Archive for March 2014
A30-327: FTK AccessData Certified Examiner - ACE - A little help with the FTK certification questions - Part 9
Ninth part of the collection of questions for the A30-327 AccessData Certified Examiner (ACE) certification, covering the FTK, FTK Imager, PRTK and Registry Viewer tools.
I repeat that reading the manuals is very important:
FTK manual: http://marketing.accessdata.com/acton/attachment/4390/f-0643/1/-/-/-/-/FTK_UG.pdf
FTK Imager manual: http://marketing.accessdata.com/acton/attachment/4390/f-000d/1/-/-/-/-/file.pdf
PRTK manual: http://marketing.accessdata.com/acton/attachment/4390/f-0653/1/-/-/-/-/PRTK_DNA%20User%20Guide.pdf
Registry Viewer manual: http://marketing.accessdata.com/acton/attachment/4390/f-0672/1/-/-/-/-/RegistryViewer_UG.pdf
These questions were taken from an old dump that was floating around the internet.
Q. You have processed a case in FTK using all the default options. The investigator supplies you with a list of 400 names in an electronic format. What is the quickest way to search unallocated space for all of these names?
A. build adtSearch string with all 400 names
B. create a Regular Expression with all the names
C. make an imported text file of the names in Live Search
D. use an imported text file containing the names in Indexed Search
Answer: D
Q. Which pattern does the following regular expression recover? (\d{4}[\- ]){3}\d{4}
A. 000-000-0000
B. ddd-4-3-dddd-4-3
C. 000-00000-000-ABC
D. 0000-0000-0000-0000
Answer: D
Q. You examine evidence and flag several graphic images found in different folders. You now want to bookmark these items into a single bookmark. Which tab in FTK do you use to view only the flagged thumbnails?
A. Explore tab
B. Graphics tab
C. Overview tab
D. Bookmark tab
Answer: C
Q. What change do you make to the file filter shown in the exhibit in order to show only graphics with a logical size between 500 kilobytes and 10 megabytes?
A. You change all file status items to a red circle.
B. You change all file status items to a yellow triangle.
C. You make no change. The filter is correct as shown.
D. You change Graphics in the File Type column to a yellow triangle.
Answer: D
Q. FTK uses Data Carving to find which three file types? (Choose three.)
A. JPEG files
B. Yahoo! Chat Archives
C. WPD (Word Perfect Documents)
D. Enhanced Windows Meta Files (EMF)
E. OLE Archive Files (Office Documents)
Answer: A,D,E
Q. You are asked to process a case using FTK and to produce a report that only includes selected graphics. What allows you to display only flagged graphics?
A. List by File Path
B. List File Properties
C. Graphic Thumbnails
D. Supplementary Files
Answer: C
Q. Which two options are available in the FTK Report Wizard? (Choose two.)
A. List by File Path
B. List File Properties
C. Include HTML File Listing
D. Include PRTK Output List
Answer: A,B
Q. Using the FTK Report Wizard, which two options are available in the List by File Path window? (Choose two.)
A. List File Properties
B. Export to the Report
C. Apply a Filter to the List
D. Include Registry Viewer Reports
Answer: B,C
Q. Using the FTK Report Wizard, which two options are available in the Bookmarks - A window? (Choose two.)
A. Apply a filter to the list
B. Group all filenames at end of report
C. Yes, include all graphics in the case
D. No, do not include a bookmark section
E. Export full-size graphics and link them to the thumbnails
Answer: D,E
Q. In Registry Viewer, which steps initiate the Hex Interpreter?
A. highlight the data and select the Hex Value Interpreter tab
B. highlight the data, right-click on the highlighted data and select the Show Hex Interpreter Window
C. select the Hex Value Interpreter tab, highlight the data, right-click on the data to initiate the Hex Interpreter
D. right-click on the data area and select the Show Hex Interpreter Window and highlight the data you want to interpret
Answer: B
Part 1: http://e-forense.blogspot.com/2014/03/a30-327-ftk-accessdata-certified.HTML
Part 2: http://e-forense.blogspot.com/2014/03/a30-327-ftk-accessdata-certified_11.HTML
Part 3: http://e-forense.blogspot.com/2014/03/a30-327-ftk-accessdata-certified_12.HTML
Part 4: http://e-forense.blogspot.com/2014/03/a30-327-ftk-accessdata-certified_13.HTML
Part 5: http://e-forense.blogspot.com/2014/03/a30-327-ftk-accessdata-certified_14.HTML
Part 6: http://e-forense.blogspot.com/2014/03/a30-327-ftk-accessdata-certified_28.HTML
Part 7: http://e-forense.blogspot.com/2014/03/a30-327-ftk-accessdata-certified_6649.HTML
Part 8: http://e-forense.blogspot.com/2014/03/q.HTML
Part 10: http://e-forense.blogspot.com/2014/04/a30-327-ftk-accessdata-certified.HTML
Part 11: http://e-forense.blogspot.com/2014/04/a30-327-ftk-accessdata-certified_3.html
Monday, 31 March 2014
A30-327: FTK AccessData Certified Examiner - ACE - A little help with the FTK certification questions - Part 8
Eighth part of the collection of questions for the A30-327 AccessData Certified Examiner (ACE) certification, covering the FTK, FTK Imager, PRTK and Registry Viewer tools.
I repeat that reading the manuals is very important:
FTK manual: http://marketing.accessdata.com/acton/attachment/4390/f-0643/1/-/-/-/-/FTK_UG.pdf
FTK Imager manual: http://marketing.accessdata.com/acton/attachment/4390/f-000d/1/-/-/-/-/file.pdf
PRTK manual: http://marketing.accessdata.com/acton/attachment/4390/f-0653/1/-/-/-/-/PRTK_DNA%20User%20Guide.pdf
Registry Viewer manual: http://marketing.accessdata.com/acton/attachment/4390/f-0672/1/-/-/-/-/RegistryViewer_UG.pdf
These questions were taken from an old dump that was floating around the internet.
