server image objects.
  • C. You should note the evidence item source signature and add it to the Image View pane.
  • D. In the Image Creation Wizard, you should add multiple destination jobs from the same source prior to beginning image creation.

Answer: D

NEW QUESTION 13
How can you use FTK Imager to obtain registry files from a live system?

  • A. You use the Export Files option.
  • B. You use the Advanced Recovery option.
  • C. Registry files cannot be exported from a live system.
  • D. You use the Protected Storage System Provider option.

Answer: A

NEW QUESTION 14
You are using FTK to process e-mail files. In which two areas can e-mail attachments be located? (Choose two.)

  • A. the E-mail tab
  • B. the From E-mail container in the Overview tab
  • C. the Evidence Items container in the Overview tab
  • D. the E-mail Messages container in the Overview tab

Answer: AB

NEW QUESTION 15
When previewing a physical drive on a local machine with FTK Imager, which statement is true?

  • A. FTK Imager can block calls to interrupt 13h and prevent writes to suspect media.
  • B. FTK Imager can operate from a USB drive, thus preventing writes to suspect media.
  • C. FTK Imager can operate via a DOS boot disk, thus preventing writes to suspect media.
  • D. FTK Imager should always be used in conjunction with a hardware write protect device to prevent writes to suspect media.

Answer: D

NEW QUESTION 16
You view a registry file in Registry Viewer. You want to create a report, which includes items that you have marked "Add to Report." Which Registry Viewer option accomplishes this task?

  • A. Common Areas
  • B. Generate Report
  • C. Define Summary Report
  • D. Manage Summary Reports

Answer: B

NEW QUESTION 17
You examine evidence and flag several graphic images found in different folders. You now want to bookmark these items into a single bookmark. Which tab in FTK do you use to view only the flagged thumbnails?

  • A. Explore tab
  • B. Graphics tab
  • C. Overview tab
  • D. Bookmark tab

Answer: C

NEW QUESTION 18
Which Registry Viewer function would allow you to automatically document multiple unknown user names?

  • A. Add to Report
  • B. Export User List
  • C. Add to Report with Children
  • D. Summary Report with Wildcard

Answer: D

NEW QUESTION 19
Into which two categories can an imported hash set be assigned? (Choose two.)

  • A. alert
  • B. ignore
  • C. contraband
  • D. system files

Answer: AB

NEW QUESTION 20
FTK Imager can be invoked from within which program?

  • A. FTK
  • B. DNA
  • C. PRTK
  • D. Registry Viewer

Answer: A

NEW QUESTION 21
You have processed a case in FTK using all the default options. The investigator supplies you with a list of 400 names in an electronic format. What is the quickest way to search unallocated space for all of these names?

  • A. build a dtSearch string with all 400 names
  • B. create a Regular Expression with all the names
  • C. make an imported text file of the names in Live Search
  • D. use an imported text file containing the names in Indexed Search

Answer: D

NEW QUESTION 22
Which two statements are true? (Choose two.)

  • A. PRTK can recover Windows logon passwords.
  • B. PRTK must run in conjunction with DNA workers to decrypt EFS files.
  • C. PRTK and FTK must be installed on the same machine to decrypt EFS files.
  • D. EFS files must be exported from a case and provided to PRTK for decryption.

Answer: AC

NEW QUESTION 23
You currently store alternate hash libraries on a remote server. Where do you configure FTK to access these files rather than the default library, ADKFFLibrary.hdb?

  • A. Preferences
  • B. User Options
  • C. Analysis Tools
  • D. Import KFF Hashes

Answer: A
