A30-327 : FTK AccessData Certified Examiner - ACE - A little help with the FTK certification questions - Part 9
Ninth part of the collection of questions for the A30-327 AccessData Certified Examiner (ACE) certification, covering FTK, FTK Imager, PRTK and Registry Viewer.
Once again, reading the manuals is very important:
FTK manual: http://marketing.accessdata.com/acton/attachment/4390/f-0643/1/-/-/-/-/FTK_UG.pdf
FTK Imager manual: http://marketing.accessdata.com/acton/attachment/4390/f-000d/1/-/-/-/-/file.pdf
PRTK manual: http://marketing.accessdata.com/acton/attachment/4390/f-0653/1/-/-/-/-/PRTK_DNA%20User%20Guide.pdf
Registry Viewer manual: http://marketing.accessdata.com/acton/attachment/4390/f-0672/1/-/-/-/-/RegistryViewer_UG.pdf
These questions were taken from an old dump available around the internet.
Q. You have processed a case in FTK using all the default options. The investigator supplies you with a list of 400 names in an electronic format. What is the quickest way to search unallocated space for all of these names?
A. build a dtSearch string with all 400 names
B. create a Regular Expression with all the names
C. make an imported text file of the names in Live Search
D. use an imported text file containing the names in Indexed Search
Answer: D
Q. Which pattern does the following regular expression recover? (\d{4}[\- ]){3}\d{4}
A. 000-000-0000
B. ddd-4-3-dddd-4-3
C. 000-00000-000-ABC
D. 0000-0000-0000-0000
Answer: D
Q. You examine evidence and flag several graphic images found in different folders. You now want to bookmark these items into a single bookmark. Which tab in FTK do you use to view only the flagged thumbnails?
A. Explore tab
B. Graphics tab
C. Overview tab
D. Bookmark tab
Answer: C
Q. What change do you make to the file filter shown in the exhibit in order to show only graphics with a logical size between 500 kilobytes and 10 megabytes?
A. You change all file status items to a red circle.
B. You change all file status items to a yellow triangle.
C. You make no change. The filter is correct as shown.
D. You change Graphics in the File Type column to a yellow triangle.
Answer: D
Q. FTK uses Data Carving to find which three file types? (Choose three.)
A. JPEG files
B. Yahoo! Chat Archives
C. WPD (Word Perfect Documents)
D. Enhanced Windows Meta Files (EMF)
E. OLE Archive Files (Office Documents)
Answer: A,D,E
Q. You are asked to process a case using FTK and to produce a report that only includes selected graphics. What allows you to display only flagged graphics?
A. List by File Path
B. List File Properties
C. Graphic Thumbnails
D. Supplementary Files
Answer: C
Q. Which two options are available in the FTK Report Wizard? (Choose two.)
A. List by File Path
B. List File Properties
C. Include HTML File Listing
D. Include PRTK Output List
Answer: A,B
Q. Using the FTK Report Wizard, which two options are available in the List by File Path window? (Choose two.)
A. List File Properties
B. Export to the Report
C. Apply a Filter to the List
D. Include Registry Viewer Reports
Answer: B,C
Q. Using the FTK Report Wizard, which two options are available in the Bookmarks - A window? (Choose two.)
A. Apply a filter to the list
B. Group all filenames at end of report
C. Yes, include all graphics in the case
D. No, do not include a bookmark section
E. Export full-size graphics and link them to the thumbnails
Answer: D,E
Q. In Registry Viewer, which steps initiate the Hex Interpreter?
A. highlight the data and select the Hex Value Interpreter tab
B. highlight the data, right-click on the highlighted data and select the Show Hex Interpreter Window
C. select the Hex Value Interpreter tab, highlight the data, right-click on the data to initiate the Hex Interpreter
D. right-click on the data area and select the Show Hex Interpreter Window and highlight the data you want to interpret
Answer: B
Part 1: http://e-forense.blogspot.com/2014/03/a30-327-ftk-accessdata-certified.HTML
Part 2: http://e-forense.blogspot.com/2014/03/a30-327-ftk-accessdata-certified_11.HTML
Part 3: http://e-forense.blogspot.com/2014/03/a30-327-ftk-accessdata-certified_12.HTML
Part 4: http://e-forense.blogspot.com/2014/03/a30-327-ftk-accessdata-certified_13.HTML
Part 5: http://e-forense.blogspot.com/2014/03/a30-327-ftk-accessdata-certified_14.HTML
Part 6: http://e-forense.blogspot.com/2014/03/a30-327-ftk-accessdata-certified_28.HTML
Part 7: http://e-forense.blogspot.com/2014/03/a30-327-ftk-accessdata-certified_6649.HTML
Part 8: http://e-forense.blogspot.com/2014/03/q.HTML
Part 10: http://e-forense.blogspot.com/2014/04/a30-327-ftk-accessdata-certified.HTML
Part 11: http://e-forense.blogspot.com/2014/04/a30-327-ftk-accessdata-certified_3.html