Q. When adding data to FTK, which statement about DriveFreeSpace is true?
A. DriveFreeSpace is merged with deleted files.
B. DriveFreeSpace is segmented into 10 megabyte items.
C. DriveFreeSpace is truncated, based on the size of the case.dat file.
D. DriveFreeSpace is classified with file slack items in the Overview tab.
Answer: D
Q. You are using FTK to process e-mail files. In which two areas can E-mail attachments be located? (Choose two.)
A. the E-mail tab
B. the From E-mail container in the Overview tab
C. the Evidence Items container in the Overview tab
D. the E-mail Messages container in the Overview tab
Answer: A,B
Q. In FTK, which tab provides specific information on the evidence items, file items, file status and file category?
A. E-mail tab
B. Explore tab
C. Overview tab
D. Graphics tab
Answer: C
Q. In FTK, you navigate to the Graphics tab at the Case level and you do not see any graphics. What should you do to see all graphics in the case?
A. list all descendants
B. run the graphic files filter
C. check all items in the current list
D. select the Graphics container button
Answer: A
Q. In FTK, which two formats can be used to export an E-mail message? (Choose two.)
A. raw format
B. XML format
C. PDF format
D. HTML format
E. binary format
Answer: A,D
Q. In FTK, when you view the Total File Items container (rather than the Actual Files container), why are there more items than files?
A. Total File Items includes files that are in archive files, while Actual Files does not.
B. Total File Items includes all unfiltered files while Actual Files includes only checked files.
C. Total File Items includes all KFF Ignorables while Actual Files includes only the KFF Alerts.
D. Total File Items includes files that are in the Graphics and E-Mail tabs, while Actual Files only includes files in the Graphics tab while excluding attachments in the E-mail tab.
Answer: A
Q. Which statement is true about Processes to Perform in FTK?
A. Processing options can be chosen only when adding evidence.
B. Processing options can be chosen during or after adding evidence.
C. Processing options can be chosen only after evidence has been added.
D. If processing is not performed while adding evidence, the case must be started again.
Answer: B
Q. What are three types of evidence that can be added to a case in FTK? (Choose three.)
A. local drive
B. registry MRU list
C. contents of a folder
D. acquired image of a drive
E. compressed volume files (CVFs)
Answer: A,C,D
Q. You want to search for two words within five words of each other. Which search request would accomplish this function?
A. apple by pear w/5
B. June near July w/5
C. supernova w/5 cassiopeia
D. supernova by cassiopeia w/5
Answer: C
Q. Click the Exhibit button. You need to search for specific data that are located in a Microsoft Word document. You do not know the exact spelling of this data. Using the Index Search Options as displayed in the exhibit, which changes do you make in the Broadening Options and Search Limiting Options containers?
A. check the Fuzzy box; check the File Name Pattern box; type *.doc in the pattern container
B. check the Stemming box; check the File Name Pattern box; type *.doc in the pattern container
C. check the Synonym box; check the File Name Pattern box; type *.doc in the pattern container
D. check the Stemming box; check the File Name Pattern box; type %.doc in the pattern container
Answer: A
Part 1: http://e-forense.blogspot.com/2014/03/a30-327-ftk-accessdata-certified.HTML
Part 2: http://e-forense.blogspot.com/2014/03/a30-327-ftk-accessdata-certified_11.HTML
Part 3: http://e-forense.blogspot.com/2014/03/a30-327-ftk-accessdata-certified_12.HTML
Part 4: http://e-forense.blogspot.com/2014/03/a30-327-ftk-accessdata-certified_13.HTML
Part 5: http://e-forense.blogspot.com/2014/03/a30-327-ftk-accessdata-certified_14.HTML
Part 6: http://e-forense.blogspot.com/2014/03/a30-327-ftk-accessdata-certified_28.HTML
Part 7: http://e-forense.blogspot.com/2014/03/a30-327-ftk-accessdata-certified_6649.HTML
Part 9: http://e-forense.blogspot.com/2014/03/a30-327-ftk-accessdata-certified_31.HTML
Part 10: http://e-forense.blogspot.com/2014/04/a30-327-ftk-accessdata-certified.HTML
Part 11: http://e-forense.blogspot.com/2014/04/a30-327-ftk-accessdata-certified_3.html
Friday, 28 March 2014
A30-327: FTK AccessData Certified Examiner - ACE - A little help with the FTK certification questions - Part 7
Seventh part of the collection of questions for the A30-327 AccessData Certified Examiner (ACE) certification, covering the FTK, FTK Imager, PRTK and Registry Viewer tools.
I repeat that reading the manuals is very important:
FTK manual: http://marketing.accessdata.com/acton/attachment/4390/f-0643/1/-/-/-/-/FTK_UG.pdf
FTK Imager manual: http://marketing.accessdata.com/acton/attachment/4390/f-000d/1/-/-/-/-/file.pdf
PRTK manual: http://marketing.accessdata.com/acton/attachment/4390/f-0653/1/-/-/-/-/PRTK_DNA%20User%20Guide.pdf
Registry Viewer manual: http://marketing.accessdata.com/acton/attachment/4390/f-0672/1/-/-/-/-/RegistryViewer_UG.pdf
These questions were taken from an old dump that was floating around the internet.
Q. How can you use FTK Imager to obtain registry files from a live system?
A. You use the Export Files option.
B. You use the Advanced Recovery option.
C. Registry files cannot be exported from a live system.
D. You use the Protected Storage System Provider option.
Answer: A
Q. Which statement is true about using FTK Imager to export a folder and its subfolders?
A. Exporting a folder will copy all its subfolders.
B. Each subfolder must be exported individually.
C. Exporting a folder copies only the folder without any files.
D. Exporting a folder will copy all subfolders without the system attribute.
Answer: A
Q. You used FTK Imager to create several hash list files. You view the location where the files were exported. What is the file extension type for these files?
