AccessData A30-327
AccessData Certified Examiner Version: 1.0
AccessData A30-327 Exam
QUESTION NO: 1
Which three items are displayed in FTK Imager for an individual file in the Properties window? (Choose three.)
A. flags
B. filename
C. hash set
D. timestamps
E. item number
Answer: A,B,D
QUESTION NO: 2
In FTK, which search broadening option allows you to find grammatical variations of the word "kill" such as "killer," "killed," and "killing"?
A. Phonic
B. Synonym
C. Stemming
D. Fuzzy Logic
Answer: C
QUESTION NO: 3
When using FTK Imager to preview a physical drive, which number is assigned to the first logical volume of an extended partition?
A. 2
B. 3
C. 4
D. 5
Answer: D
QUESTION NO: 4
When previewing a physical drive on a local machine with FTK Imager, which statement is true?
A. FTK Imager can block calls to interrupt 13h and prevent writes to suspect media.
B. FTK Imager can operate from a USB drive, thus preventing writes to suspect media.
C. FTK Imager can operate via a DOS boot disk, thus preventing writes to suspect media.
D. FTK Imager should always be used in conjunction with a hardware write protect device to prevent writes to suspect media.
Answer: D
"Pass Any Exam. Any Time." - www.actualtests.com
QUESTION NO: 5
Which type of evidence can be added to FTK Imager?
A. individual files
B. all checked items
C. contents of a folder
D. all currently listed items
Answer: C
QUESTION NO: 6
To obtain protected files on a live machine with FTK Imager, which evidence item should be added?
A. image file
B. currently booted drive
C. server object settings
D. profile access control list
Answer: B
QUESTION NO: 7
What are three image file formats that can be read by FTK Imager? (Choose three.)
A. E01 files
B. raw (dd) image files
C. SafeBack version 2.2 image files
D. SafeBack version 3.0 image files
E. Symantec Ghost compressed image files
Answer: A,B,C
QUESTION NO: 8
Which statement is true about using FTK Imager to simultaneously create multiple images of a single source?
A. In the Image Creation Wizard, you should select the Add Additional Drives option.
B. You should use the Create Multiple Images option to create server image objects.
C. You should note the evidence item source signature and add it to the Image View pane.
D. In the Image Creation Wizard, you should add multiple destination jobs from the same source prior to beginning image creation.
Answer: D
QUESTION NO: 9
FTK Imager allows a user to convert a Raw (dd) image into which two formats? (Choose two.)
A. E01
B. Ghost
C. SMART
D. SafeBack
Answer: A,C
QUESTION NO: 10
You are converting one image file format to another using FTK Imager. Why are the hash values of the original image and the resulting new image the same?
A. because FTK Imager's progress bar tracks the conversion
B. because FTK Imager verifies the amount of data converted
C. because FTK Imager compares the elapsed time of conversion
D. because FTK Imager hashes only the data during the conversion
Answer: D
QUESTION NO: 11
How can you use FTK Imager to obtain registry files from a live system?
A. You use the Export Files option.
B. You use the Advanced Recovery option.
C. Registry files cannot be exported from a live system.
D. You use the Protected Storage System Provider option.
Answer: A
QUESTION NO: 12
Which statement is true about using FTK Imager to export a folder and its subfolders?
A. Exporting a folder will copy all its subfolders.
B. Each subfolder must be exported individually.
C. Exporting a folder copies only the folder without any files.
D. Exporting a folder will copy all subfolders without the system attribute.
Answer: A
QUESTION NO: 13
You used FTK Imager to create several hash list files. You view the location where the files were exported. What is the file extension type for these files?
A. .txt = ASCII Text File
B. .dif = Data Interchange Format
C. .prn = Formatted Text Delimited
D. .csv = Comma Separated Values
Answer: D
QUESTION NO: 14
You create two evidence images from the suspect's drive: suspect.E01 and suspect.001. You want to be able to verify that the image hash values are the same for the suspect.E01 and suspect.001 image files. Which file has the hash value for the Raw (dd) image?
A. suspect.001.txt
B. suspect.E01.txt
C. suspect.001.csv
D. suspect.E01.csv
Answer: A
QUESTION NO: 15
You successfully export and create a file hash list while using FTK Imager. Which three pieces of information are included in this file? (Choose three.)
