AccessData Certified Examiner

http://www.Prepking.com

AccessData A30-327

AccessData Certified Examiner

60 Q&A

Version : A9.0

http://www.prepking.com/�


Prepking - King of Computer Certification Important Information, Please Read Carefully Other Prepking products A) Offline Testing engine Use the offline Testing engine product to practice the questions in an exam environment. B) Study Guide (not available for all exams) Build a foundation of knowledge which will be useful also after passing the exam. Latest Version We are constantly reviewing our products. New material is added and old material is updated. Free updates are available for 90 days after the purchase. You should check your member zone at Prepking and update 3-4 days before the scheduled exam date. Here is the procedure to get the latest version: 1.Go towww.Prepking.com 2.Click on Member zone/Log in (right side) 3. Then click My Account 4.The latest versions of all purchased products are downloadable from here. Just click the links. For most updates,it is enough just to print the new questions at the end of the new version, not the whole document. Feedback If you spot a possible improvement then please let us know. We always interested in improving product quality. Feedback should be send to [email protected]. You should include the following: Exam number, version, page number, question number, and your login ID. Our experts will answer your mail promptly. Copyright Each PDF file contains a unique serial number associated with your particular name and contact information for security purposes. So if we find out that a particular PDF file is being distributed by you, Prepking reserves the right to take legal action against you according to the International Copyright Laws. Explanations This product does not include explanations at the moment. If you are interested in providing explanations for this exam, please contact [email protected].


mailto:[email protected]�


1. Which three items are displayed in FTK Imager for an individual file in the Properties window? (Choose

three.)

A.flags

B.filename

C.hash set

D.timestamps

E.item number

Answer: ABD

2. In FTK, which search broadening option allows you to find grammatical variations of the word "kill" such

as "killer," "killed," and "killing"?

A.Phonic

B.Synonym

C.Stemming

D.Fuzzy Logic

Answer: C

3. When using FTK Imager to preview a physical drive, which number is assigned to the first logical

volume

of an extended partition?

A.2

B.3

C.4

D.5

Answer: D

4. When previewing a physical drive on a local machine with FTK Imager, which statement is true?

A.FTK Imager can block calls to interrupt 13h and prevent writes to suspect media.

B.FTK Imager can operate from a USB drive, thus preventing writes to suspect media.

C.FTK Imager can operate via a DOS boot disk, thus preventing writes to suspect media.

D.FTK Imager should always be used in conjunction with a hardware write protect device to prevent

writes

to suspect media.

Answer: D

5. Which type of evidence can be added to FTK Imager?

A.individual files

B.all checked items

C.contents of a folder

D.all currently listed items

Answer: C



6. To obtain protected files on a live machine with FTK Imager, which evidence item should be added?

A.image file

B.currently booted drive

C.server object settings

D.profile access control list

Answer: B

7. What are three image file formats that can be read by FTK Imager? (Choose three.)

A.E01 files

B.raw (dd) image files

C.SafeBack version 2.2 image files

D.SafeBack version 3.0 image files

E.Symantec Ghost compressed image files

Answer: ABC

8. Which statement is true about using FTK Imager to simultaneously create multiple images of a single

source?

A.In the Image Creation Wizard, you should select the Add Additional Drives option.

B.You should use the Create Multiple Images option to create server image objects.

C.You should note the evidence item source signature and add it to the Image View pane.

D.In the Image Creation Wizard, you should add multiple destination jobs from the same source prior to

beginning image creation.

Answer: D

9. FTK Imager allows a user to convert a Raw (dd) image into which two formats? (Choose two.)

A.E01

B.Ghost

C.SMART

D.SafeBack

Answer: AC

10. You are converting one image file format to another using FTK Imager.

Why are the hash values of the original image and the resulting new image the same?

A.because FTK Imager's progress bar tracks the conversion

B.because FTK Imager verifies the amount of data converted

C.because FTK Imager compares the elapsed time of conversion

D.because FTK Imager hashes only the data during the conversion

Answer: D

11. How can you use FTK Imager to obtain registry files from a live system?

A.You use the Export Files option.

B.You use the Advanced Recovery option.



C.Registry files cannot be exported from a live system.

D.You use the Protected Storage System Provider option.

Answer: A

12. Which statement is true about using FTK Imager to export a folder and its subfolders?

A.Exporting a folder will copy all its subfolders.

B.Each subfolder must be exported individually.

C.Exporting a folder copies only the folder without any files.

D.Exporting a folder will copy all subfolders without the system attribute.

Answer: A

13. You used FTK Imager to create several hash list files. You view the location where the files were

exported.

What is the file extension type for these files?