A. .txt = ASCII Text File
B. .dif = Data Interchange Format
C. .prn = Formatted Text Delimited
D. .csv = Comma Separated Values
Answer: D
Q. You create two evidence images from the suspect's drive: suspect.E01 and suspect.001. You want to be able to verify that the image hash values are the same for suspect.E01 and suspect.001 image files. Which file has the hash value for the Raw (dd) image?
A. suspect.001.txt
B. suspect.E01.txt
C. suspect.001.csv
D. suspect.E01.csv
Answer: A
Q. You successfully export and create a file hash list while using FTK Imager. Which three pieces of information are included in this file? (Choose three.)
A. MD5
B. SHA1
C. filename
D. record date
E. date modified
Answer: A,B,C
Q. During the execution of a search warrant, you image a suspect drive using FTK Imager and store the Raw (dd) image files on a portable drive. Later, these files are transferred to a server for storage. How do you verify that the information stored on the server is unaltered?
A. open and view the Summary file
B. load the image into FTK and it automatically performs file verification
C. in FTK Imager, use the Verify Drive/Image function to automatically compare a calculated hash with a stored hash
D. use FTK Imager to create a verification hash and manually compare that value to the value stored in the Summary file
Answer: D
Q. Which three items are contained in an Image Summary File using FTK Imager? (Choose three.)
A. MD5
B. CRC
C. SHA1
D. Sector Count
E. Cluster Count
Answer: A,C,D
Q. Which two image formats contain an embedded hash value for file verification? (Choose two.)
A. E01
B. S01
C. ISO
D. CUE
E. 001 (dd)
Answer: A,B
Q. While analyzing unallocated space, you locate what appears to be a 64-bit Windows date and time. Which FTK Imager feature allows you to display the information as a date and time?
A. INFO2 Filter
B. Base Converter
C. Metadata Parser
D. Hex Value Interpreter
Answer: D
Q. In which Overview tab container are HTML files classified?
A. Archive container
B. Java Code container
C. Documents container
D. Internet Files container
Answer: C
Part 1: http://e-forense.blogspot.com/2014/03/a30-327-ftk-accessdata-certified.HTML
Part 2: http://e-forense.blogspot.com/2014/03/a30-327-ftk-accessdata-certified_11.HTML
Part 3: http://e-forense.blogspot.com/2014/03/a30-327-ftk-accessdata-certified_12.HTML
Part 4: http://e-forense.blogspot.com/2014/03/a30-327-ftk-accessdata-certified_13.HTML
Part 5: http://e-forense.blogspot.com/2014/03/a30-327-ftk-accessdata-certified_14.HTML
Part 6: http://e-forense.blogspot.com/2014/03/a30-327-ftk-accessdata-certified_28.HTML
Part 8: http://e-forense.blogspot.com/2014/03/q.html
Part 9: http://e-forense.blogspot.com/2014/03/a30-327-ftk-accessdata-certified_31.HTML
Part 10: http://e-forense.blogspot.com/2014/04/a30-327-ftk-accessdata-certified.HTML
Part 11: http://e-forense.blogspot.com/2014/04/a30-327-ftk-accessdata-certified_3.html
A30-327: FTK AccessData Certified Examiner - ACE - A little help with the FTK certification questions - Part 6
Sixth part of the collection of questions for the A30-327 AccessData Certified Examiner (ACE) certification, covering the FTK, FTK Imager, PRTK and Registry Viewer tools.
I repeat that reading the manuals is very important:
FTK manual: http://marketing.accessdata.com/acton/attachment/4390/f-0643/1/-/-/-/-/FTK_UG.pdf
FTK Imager manual: http://marketing.accessdata.com/acton/attachment/4390/f-000d/1/-/-/-/-/file.pdf
PRTK manual: http://marketing.accessdata.com/acton/attachment/4390/f-0653/1/-/-/-/-/PRTK_DNA%20User%20Guide.pdf
Registry Viewer manual: http://marketing.accessdata.com/acton/attachment/4390/f-0672/1/-/-/-/-/RegistryViewer_UG.pdf
These questions were taken from an old dump that was floating around the internet.
Q. Which three items are displayed in FTK Imager for an individual file in the Properties window? (Choose three.)
A. flags
B. filename
C. hash set
D. timestamps
E. item number
Answer: A,B,D
Q. In FTK, which search broadening option allows you to find grammatical variations of the word "kill" such as "killer," "killed," and "killing"?
A. Phonic
B. Synonym
C. Stemming
D. Fuzzy Logic
Answer: C
Q. When using FTK Imager to preview a physical drive, which number is assigned to the first logical volume of an extended partition?
A. 2
B. 3
C. 4
D. 5
Answer: D
Q. When previewing a physical drive on a local machine with FTK Imager, which statement is true?
A. FTK Imager can block calls to interrupt 13h and prevent writes to suspect media.
B. FTK Imager can operate from a USB drive, thus preventing writes to suspect media.
C. FTK Imager can operate via a DOS boot disk, thus preventing writes to suspect media.
D. FTK Imager should always be used in conjunction with a hardware write protect device to prevent writes to suspect media.
Answer: D
Q. Which type of evidence can be added to FTK Imager?
A. individual files
B. all checked items
C. contents of a folder
D. all currently listed items
Answer: C
Q. To obtain protected files on a live machine with FTK Imager, which evidence item should be added?
A. image file
B. currently booted drive
C. server object settings
D. profile access control list
Answer: B
Q. What are three image file formats that can be read by FTK Imager? (Choose three.)
A. E01 files
B. raw (dd) image files
C. SafeBack version 2.2 image files
D. SafeBack version 3.0 image files
E. Symantec Ghost compressed image files
Answer: A,B,C
Q.Which statement is true about using FTK Imager to simultaneously create multiple images of a single source?