A. MD5
B. SHA1
C. filename
D. record date
E. date modified
Answer: A,B,C
QUESTION NO: 16
During the execution of a search warrant, you image a suspect drive using FTK Imager and store the Raw (dd) image files on a portable drive. Later, these files are transferred to a server for storage. How do you verify that the information stored on the server is unaltered?
A. open and view the Summary file
B. load the image into FTK and it automatically performs file verification
C. in FTK Imager, use the Verify Drive/Image function to automatically compare a calculated hash with a stored hash
D. use FTK Imager to create a verification hash and manually compare that value to the value stored in the Summary file
Answer: D
QUESTION NO: 17
Which three items are contained in an Image Summary File using FTK Imager? (Choose three.)
A. MD5
B. CRC
C. SHA1
D. Sector Count
E. Cluster Count
Answer: A,C,D
QUESTION NO: 18
Which two image formats contain an embedded hash value for file verification? (Choose two.)
A. E01
B. S01
C. ISO
D. CUE
E. 001 (dd)
Answer: A,B
QUESTION NO: 19
While analyzing unallocated space, you locate what appears to be a 64-bit Windows date and time. Which FTK Imager feature allows you to display the information as a date and time?
A. INFO2 Filter
B. Base Converter
C. Metadata Parser
D. Hex Value Interpreter
Answer: D
QUESTION NO: 20
In which Overview tab container are HTML files classified?
A. Archive container
B. Java Code container
C. Documents container
D. Internet Files container
Answer: C
QUESTION NO: 21
When adding data to FTK, which statement about DriveFreeSpace is true?
A. DriveFreeSpace is merged with deleted files.
B. DriveFreeSpace is segmented into 10 megabyte items.
C. DriveFreeSpace is truncated, based on the size of the case.dat file.
D. DriveFreeSpace is classified with file slack items in the Overview tab.
Answer: D
QUESTION NO: 22
You are using FTK to process e-mail files. In which two areas can e-mail attachments be located? (Choose two.)
A. the E-mail tab
B. the From E-mail container in the Overview tab
C. the Evidence Items container in the Overview tab
D. the E-mail Messages container in the Overview tab
Answer: A,B
QUESTION NO: 23
In FTK, which tab provides specific information on the evidence items, file items, file status and file category?
A. E-mail tab
B. Explore tab
C. Overview tab
D. Graphics tab
Answer: C
QUESTION NO: 24
In FTK, you navigate to the Graphics tab at the Case level and you do not see any graphics. What should you do to see all graphics in the case?
A. list all descendants
B. run the graphic files filter
C. check all items in the current list
D. select the Graphics container button
Answer: A
QUESTION NO: 25
In FTK, which two formats can be used to export an E-mail message? (Choose two.)
A. raw format
B. XML format
C. PDF format
D. HTML format
E. binary format
Answer: A,D
QUESTION NO: 26
In FTK, when you view the Total File Items container (rather than the Actual Files container), why are there more items than files?
A. Total File Items includes files that are in archive files, while Actual Files does not.
B. Total File Items includes all unfiltered files while Actual Files includes only checked files.
C. Total File Items includes all KFF Ignorables while Actual Files includes only the KFF Alerts.
D. Total File Items includes files that are in the Graphics and E-Mail tabs, while Actual Files only includes files in the Graphics tab while excluding attachments in the E-mail tab.
Answer: A
QUESTION NO: 27
Which statement is true about Processes to Perform in FTK?
A. Processing options can be chosen only when adding evidence.
B. Processing options can be chosen during or after adding evidence.
C. Processing options can be chosen only after evidence has been added.
D. If processing is not performed while adding evidence, the case must be started again.
Answer: B
QUESTION NO: 28
What are three types of evidence that can be added to a case in FTK? (Choose three.)
A. local drive
B. registry MRU list
C. contents of a folder
D. acquired image of a drive
E. compressed volume files (CVFs)
Answer: A,C,D
QUESTION NO: 29
You want to search for two words within five words of each other. Which search request would accomplish this function?
A. apple by pear w/5
B. June near July w/5
C. supernova w/5 cassiopeia
D. supernova by cassiopeia w/5
Answer: C
QUESTION NO: 30
Click the Exhibit button.
You need to search for specific data that are located in a Microsoft Word document. You do not know the exact spelling of this data. Using the Index Search Options as displayed in the exhibit, which changes do you make in the Broadening Options and Search Limiting Options containers?
