Tuesday, March 11, 2014

Second part of the collection of questions for the A30-327 AccessData Certified Examiner (ACE) certification, covering the FTK, FTK Imager, PRTK and Registry Viewer tools.

I'll say again that reading the manuals is very important:

FTK manual: http://marketing.accessdata.com/acton/attachment/4390/f-0643/1/-/-/-/-/FTK_UG.pdf
FTK Imager manual: http://marketing.accessdata.com/acton/attachment/4390/f-000d/1/-/-/-/-/file.pdf
PRTK manual: http://marketing.accessdata.com/acton/attachment/4390/f-0653/1/-/-/-/-/PRTK_DNA%20User%20Guide.pdf
Registry Viewer manual: http://marketing.accessdata.com/acton/attachment/4390/f-0672/1/-/-/-/-/RegistryViewer_UG.pdf

Here are the first 10 theory questions:

Q. After successfully exporting and creating a file hash list using FTK Imager, which piece of information is NOT included in this file?
a. File Name
b. MD5
c. SHA1
d. date modified

Q. Which evidence file format can be created by FTK Imager?
a. *.VHD (Virtual Hard Disk)
b. *.NCV (NTFS Compressed Volume)
c. *.AFF (Advanced Forensics Format)
d. *.SFF (Standard Forensics Format)

Q. FTK Imager supports encryption of image files with a password. What other type of encryption method may be used by FTK Imager?
a. .pfx certificate
b. AES 896 encryption
c. BestCrypt
d. DES

Q. What type of evidence can be added to FTK Imager?
a. individual files
b. contents of a folder
c. all checked items
d. all currently listed items

Q. When capturing RAM from a system using FTK Imager:
a. A Solid State Drive (SSD) must be utilized
b. The computer must be powered off
c. Exporting a folder will copy all its subfolders
d. Changes to the source media may occur

Q. Which statement is true of the Image Mounting function?
a. It is only available in FTK Imager, not in FTK
b. It is only available in FTK; not in FTK Imager
c. An image can't be mounted as read-only
d. A mounted Macintosh HFS+ file system can be navigated in Windows

Q. What file extension will result from creating a Custom Content Image in FTK Imager?
a. AFF
b. CC1
c. AD1
d. L01

Q. Registry Viewer has which function also found in FTK and FTK Imager?
a. Image Mounting
b. Hex Value Interpreter
c. Reports in HTML format
d. Indexed Search

Q. When using Registry Viewer to view a key with 20 values, what option can be used to display only 5 of the 20 values in a report?
a. Add to Report With Children
b. Report
c. Special Reports
d. Summary Report

Q. The last 4 digits of a used SID would be displayed in which Registry Viewer pane?
a. Properties pane
b. Hive/Key pane
c. Hex Viewer pane
d. Key Values pane

Part 1: http://e-forense.blogspot.com/2014/03/a30-327-ftk-accessdata-certified.HTML
Part 3: http://e-forense.blogspot.com/2014/03/a30-327-ftk-accessdata-certified_12.html
Part 4: http://e-forense.blogspot.com/2014/03/a30-327-ftk-accessdata-certified_13.html
Part 5: http://e-forense.blogspot.com/2014/03/a30-327-ftk-accessdata-certified_14.HTML
Part 6: http://e-forense.blogspot.com/2014/03/a30-327-ftk-accessdata-certified_28.HTML
Part 7: http://e-forense.blogspot.com/2014/03/a30-327-ftk-accessdata-certified_6649.HTML
Part 8: http://e-forense.blogspot.com/2014/03/q.HTML
Part 9: http://e-forense.blogspot.com/2014/03/a30-327-ftk-accessdata-certified_31.HTML
Part 10: http://e-forense.blogspot.com/2014/04/a30-327-ftk-accessdata-certified.HTML
Part 11: http://e-forense.blogspot.com/2014/04/a30-327-ftk-accessdata-certified_3.html