A. In the Image Creation Wizard, you should select the Add Additional Drives option.
B. You should use the Create Multiple Images option to create server image objects.
C. You should note the evidence item source signature and add it to the Image View pane.
D. In the Image Creation Wizard, you should add multiple destination jobs from the same source prior to beginning image creation.
Answer: D
Q.FTK Imager allows a user to convert a Raw (dd) image into which two formats? (Choose two.)
A. E01
B. Ghost
C. SMART
D. SafeBack
Answer: A,C
Q.You are converting one image file format to another using FTK Imager. Why are the hash values of the original image and the resulting new image the same?
A. because FTK Imager's progress bar tracks the conversion
B. because FTK Imager verifies the amount of data converted
C. because FTK Imager compares the elapsed time of conversion
D. because FTK Imager hashes only the data during the conversion
Answer: D
Part 1: http://e-forense.blogspot.com/2014/03/a30-327-ftk-accessdata-certified.HTML
Part 2: http://e-forense.blogspot.com/2014/03/a30-327-ftk-accessdata-certified_11.HTML
Part 3: http://e-forense.blogspot.com/2014/03/a30-327-ftk-accessdata-certified_12.HTML
Part 4: http://e-forense.blogspot.com/2014/03/a30-327-ftk-accessdata-certified_13.HTML
Part 5: http://e-forense.blogspot.com/2014/03/a30-327-ftk-accessdata-certified_14.HTML
Part 7: http://e-forense.blogspot.com/2014/03/a30-327-ftk-accessdata-certified_6649.HTML
Part 8: http://e-forense.blogspot.com/2014/03/q.HTML
Part 9: http://e-forense.blogspot.com/2014/03/a30-327-ftk-accessdata-certified_31.HTML
Part 10: http://e-forense.blogspot.com/2014/04/a30-327-ftk-accessdata-certified.HTML
Part 11: http://e-forense.blogspot.com/2014/04/a30-327-ftk-accessdata-certified_3.html
A30-327 : FTK AccessData Certified Examiner - ACE - A little help with the FTK certification questions - Part 5
Fifth part of the collection of questions for the A30-327 AccessData Certified Examiner ACE certification, covering the FTK, FTK Imager, PRTK and Registry Viewer tools.
I repeat that reading the manuals is very important:
FTK manual: http://marketing.accessdata.com/acton/attachment/4390/f-0643/1/-/-/-/-/FTK_UG.pdf
FTK Imager manual: http://marketing.accessdata.com/acton/attachment/4390/f-000d/1/-/-/-/-/file.pdf
PRTK manual: http://marketing.accessdata.com/acton/attachment/4390/f-0653/1/-/-/-/-/PRTK_DNA%20User%20Guide.pdf
Registry Viewer manual: http://marketing.accessdata.com/acton/attachment/4390/f-0672/1/-/-/-/-/RegistryViewer_UG.pdf
Q. Which Registry Viewer function allows automatic documentation of multiple unknown user names?
a.Add to Report with Children
b.Export User List
c.Summary Report with WildCard
d.Add to Report
Q.Which statement is true concerning the Biographical Dictionary in PRTK?
a.Data can be input in any category without affecting effectiveness
b.The resulting dictionary creates permutations of input terms
c.It helps to create an overall picture of the computer user
d.The Biographical Dictionary contains locally recovered passwords
Q.Using FTK’s Data Carving function, a new item named “carved[2768].jpg” is carved from unallocated space. What does the “[2768]” indicate?
a.2768 is the FTK item number for the newly carved graphic
b.2768 is the FTK item number of the parent item
c.The carved graphic was located at offset 2,768 within the parent item
d.The carved item is the 2,768th carved item in the FTK case
Q.Which statement is true concerning bookmarks in an FTK report?
a.FTK will only allow bookmarks containing graphics to be included in a report
b.Filters cannot be applied to bookmarks in a report
c.An email attachment not part of the original bookmarked email can still be included.
d.Bookmarks to be included in a report must be chosen before the Report function is started
Q.Which statement concerning TR1 Regular Expressions in FTK is true?
a.A TR1 expression can be run from the Index Search Tab
b.A TR1 expression can be run as a processing option during case creation
c.A TR1 expression must be run from the Live Search Tab
d.A TR1 expression can be shared via the Manage menu
Q.Which statement is true concerning files sent directly from FTK for decryption in PRTK/DNA?
a.The FTK Wordlist will also be sent with the file to be decrypted.
b.A Biographical Dictionary may be added to the attack profile after the file is sent.
c.PRTK/DNA must be running before the file is sent.
d.The default attack profile will be used for the decryption job.
Part 1: http://e-forense.blogspot.com/2014/03/a30-327-ftk-accessdata-certified.HTML
Part 2: http://e-forense.blogspot.com/2014/03/a30-327-ftk-accessdata-certified_11.HTML
Part 3: http://e-forense.blogspot.com/2014/03/a30-327-ftk-accessdata-certified_12.HTML
Part 4: http://e-forense.blogspot.com/2014/03/a30-327-ftk-accessdata-certified_13.HTML
Part 6: http://e-forense.blogspot.com/2014/03/a30-327-ftk-accessdata-certified_28.HTML
Part 7: http://e-forense.blogspot.com/2014/03/a30-327-ftk-accessdata-certified_6649.HTML
Part 8: http://e-forense.blogspot.com/2014/03/q.HTML
Part 9: http://e-forense.blogspot.com/2014/03/a30-327-ftk-accessdata-certified_31.HTML
Part 10: http://e-forense.blogspot.com/2014/04/a30-327-ftk-accessdata-certified.HTML
Part 11: http://e-forense.blogspot.com/2014/04/a30-327-ftk-accessdata-certified_3.html
Friday, 14 March 2014
A30-327 : FTK AccessData Certified Examiner - ACE - A little help with the FTK certification questions - Part 4
Fourth part of the collection of questions for the A30-327 AccessData Certified Examiner ACE certification, covering the FTK, FTK Imager, PRTK and Registry Viewer tools.