A..txt = ASCII Text File

B..dif = Data Interchange Format

C..prn = Formatted Text Delimited

D..csv = Comma Separated Values

Answer: D

14. You create two evidence images from the suspect's drive: suspect.E01 and suspect.001. You want to

be able to verify that the image hash values are the same for suspect.E01 and suspect.001 image files.

Which file has the hash value for the Raw (dd) image?

A.suspect.001.txt

B.suspect.E01.txt

C.suspect.001.csv

D.suspect.E01.csv

Answer: A

15. You successfully export and create a file hash list while using FTK Imager.

Which three pieces of information are included in this file? (Choose three.)

A.MD5

B.SHA1

C.filename

D.record date

E.date modified

Answer: ABC

16. During the execution of a search warrant, you image a suspect drive using FTK Imager and store the

Raw(dd) image files on a portable drive. Later, these files are transferred to a server for storage.

How do you verify that the information stored on the server is unaltered?

A.open and view the Summary file



B.load the image into FTK and it automatically performs file verification

C.in FTK Imager, use the Verify Drive/Image function to automatically compare a calculated hash with a

stored hash

D.use FTK Imager to create a verification hash and manually compare that value to the value stored in

the

Summary file

Answer: D

17. Which three items are contained in an Image Summary File using FTK Imager? (Choose three.)

A.MD5

B.CRC

C.SHA1

D.Sector Count

E.Cluster Count

Answer: ACD

18. Which two image formats contain an embedded hash value for file verification? (Choose two.)

A.E01

B.S01

C.ISO

D.CUE

E.001 (dd)

Answer: AB

19. While analyzing unallocated space, you locate what appears to be a 64-bit Windows date and time.

Which FTK Imager feature allows you display the information as a date and time?

A.INFO2 Filter

B.Base Converter

C.Metadata Parser

D.Hex Value Interpreter

Answer: D

20. In which Overview tab container are HTML files classified?

A.Archive container

B.Java Code container

C.Documents container

D.Internet Files container

Answer: C

21. When adding data to FTK, which statement about DriveFreeSpace is true?

A.DriveFreeSpace is merged with deleted files.

B.DriveFreeSpace is segmented into 10 megabyte items.



C.DriveFreeSpace is truncated, based on the size of the case.dat file.

D.DriveFreeSpace is classified with file slack items in the Overview tab.

Answer: D

22. You are using FTK to process e-mail files.

In which two areas can E-mail attachments be located? (Choose two.)

A.the E-mail tab

B.the From E-mail container in the Overview tab

C.the Evidence Items container in the Overview tab

D.the E-mail Messages container in the Overview tab

Answer: AB

23. In FTK, which tab provides specific information on the evidence items, file items, file status and file

category?

A.E-mail tab

B.Explore tab

C.Overview tab

D.Graphics tab

Answer: C

24. In FTK, you navigate to the Graphics tab at the Case level and you do not see any graphics.

What should you do to see all graphics in the case?

A.list all descendants

B.run the graphic files filter

C.check all items in the current list

D.select the Graphics container button

Answer: A

25. In FTK, which two formats can be used to export an E-mail message? (Choose two.)

A.raw format

B.XML format

C.PDF format

D.HTML format

E.binary format

Answer: AD

26. In FTK, when you view the Total File Items container (rather than the Actual Files container), why are

there more items than files?

A.Total File Items includes files that are in archive files, while Actual Files does not.

B.Total File Items includes all unfiltered files while Actual Files includes only checked files.

C.Total File Items includes all KFF Ignorables while Actual Files includes only the KFF Alerts.

D.Total File Items includes files that are in the Graphics and E-Mail tabs, while Actual Files only includes



files in the Graphics tab while excluding attachments in the E-mail tab.

Answer: A

27. Which statement is true about Processes to Perform in FTK?

A.Processing options can be chosen only when adding evidence.

B.Processing options can be chosen during or after adding evidence.

C.Processing options can be chosen only after evidence has been added.

D.If processing is not performed while adding evidence, the case must be started again.

Answer: B

28. What are three types of evidence that can be added to a case in FTK? (Choose three.)

A.local drive

B.registry MRU list

C.contents of a folder

D.acquired image of a drive

E.compressed volume files (CVFs)

Answer: ACD

29. You want to search for two words within five words of each other.

Which search request would accomplish this function?

A.apple by pear w/5

B.June near July w/5

C.supernova w/5 cassiopeia

D.supernova by cassiopeia w/5

Answer: C

30. Click the Exhibit button.

Pass Your Exam at First Attempt with 100% Pass Guarantee

Buy Full Version of A30-327 Exam at

http://www.prepking.com/A30-327.htm


http://www.prepking.com/A30-327.htm�

AccessData Certified Examiner

Documents

Transcript of AccessData Certified Examiner