Wednesday, 12 March 2014

Third part of the collection of questions for the A30-327 AccessData Certified Examiner (ACE) certification, covering the tools FTK, FTK Imager, PRTK and Registry Viewer.

I will say again that reading the manuals is very important:

FTK manual: http://marketing.accessdata.com/acton/attachment/4390/f-0643/1/-/-/-/-/FTK_UG.pdf
FTK Imager manual: http://marketing.accessdata.com/acton/attachment/4390/f-000d/1/-/-/-/-/file.pdf
PRTK manual: http://marketing.accessdata.com/acton/attachment/4390/f-0653/1/-/-/-/-/PRTK_DNA%20User%20Guide.pdf
Registry Viewer manual: http://marketing.accessdata.com/acton/attachment/4390/f-0672/1/-/-/-/-/RegistryViewer_UG.pdf

Here are 10 more theory questions:

Q. Which of the following is NOT part of a PRTK attack profile?
a. Concatenation Matrix
b. Dictionaries
c. Character Groups
d. Rules

Q. What type of information is provided via the Help > Recovery Modules menu option in PRTK?
a. Attack Types
b. Estimated Recovery Time
c. Bit Strength
d. Difficulty Level

Q. In PRTK, which type of attack uses word lists?
a. keyspace attack
b. hash table attack
c. dictionary attack
d. brute-force attack

Q. What is the purpose of the PRTK Golden Dictionary?
a. maintains a list of the 100 most likely passwords
b. maintains previously created level information
c. maintains previously created profile information
d. maintains previously recovered passwords

Q. Which statement is true?
a. PRTK must run in conjunction with DNA workers to decrypt EFS files
b. PRTK and FTK must be installed on the same machine to decrypt EFS files
c. EFS files must be exported from a case and provided to PRTK for decryption
d. PRTK can recover Windows logon passwords

Q. Which statement is true concerning custom filters in FTK?
a. A custom filter can only be used in the case in which it was created.
b. A custom filter can be used in another case by copying it to the shared area in FTK
c. Only a Case Reviewer can copy a custom filter to the shared area in FTK
d. Only custom Column Settings can be copied to the shared area in FTK

Q. Which statement is true concerning Indexed Searching in FTK?
a. Indexed searches can only be restricted by checked files
b. Indexed searches can be restricted by checked files or a filter
c. Indexed searches cannot be restricted
d. Indexed searches can only be restricted by a filter

Q. Which processing option must be executed to view the child subitems of a *.zip file?
a. dtSearch Indexing
b. Expand Compound Files
c. Visualization
d. Entropy Test

Q. An FTK User assigned Case Reviewer status has what restriction?
a. Cannot bookmark files
b. Cannot log into a database
c. Cannot perform Indexed Searching
d. Cannot view files flagged as Privileged

Q. Which statement is true about Evidence Processing in FTK?
a. All Evidence Processing options available during case creation are also available after case creation
b. A Processing Profile can be used when adding evidence to an existing case
c. Processing options can be chosen only when adding evidence
d. Processing options can be chosen during or after adding evidence

Part 1: http://e-forense.blogspot.com/2014/03/a30-327-ftk-accessdata-certified.HTML
Part 2: http://e-forense.blogspot.com/2014/03/a30-327-ftk-accessdata-certified_11.HTML
Part 4: http://e-forense.blogspot.com/2014/03/a30-327-ftk-accessdata-certified_13.html
Part 5: http://e-forense.blogspot.com/2014/03/a30-327-ftk-accessdata-certified_14.HTML
Part 6: http://e-forense.blogspot.com/2014/03/a30-327-ftk-accessdata-certified_28.HTML
Part 7: http://e-forense.blogspot.com/2014/03/a30-327-ftk-accessdata-certified_6649.HTML
Part 8: http://e-forense.blogspot.com/2014/03/q.HTML
Part 9: http://e-forense.blogspot.com/2014/03/a30-327-ftk-accessdata-certified_31.HTML
Part 10: http://e-forense.blogspot.com/2014/04/a30-327-ftk-accessdata-certified.HTML
Part 11: http://e-forense.blogspot.com/2014/04/a30-327-ftk-accessdata-certified_3.html