I repeat that reading the manuals is very important:
FTK manual: http://marketing.accessdata.com/acton/attachment/4390/f-0643/1/-/-/-/-/FTK_UG.pdf
FTK Imager manual: http://marketing.accessdata.com/acton/attachment/4390/f-000d/1/-/-/-/-/file.pdf
PRTK manual: http://marketing.accessdata.com/acton/attachment/4390/f-0653/1/-/-/-/-/PRTK_DNA%20User%20Guide.pdf
Registry Viewer manual: http://marketing.accessdata.com/acton/attachment/4390/f-0672/1/-/-/-/-/RegistryViewer_UG.pdf
Q. Which FTK processing option would indicate a similarity between two graphic files?
a.Entropy Test
b.PhotoDNA
c.Explicit Image Detection (EID)
d.Meta Carve
Q. Which FTK Tab would allow viewing the Process List from a RAM memory dump file?
a.Graphics Tab
b.Volatile Tab
c.Explore Tab
d.Memory Tab
Q. Which statement is true concerning the Video Thumbnail feature of FTK?
a.Videos can be shortened to make viewing faster
b.Thumbnails can be generated at user-designated intervals
c.Thumbnails are only generated at 10 seconds intervals
d.Videos can be converted to QuickTime (MOV) format
Q. Which statement is true concerning bookmarks in an FTK report?
a.FTK will only allow bookmarks containing graphics to be included in a report
b.An email attachment not part of the original bookmarked email can still be included
c.Bookmarks to be included in a report must be chosen before Report function is started
d.Filters cannot be applied to bookmarks in a report
Q. In which FTK Overview Tab container/node are Internet Explorer index.dat files classified?
a.Archive container
b.Documents container
c.Java Code container
d.Internet/Chat Files container
Q. Which of the following is NOT an option available in the FTK Report?
a.Registry Selections
b.Volatile Data
c.Create a PDF version of the report
d.Videos
Q. The last 3 pages of a 12-page English document contain Portuguese. Which statement below is true?
a.The document will be identified as Portuguese by Language Identification in FTK
b.The document will be identified as English by Language Identification in FTK
c.The document's language will not be identified by Language Identification in FTK
d.The document will be identified as "multi-language" by Language Identification in FTK
Q. Which Registry Viewer operation can be conducted from FTK?
a.view all registry files from within FTK
b.create subitems of individual keys for FTK
c.display all encrypted registry content
d.decrypt passwords from the SAM file
Q. In which file format can a list of hash values be imported into FTK?
a.ISO
b.CSV
c.DD
d.AD1
Q. Which statement is true concerning decryption of files from within FTK?
a.EFS files can't be decrypted from within FTK; they must be exported from the case
b.The newly decrypted file replaces the encrypted file in the FTK database
c.Multiple passwords may be attempted simultaneously via Tools > Decrypt Files
d.Only one password at a time may be attempted via Tools > Decrypt Files
Part 1: http://e-forense.blogspot.com/2014/03/a30-327-ftk-accessdata-certified.HTML
Part 2: http://e-forense.blogspot.com/2014/03/a30-327-ftk-accessdata-certified_11.HTML
Part 3: http://e-forense.blogspot.com/2014/03/a30-327-ftk-accessdata-certified_12.HTML
Part 5: http://e-forense.blogspot.com/2014/03/a30-327-ftk-accessdata-certified_14.HTML
Part 6: http://e-forense.blogspot.com/2014/03/a30-327-ftk-accessdata-certified_28.HTML
Part 7: http://e-forense.blogspot.com/2014/03/a30-327-ftk-accessdata-certified_6649.HTML
Part 8: http://e-forense.blogspot.com/2014/03/q.HTML
Part 9: http://e-forense.blogspot.com/2014/03/a30-327-ftk-accessdata-certified_31.HTML
Part 10: http://e-forense.blogspot.com/2014/04/a30-327-ftk-accessdata-certified.HTML
Part 11: http://e-forense.blogspot.com/2014/04/a30-327-ftk-accessdata-certified_3.html
Thursday, 13 March 2014
A30-327 : FTK AccessData Certified Examiner - ACE - A little help with the FTK certification questions - Part 3
Third part of the collection of questions for the A30-327 AccessData Certified Examiner ACE certification, covering the FTK, FTK Imager, PRTK and Registry Viewer tools.
I repeat that reading the manuals is very important:
FTK manual: http://marketing.accessdata.com/acton/attachment/4390/f-0643/1/-/-/-/-/FTK_UG.pdf
FTK Imager manual: http://marketing.accessdata.com/acton/attachment/4390/f-000d/1/-/-/-/-/file.pdf
PRTK manual: http://marketing.accessdata.com/acton/attachment/4390/f-0653/1/-/-/-/-/PRTK_DNA%20User%20Guide.pdf
Registry Viewer manual: http://marketing.accessdata.com/acton/attachment/4390/f-0672/1/-/-/-/-/RegistryViewer_UG.pdf
Here are 10 more theoretical questions:
Q. Which of the following is NOT part of a PRTK attack profile?
a.Concatenation Matrix
b.Dictionaries
c.Character Groups
d.Rules
Q. What type of information is provided via the Help > Recovery Modules menu option in PRTK?
a.Attack Types
b.Estimated Recovery Time
c.Bit Strength
d.Difficulty Level
Q. In PRTK, which type of attack uses word lists?
a.keyspace attack
b.hash table attack
c.dictionary attack
d.brute-force attack
Q. What is the purpose of the PRTK Golden Dictionary?
a.maintains a list of the 100 most likely passwords
b.maintains previously created level information
c.maintains previously created profile information
d.maintains previously recovered passwords
Q. Which statement is true?
a.PRTK must run in conjunction with DNA workers to decrypt EFS files
b.PRTK and FTK must be installed on the same machine to decrypt EFS files
c.EFS files must be exported from a case and provided to PRTK for decryption
d.PRTK can recover Windows logon passwords
Q. Which statement is true concerning custom filters in FTK?
a.A custom filter can only be used in the case in which it was created.
