e-forense - Análise Forense Computacional, Hacking, Segurança & Código

Sétima parte da coleção de questões para a certificação A30-327 AccessData Certified Examiner ACE, para a ferramenta FTK, FTK Imager, PRTK e Registry Viewer.

Volto a referir que é muito importante a leitura dos manuais:

Manual FTK: http://marketing.accessdata.com/acton/attachment/4390/f-0643/1/-/-/-/-/FTK_UG.pdf
Manual FTK Imager: http://marketing.accessdata.com/acton/attachment/4390/f-000d/1/-/-/-/-/file.pdf
Manual PRTK: http://marketing.accessdata.com/acton/attachment/4390/f-0653/1/-/-/-/-/PRTK_DNA%20User%20Guide.pdf
Manual Registry Viewer: http://marketing.accessdata.com/acton/attachment/4390/f-0672/1/-/-/-/-/RegistryViewer_UG.pdf

Estas perguntas foram retiradas de um antigo dump disponível pela internet fora.

Q.How can you use FTK Imager to obtain registry files from a live system?
A. You use the Export Files option.
B. You use the Advanced Recovery option.
C. Registry files cannot be exported from a live system.
D. You use the Protected Storage System Provider option.
Answer: A

Q.Which statement is true about using FTK Imager to export a folder and its subfolders?
A. Exporting a folder will copy all its subfolders.
B. Each subfolder must be exported individually.
C. Exporting a folder copies only the folder without any files.
D. Exporting a folder will copy all subfolders without the system attribute.
Answer: A

Q.You used FTK Imager to create several hash list files. You view the location where the files were exported. What is the file extension type for these files?
A. .txt = ASCII Text File
B. .dif = Data Interchange Format
C. .prn = Formatted Text Delimited
D. .csv = Comma Separated Values
Answer: D

Q.You create two evidence images from the suspect's drive: suspect.E01 and suspect.001. You want to be able to verify that the image hash values are the same for suspect.E01 and suspect.001 image files. Which file has the hash value for the Raw (dd) image?
A. suspect.001.txt
B. suspect.E01.txt
C. suspect.001.csv
D. suspect.E01.csv
Answer: A

Q.You successfully export and create a file hash list while using FTK Imager. Which three pieces of information are included in this file? (Choose three.)
A. MD5
B. SHA1
C. filename
D. record date
E. date modified
Answer: A,B,C

Q.During the execution of a search warrant, you image a suspect drive using FTK Imager and store the Raw(dd) image files on a portable drive. Later, these files are transferred to a server for storage. How do you verify that the information stored on the server is unaltered?
A. open and view the Summary file
B. load the image into FTK and it automatically performs file verification
C. in FTK Imager, use the Verify Drive/Image function to automatically compare a calculated hash with a stored hash
D. use FTK Imager to create a verification hash and manually compare that value to the value stored in the Summary file
Answer: D

Q.Which three items are contained in an Image Summary File using FTK Imager? (Choose three.)
A. MD5
B. CRC
C. SHA1
D. Sector Count
E. Cluster Count
Answer: A,C,D

Q.Which two image formats contain an embedded hash value for file verification? (Choose two.)
A. E01
B. S01
C. ISO
D. CUE
E. 001 (dd)
Answer: A,B

Q.While analyzing unallocated space, you locate what appears to be a 64-bit Windows date and time. Which FTK Imager feature allows you display the information as a date and time?
A. INFO2 Filter
B. Base Converter
C. Metadata Parser
D. Hex Value Interpreter
Answer: D

Q.In which Overview tab container are HTML files classified?
A. Archive container
B. Java Code container
C. Documents container
D. Internet Files container
Answer: C


Parte 1: http://e-forense.blogspot.com/2014/03/a30-327-ftk-accessdata-certified.HTML
Parte 2: http://e-forense.blogspot.com/2014/03/a30-327-ftk-accessdata-certified_11.HTML
Parte 3: http://e-forense.blogspot.com/2014/03/a30-327-ftk-accessdata-certified_12.HTML
Parte 4: http://e-forense.blogspot.com/2014/03/a30-327-ftk-accessdata-certified_13.HTML
Parte 5: http://e-forense.blogspot.com/2014/03/a30-327-ftk-accessdata-certified_14.HTML
Parte 6: http://e-forense.blogspot.com/2014/03/a30-327-ftk-accessdata-certified_28.HTML
Parte 8: http://e-forense.blogspot.com/2014/03/q.html
Parte 9: http://e-forense.blogspot.com/2014/03/a30-327-ftk-accessdata-certified_31.HTML
Parte 10: http://e-forense.blogspot.com/2014/04/a30-327-ftk-accessdata-certified.HTML
Parte 11: http://e-forense.blogspot.com/2014/04/a30-327-ftk-accessdata-certified_3.html