A. check the Fuzzy box; check the File Name Pattern box; type *.doc in the pattern container
B. check the Stemming box; check the File Name Pattern box; type *.doc in the pattern container
C. check the Synonym box; check the File Name Pattern box; type *.doc in the pattern container
D. check the Stemming box; check the File Name Pattern box; type %.doc in the pattern container
Answer: A
QUESTION NO: 31
You have processed a case in FTK using all the default options. The investigator supplies you with a list of 400 names in an electronic format. What is the quickest way to search unallocated space for all of these names?
A. build a dtSearch string with all 400 names
B. create a Regular Expression with all the names
C. make an imported text file of the names in Live Search
D. use an imported text file containing the names in Indexed Search
Answer: D
QUESTION NO: 32
Which pattern does the following regular expression recover? (\d{4}[\- ]){3}\d{4}
A. 000-000-0000
B. ddd-4-3-dddd-4-3
C. 000-00000-000-ABC
D. 0000-0000-0000-0000
Answer: D
QUESTION NO: 33
You examine evidence and flag several graphic images found in different folders. You now want to bookmark these items into a single bookmark. Which tab in FTK do you use to view only the flagged thumbnails?
A. Explore tab
B. Graphics tab
C. Overview tab
D. Bookmark tab
Answer: C
QUESTION NO: 34
Click the Exhibit button.
What change do you make to the file filter shown in the exhibit in order to show only graphics with a logical size between 500 kilobytes and 10 megabytes?
A. You change all file status items to a red circle.
B. You change all file status items to a yellow triangle.
C. You make no change. The filter is correct as shown.
D. You change Graphics in the File Type column to a yellow triangle.
Answer: D
QUESTION NO: 35
FTK uses Data Carving to find which three file types? (Choose three.)
A. JPEG files
B. Yahoo! Chat Archives
C. WPD (Word Perfect Documents)
D. Enhanced Windows Meta Files (EMF)
E. OLE Archive Files (Office Documents)
Answer: A,D,E
QUESTION NO: 36
You are asked to process a case using FTK and to produce a report that only includes selected graphics. What allows you to display only flagged graphics?
A. List by File Path
B. List File Properties
C. Graphic Thumbnails
D. Supplementary Files
Answer: C
QUESTION NO: 37
Which two options are available in the FTK Report Wizard? (Choose two.)
A. List by File Path
B. List File Properties
C. Include HTML File Listing
D. Include PRTK Output List
Answer: A,B
QUESTION NO: 38
Using the FTK Report Wizard, which two options are available in the List by File Path window? (Choose two.)
A. List File Properties
B. Export to the Report
C. Apply a Filter to the List
D. Include Registry Viewer Reports
Answer: B,C
QUESTION NO: 39
Using the FTK Report Wizard, which two options are available in the Bookmarks - A window? (Choose two.)
A. Apply a filter to the list
B. Group all filenames at end of report
C. Yes, include all graphics in the case
D. No, do not include a bookmark section
E. Export full-size graphics and link them to the thumbnails
Answer: D,E
QUESTION NO: 40
In Registry Viewer, which steps initiate the Hex Interpreter?
A. highlight the data and select the Hex Value Interpreter tab
B. highlight the data, right-click on the highlighted data and select the Show Hex Interpreter Window
C. select the Hex Value Interpreter tab, highlight the data, right-click on the data to initiate the Hex Interpreter
D. right-click on the data area and select the Show Hex Interpreter Window and highlight the data you want to interpret
Answer: B
QUESTION NO: 41
Which data in the Registry can the Registry Viewer translate for the user? (Choose three.)
A. calculate MD5 hashes of individual keys
B. translate the MRUs in chronological order
C. present data stored in null terminated keys
D. present the date and time of each typed URL
E. View Protected Storage System Provider (PSSP) data
Answer: B,C,E
QUESTION NO: 42
What are two functions of the Summary Report in Registry Viewer? (Choose two.)
A. adds individual key values
B. is a template for other registry files
C. displays investigator keyword search results
D. permits searching of registry values based on key headers
Answer: A,B
QUESTION NO: 43
When using Registry Viewer to view a key with 20 values, what option can be used to display only 5 of the 20 values in a report?
A. Report
B. Special Reports
C. Summary Report
D. Add to Report With Children
Answer: C
QUESTION NO: 44
You view a registry file in Registry Viewer. You want to create a report which includes items that you have marked "Add to Report." Which Registry Viewer option accomplishes this task?