b.A custom filter can be used in another case by copying it to the shared area in FTK
c.Only a Case Reviewer can copy a custom filter to the shared area in FTK
d.Only custom Column Settings can be copied to the shared area in FTK
Q. Which statement is true concerning Indexed Searching in FTK?
a.Indexed searches can only be restricted by checked files
b.Indexed searches can be restricted by checked files or a filter
c.Indexed searches cannot be restricted
d.Indexed searches can only be restricted by a filter
Q. Which processing option must be executed to view the child subitems of a *.zip file?
a.dtSearch Indexing
b.Expand Compound Files
c.Visualization
d.Entropy Test
Q. An FTK User assigned Case Reviewer status has what restriction?
a.Cannot bookmark files
b.Cannot log into a database
c.Cannot perform Indexed Searching
d.Cannot view files flagged as Privileged
Q. Which statement is true about Evidence Processing in FTK?
a.All Evidence Processing options available during case creation are also available after case creation
b.A Processing Profile can be used when adding evidence to an existing case
c.Processing options can be chosen only when adding evidence
d.Processing options can be chosen during or after adding evidence
Part 1: http://e-forense.blogspot.com/2014/03/a30-327-ftk-accessdata-certified.HTML
Part 2: http://e-forense.blogspot.com/2014/03/a30-327-ftk-accessdata-certified_11.HTML
Part 4: http://e-forense.blogspot.com/2014/03/a30-327-ftk-accessdata-certified_13.html
Part 5: http://e-forense.blogspot.com/2014/03/a30-327-ftk-accessdata-certified_14.HTML
Part 6: http://e-forense.blogspot.com/2014/03/a30-327-ftk-accessdata-certified_28.HTML
Part 7: http://e-forense.blogspot.com/2014/03/a30-327-ftk-accessdata-certified_6649.HTML
Part 8: http://e-forense.blogspot.com/2014/03/q.HTML
Part 9: http://e-forense.blogspot.com/2014/03/a30-327-ftk-accessdata-certified_31.HTML
Part 10: http://e-forense.blogspot.com/2014/04/a30-327-ftk-accessdata-certified.HTML
Part 11: http://e-forense.blogspot.com/2014/04/a30-327-ftk-accessdata-certified_3.html
Wednesday, 12 March 2014
A30-327 : FTK AccessData Certified Examiner - ACE - A little help with the FTK certification questions - Part 2
Second part of the collection of questions for the A30-327 AccessData Certified Examiner ACE certification, covering the FTK, FTK Imager, PRTK and Registry Viewer tools.
I repeat that reading the manuals is very important:
FTK manual: http://marketing.accessdata.com/acton/attachment/4390/f-0643/1/-/-/-/-/FTK_UG.pdf
FTK Imager manual: http://marketing.accessdata.com/acton/attachment/4390/f-000d/1/-/-/-/-/file.pdf
PRTK manual: http://marketing.accessdata.com/acton/attachment/4390/f-0653/1/-/-/-/-/PRTK_DNA%20User%20Guide.pdf
Registry Viewer manual: http://marketing.accessdata.com/acton/attachment/4390/f-0672/1/-/-/-/-/RegistryViewer_UG.pdf
Here are the first 10 theoretical questions:
Q. After successfully exporting and creating a file hash list using FTK Imager, which piece of information is NOT included in this file?
a.File Name
b.MD5
c.SHA1
d.date modified
Q. Which evidence file format can be created by FTK Imager?
a.*.VHD (Virtual Hard Disk)
b.*.NCV (NTFS Compressed Volume)
c.*.AFF (Advanced Forensics Format)
d.*.SFF (Standard Forensics Format)
Q. FTK Imager supports encryption of image files with a password. What other type of encryption method may be used by FTK Imager?
a..pfx certificate
b.AES 896 encryption
c.BestCrypt
d.DES
Q. What type of evidence can be added to FTK Imager?
a.individual files
b.contents of a folder
c.all checked items
d.all currently listed items
Q. When capturing RAM from a system using FTK Imager:
a. A Solid State Drive (SSD) must be utilized
b. The computer must be powered off
c. Exporting a folder will copy all its subfolders
d. Changes to the source media may occur
Q. Which statement is true about the Image Mounting function?
a.It is only available in FTK Imager, not in FTK
b.It is only available in FTK; not in FTK Imager
c.An image can't be mounted as read-only
d.A mounted Macintosh HFS+ file system can be navigated in Windows
Q. What file extension will result from creating a Custom Content Image in FTK Imager?
a.AFF
b.CC1
c.AD1
d.L01
Q. Registry Viewer has which function also found in FTK and FTK Imager?
a.Image Mounting
b.Hex Value Interpreter
c.Reports in HTML format
d.Indexed Search
Q. When using Registry Viewer to view a key with 20 values, what option can be used to display only 5 of the 20 values in a report?
