NEW QUESTION 1
A. highlight the data and select the Hex Value Interpreter tab

• A. highlight the data, right-click on the highlighted data and select the Show Hex Interpreter Window
• B. select the Hex Value Interpreter tab, highlight the data, right-click on the data to initiate theHex Interpreter
• C. right-click on the data area and select the Show Hex Interpreter Window and highlight thedata you want to interpret

Answer: B

NEW QUESTION 2
Which pattern does the following regular expression recover?
(d{4}[- ]){3}d{4}

• A. 000-000-0000
• B. ddd-4-3-dddd-4-3
• C. 000-00000-000-ABC
• D. 0000-0000-0000-0000

Answer: D

NEW QUESTION 3
After creating a case, the Encrypted Files container lists EFS files. However, no decrypted
sub- items are present. All other necessary components for EFS decryption are present in the case. Which two files must be used to recover the EFS password for use in FTK? (Choose two.)

• A. SAM
• B. system
• C. SECURITY
• D. Master Key
• E. FEK Certificate

Answer: AB

NEW QUESTION 4
Which data in the Registry can the Registry Viewer translate for the user? (Choose three.)

• A. calculate MD5 hashes of individual keys
• B. translate the MRUs in chronological order
• C. present data stored in null terminated keys
• D. present the date and time of each typed URL
• E. View Protected Storage System Provider (PSSP) data

Answer: BCE

NEW QUESTION 5
In FTK, which two formats can be used to export an E-mail message? (Choose two.)

• A. raw format
• B. XML format
• C. PDF format
• D. HTML format
• E. binary format

Answer: AD

NEW QUESTION 6
Using the FTK Report Wizard, which two options are available in the List by File Path window? (Choose two.)

• A. List File Properties
• B. Export to the Report
• C. Apply a Filter to the List
• D. Include Registry Viewer Reports

Answer: BC

NEW QUESTION 7
You want to search for two words within five words of each other. Which search request would accomplish this function?

• A. apple by pear w/5
• B. June near July w/5
• C. supernova w/5 cassiopeia
• D. supernova by cassiopeia w/5

Answer: C

NEW QUESTION 8
What is the purpose of the Golden Dictionary?

• A. maintains previously created level information
• B. maintains previously created profile information
• C. maintains a list of the 100 most likely passwords
• D. maintains previously recovered passwords

Answer: D

NEW QUESTION 9
During the execution of a search warrant, you image a suspect drive using FTK Imager and store the Raw(dd) image files on a portable drive. Later, these files are transferred to a server for storage. How do you verify that the information stored on the server is unaltered?

• A. open and view the Summary file
• B. load the image into FTK and it automatically performs file verification
• C. in FTK Imager, use the Verify Drive/Image function to automatically compare a calculatedhash with a stored hash
• D. use FTK Imager to create a verification hash and manually compare that value to the valuestored in the Summary file

Answer: D

NEW QUESTION 10
Which statement is true about using FTK Imager to simultaneously create multiple images of a single source?

• A. In the Image Creation Wizard, you should select the Add Additional Drives option.
• B. You should use the Create Multiple Images option to create server image objects.
• C. You should note the evidence item source signature and add it to the Image View pane.
• D. In the Image Creation Wizard, you should add multiple destination jobs from the same source prior To beginning image creation.

Answer: D

NEW QUESTION 11
In which Overview tab container are HTML files classified?

• A. Archive container
• B. Java Code container
• C. Documents container
• D. Internet Files container

Answer: C

NEW QUESTION 12
In FTK, you navigate to the Graphics tab at the Case level and you do not see any graphics. What should you do to see all graphics in the case?

• A. list all descendants
• B. run the graphic files filter
• C. check all items in the current list
• D. select the Graphics container button

Answer: A

NEW QUESTION 13
Which two Registry Viewer operations can be conducted from FTK? (Choose two.)

• A. list SAM file account names in FTK
• B. view all registry files from within FTK
• C. create subitems of individual keys for FTK
• D. export a registry report to the FTK case report

Answer: BD

NEW QUESTION 14
Which Registry Viewer function would allow you to automatically document multiple unknown user names?

• A. Add to Report
• B. Export User List
• C. Add to Report with Children
• D. Summary Report with Wildcard

Answer: D

NEW QUESTION 15
You are using FTK to process e-mail files. In which two areas can E-mail attachments be located? (Choose two.)

• A. the E-mail tab
• B. the From E-mail container in the Overview tab
• C. the Evidence Items container in the Overview tab
• D. the E-mail Messages container in the Overview tab

Answer: AB

NEW QUESTION 16
When using PRTK to attack encrypted files exported from a case, which statement is true?

• A. PRTK will request the user access control list from FTK.
• B. PRTK will generate temporary copies of decrypted files for printing.
• C. FTK will stop all active jobs to allow PRTK to decrypt the exported files.
• D. File hash values will change when they are saved in their decrypted format.
• E. Additional interoperability between PRTK and NTAccess becomes available when files begin decrypting.

Answer: D

NEW QUESTION 17
FTK Imager can be invoked from within which program?

• A. FTK
• B. DNA
• C. PRTK
• D. Registry Viewer

Answer: A

NEW QUESTION 18
Click the Exhibit button.
When decrypting EFS files in a case, you receive the result shown in the exhibit. What is the most plausible explanation for this result?

• A. The encrypted file was corrupt.
• B. A different user encrypted the remaining encrypted file.
• C. The hash value of the remaining encrypted file did not match.
• D. The remaining encrypted file had previously been bookmarked.
• E. An incorrect CRC value for the $EFS certificate was applied by the user.

Answer: B

NEW QUESTION 19
Which three items are displayed in FTK Imager for an individual file in the Properties
window? (Choose three.)

• A. flags
• B. filename
• C. hash set
• D. timestamps
• E. item number

Answer: ABD

NEW QUESTION 20
Which type of evidence can be added to FTK Imager?

• A. individual files
• B. all checked items
• C. contents of a folder
• D. all currently listed items

Answer: C

NEW QUESTION 21
......