A. Common Areas
B. Generate Report
C. Define Summary Report
D. Manage Summary Reports
Answer: B
QUESTION NO: 45
Which Registry Viewer function would allow you to automatically document multiple unknown user names?
A. Add to Report
B. Export User List
C. Add to Report with Children
D. Summary Report with Wildcard
Answer: D
QUESTION NO: 46
In PRTK, which type of attack uses word lists?
A. dictionary attack
B. key space attack
C. brute-force attack
D. rainbow table attack
Answer: A
QUESTION NO: 47
What is the purpose of the Golden Dictionary?
A. maintains previously created level information
B. maintains previously created profile information
C. maintains a list of the 100 most likely passwords
D. maintains previously recovered passwords
Answer: D
QUESTION NO: 48
What is the most effective method to facilitate successful password recovery?
A. Art of War
B. Entropy Test
C. Advanced EFS Attack
D. Primary Dictionary Attack
Answer: A
QUESTION NO: 49
You are attempting to access data from the Protected Storage System Provider (PSSP) area of a registry. How do you accomplish this using PRTK?
A. You drop the SAM file onto the PRTK interface.
B. You drop the NTUSER.dat file onto the PRTK interface.
C. You use the PSSP Attack Marshal from Registry Viewer.
D. This area cannot be accessed with PRTK as it is a registry file.
Answer: B
QUESTION NO: 50
When using PRTK to attack encrypted files exported from a case, which statement is true?
A. PRTK will request the user access control list from FTK.
B. PRTK will generate temporary copies of decrypted files for printing.
C. FTK will stop all active jobs to allow PRTK to decrypt the exported files.
D. File hash values will change when they are saved in their decrypted format.
E. Additional interoperability between PRTK and NTAccess becomes available when files begin decrypting.
Answer: D
QUESTION NO: 51
In FTK, a user may alter the alert or ignore status of individual hash sets within the active KFF. Which utility is used to accomplish this?
A. KFF Alert Editor
B. ADKFF Library Selector
C. Hash Database File Selector
D. Hash Database Recovery Engine
Answer: A
QUESTION NO: 52
After creating a case, the Encrypted Files container lists EFS files. However, no decrypted sub-items are present. All other necessary components for EFS decryption are present in the case. Which two files must be used to recover the EFS password for use in FTK? (Choose two.)
A. SAM
B. system
C. SECURITY
D. Master Key
E. FEK Certificate
Answer: A,B
QUESTION NO: 53
Which two statements are true? (Choose two.)
A. PRTK can recover Windows logon passwords.
B. PRTK must run in conjunction with DNA workers to decrypt EFS files.
C. PRTK and FTK must be installed on the same machine to decrypt EFS files.
D. EFS files must be exported from a case and provided to PRTK for decryption.
Answer: A,C
QUESTION NO: 54
Click the Exhibit button.
When decrypting EFS files in a case, you receive the result shown in the exhibit. What is the most plausible explanation for this result?
A. The encrypted file was corrupt.
B. A different user encrypted the remaining encrypted file.
C. The hash value of the remaining encrypted file did not match.
D. The remaining encrypted file had previously been bookmarked.
E. An incorrect CRC value for the $EFS certificate was applied by the user.
Answer: B
QUESTION NO: 55
Which two Registry Viewer operations can be conducted from FTK? (Choose two.)
A. list SAM file account names in FTK
B. view all registry files from within FTK
C. create subitems of individual keys for FTK
D. export a registry report to the FTK case report
Answer: B,D
QUESTION NO: 56
FTK Imager can be invoked from within which program?
A. FTK
B. DNA
C. PRTK
D. Registry Viewer
Answer: A
QUESTION NO: 57
Into which two categories can an imported hash set be assigned? (Choose two.)
A. alert
B. ignore
C. contraband
D. system files
Answer: A,B
QUESTION NO: 58
What happens when a duplicate hash value is imported into a KFF database?
A. It will not be accepted.
B. It will be marked as a duplicate.
C. The database will be corrupted.
D. The database will hide the duplicate.
Answer: A
QUESTION NO: 59
You currently store alternate hash libraries on a remote server. Where do you configure FTK to access these files rather than the default library, ADKFFLibrary.hdb?
A. Preferences
B. User Options
C. Analysis Tools
D. Import KFF Hashes
Answer: A
QUESTION NO: 60
Which file should be selected to open an existing case in FTK?
A. ftk.exe
B. case.ini
C. case.dat
D. isobuster.dll
Answer: C