a.Add to Report With Children
b.Report
c.Special Reports
d.Summary Report
Q. The last 4 digits of a used SID would be displayed in which Registry Viewer pane?
a.Properties pane
b.Hive/Key pane
c.Hex Viewer pane
d.Key Values pane
Part 1: http://e-forense.blogspot.com/2014/03/a30-327-ftk-accessdata-certified.HTML
Part 3: http://e-forense.blogspot.com/2014/03/a30-327-ftk-accessdata-certified_12.html
Part 4: http://e-forense.blogspot.com/2014/03/a30-327-ftk-accessdata-certified_13.html
Part 5: http://e-forense.blogspot.com/2014/03/a30-327-ftk-accessdata-certified_14.HTML
Part 6: http://e-forense.blogspot.com/2014/03/a30-327-ftk-accessdata-certified_28.HTML
Part 7: http://e-forense.blogspot.com/2014/03/a30-327-ftk-accessdata-certified_6649.HTML
Part 8: http://e-forense.blogspot.com/2014/03/q.HTML
Part 9: http://e-forense.blogspot.com/2014/03/a30-327-ftk-accessdata-certified_31.HTML
Part 10: http://e-forense.blogspot.com/2014/04/a30-327-ftk-accessdata-certified.HTML
Part 11: http://e-forense.blogspot.com/2014/04/a30-327-ftk-accessdata-certified_3.html
Tuesday, 11 March 2014
A30-327: FTK AccessData Certified Examiner - ACE - A little help with the FTK certification questions - Part 1
First post this month, and the reason for my absence: some (a lot of) studying for the A30-327 certification, better known as AccessData Certified Examiner or ACE.
Well, let's start with the manuals, which should be read and which help with the questions presented in the exam.
FTK manual: http://marketing.accessdata.com/acton/attachment/4390/f-0643/1/-/-/-/-/FTK_UG.pdf
FTK Imager manual: http://marketing.accessdata.com/acton/attachment/4390/f-000d/1/-/-/-/-/file.pdf
PRTK manual: http://marketing.accessdata.com/acton/attachment/4390/f-0653/1/-/-/-/-/PRTK_DNA%20User%20Guide.pdf
Registry Viewer manual: http://marketing.accessdata.com/acton/attachment/4390/f-0672/1/-/-/-/-/RegistryViewer_UG.pdf
The exam consists of 40 questions, 10 practical and 30 theoretical, with 90 minutes to complete it.
To answer the practical questions you need to download the image provided and analyse it carefully.
From what I was able to "find out", the practical questions are always the same but in a different order.
Q. Practical Question: Which of the following pictures in Manny's Pictures library was taken with a Nikon D3100 camera?
a. Photo2.jpg
b. Photo1.jpg
c. Photo4.jpg
d. Photo3.jpg
Q. Practical Question: Using the Filter Manager, display all email attachments which are not OLE Subitems. How many items are listed?
a. 524
b. 60
c. 101
d. 585
Q. Practical Question: Which Windows User encrypted the file "LSMF.txt"? DO NOT use SID numbers to determine this.
a. Moe
b. Manny
c. Jack
d. PepBoyz
Q. Practical Question: What is the Volume Serial Number of the C: Drive?
a. A8AD-2656
b. 20F9-F09A
c. 4E3F-6EA2
d. 2656-A8AC
Q. Practical Question: What is the true File Type of the file "216203-438x.png"?
a. JPEG
b. Bitmap
c. PNG
d. TIFF
Q. Practical Question: Locate the file PSNM.doc. What is the subject of the parent email message?
a. Questar QBA
b. Transwertern - Collateral Demand from PSNM
c. FW:TWP letter to venders
d. Richardson Products
Q. Practical Question: Process the file Wildlife.wmv using the "Create Thumbnails for Videos" option with a three second interval. What is depicted in the 2nd thumbnail?
a. Polar Bear
b. Koala
c. Seals
d. Horses
Q. Practical Question: What is the SID unique identifier for the Windows User Moe?
a. 1002
b. 1001
c. 1004
d. 1003
Q. Practical Question: Using Registry Viewer, search Jack's NTUSER.DAT file for the word "Caspian". How many values are contained in the key where the search term occurs?
a. 15
b. 20
c. 28
d. 22
Q. Practical Question: Perform an Indexed Search for the word "gubergren", restricting your search to registry files. Which registry key contains the search term?
a. Printers
b. Mouse
c. Account
d. Identities
Some questions from the theoretical part coming soon.
Until then, good luck :)
UPDATE:
Part 2: http://e-forense.blogspot.com/2014/03/a30-327-ftk-accessdata-certified_11.HTML
Part 3: http://e-forense.blogspot.com/2014/03/a30-327-ftk-accessdata-certified_12.html
Part 4: http://e-forense.blogspot.com/2014/03/a30-327-ftk-accessdata-certified_13.HTML
Part 5: http://e-forense.blogspot.com/2014/03/a30-327-ftk-accessdata-certified_14.HTML
Part 6: http://e-forense.blogspot.com/2014/03/a30-327-ftk-accessdata-certified_28.HTML
Part 7: http://e-forense.blogspot.com/2014/03/a30-327-ftk-accessdata-certified_6649.HTML
Part 8: http://e-forense.blogspot.com/2014/03/q.HTML
Part 9: http://e-forense.blogspot.com/2014/03/a30-327-ftk-accessdata-certified_31.HTML
Part 10: http://e-forense.blogspot.com/2014/04/a30-327-ftk-accessdata-certified.HTML
Part 11: http://e-forense.blogspot.com/2014/04/a30-327-ftk-accessdata-certified_3.html
Monday, 10 March 2014
Online DisAssembler - ODA - A web-based disassembler
ODA, Online DisAssembler, is an online disassembler whose main purpose, as the name suggests, is to disassemble machine code for a wide range of architectures.
Built on libbfd and libopcodes (part of binutils), ODA lets you explore executables by dissecting their sections, strings, symbols, hex and machine-level instructions.
It can be used for several purposes, the most common being:
- Malware analysis
- Vulnerability research
- Visualising the instruction flow
- Reversing the first bytes of a corrupted MBR (Master Boot Record)
- Debugging an embedded system
- Or simply to satisfy curiosity
aarch64
alpha
alpha:ev4
alpha:ev5
alpha:ev6
arc
arc5
base
arc6
arc7
arc8
arm
armv2
armv2a
armv3
armv3m
armv4
armv4t
armv5
armv5t
armv5te
xscale
ep9312
iwmmxt
iwmmxt2
avr
avr:1
avr:2
avr:25
avr:3
avr:31
avr:35
avr:4
avr:5
avr:51
avr:6
avr:101
avr:102
avr:103
avr:104
avr:105
avr:106
avr:107
bfin
cr16
cr16c
cris
crisv32
cris:common_v10_v32
crx
d10v
d10v:ts2
d10v:ts3
d30v
dlx
epiphany32
epiphany16
fr30
frv
tomcat
simple
fr550
fr500
fr450
fr400
fr300
h8300
h8300h
h8300s
h8300hn
h8300sn
h8300sx
h8300sxn
h8500
hppa1.1
hppa2.0w
hppa2.0
hppa1.0
i370:common
i370:360
i370:370
i386
i386:x86-64
i386:x64-32
i8086
i386:intel
i386:x86-64:intel
i386:x64-32:intel
i860
i960:core
i960:mc
i960:xa
i960:ca
i960:jx
i960:hx
ia64-elf64
ia64-elf32
ip2022ext
ip2022
iq2000
iq10
k1om
k1om:intel
l1om
l1om:intel
lm32
m16c
m32c
m32r
m32rx
m32r2
m68hc11
m68hc12
m68hc12
m9s12x
m9s12xg
m68k
m68k:68000
m68k:68008
m68k:68010
m68k:68020
m68k:68030
m68k:68040
m68k:68060
m68k:cpu32
m68k:fido
m68k:isa-a:nodiv
m68k:isa-a
m68k:isa-a:mac
m68k:isa-a:emac
m68k:isa-aplus
m68k:isa-aplus:mac
m68k:isa-aplus:emac
m68k:isa-b:nousp
m68k:isa-b:nousp:mac
m68k:isa-b:nousp:emac
m68k:isa-b
m68k:isa-b:mac
m68k:isa-b:emac
m68k:isa-b:float
m68k:isa-b:float:mac
m68k:isa-b:float:emac
m68k:isa-c
m68k:isa-c:mac
m68k:isa-c:emac
m68k:isa-c:nodiv
m68k:isa-c:nodiv:mac
m68k:isa-c:nodiv:emac
m68k:5200
m68k:5206e
m68k:5307
m68k:5407
m68k:528x
m68k:521x
m68k:5249
m68k:547x
m68k:548x
m68k:cfv4e
m88k:88100
MCore
mep
h1
c5
mips
mips:3000
mips:3900
mips:4000
mips:4010
mips:4100
mips:4111
mips:4120
mips:4300
mips:4400
mips:4600
mips:4650
mips:5000
mips:5400
mips:5500
mips:6000
mips:7000
mips:8000
mips:9000
mips:10000
mips:12000
mips:14000
mips:16000
mips:16
mips:mips5
mips:isa32
mips:isa32r2
mips:isa64
mips:isa64r2
mips:sb1
mips:loongson_2e
mips:loongson_2f
mips:loongson_3a
mips:octeon
mips:octeon+
mips:octeon2
mips:xlr
mips:micromips
mmix
mn10200
mn10300
am33
am33-2
msp:14
msp:11
msp:110
msp:12
msp:13
msp:14
msp:15
msp:16
msp:21
msp:31
msp:32
msp:33
msp:41
msp:42
msp:43
msp:44
ms1
ms1-003
ms2
ns32k:32032
ns32k:32532
openrisc
or32
pdp11
powerpc:common64
powerpc:common
powerpc:603
powerpc:EC603e
powerpc:604
powerpc:403
powerpc:601
powerpc:620
powerpc:630
powerpc:a35
powerpc:rs64ii
powerpc:rs64iii
powerpc:7400
powerpc:e500
powerpc:e500mc
powerpc:e500mc64
powerpc:MPC8XX
powerpc:750
powerpc:titan
powerpc:vle
powerpc:e5500
powerpc:e6500
rs6000:6000
rs6000:rs1
rs6000:rsc
rs6000:rs2
rl78
rx
rx
s390:31-bit
s390:64-bit
score7
score3
sh
sh2
sh2e
sh-dsp
sh3
sh3-nommu
sh3-dsp
sh3e
sh4
sh4a
sh4al-dsp
sh4-nofpu
sh4-nommu-nofpu
sh4a-nofpu
sh2a
sh2a-nofpu
sh2a-nofpu-or-sh4-nommu-nofpu
sh2a-nofpu-or-sh3-nommu
sh2a-or-sh4
sh2a-or-sh3e
sh5
sparc
sparc:sparclet
sparc:sparclite
sparc:v8plus
sparc:v8plusa
sparc:sparclite_le
sparc:v9
sparc:v9a
sparc:v8plusb
sparc:v9b
spu:256K
tms320c30
tms320c4x
tms320c3x
tms320c54x
tic6x
tic80
tilegx
tilegx32
tilepro
v850
v850e2v3
v850e2
v850e1
v850e
vax
w65
we32k:32000
xstormy16
xtensa
xc16x
xc16xl
xc16xs
xgate
z80-any
z80-strict
z80
z80-full
z8001
z8002
Link to ODA: http://www.onlinedisassembler.com/odaweb/