A30-327 Online Practice Questions and Answers

When previewing a physical drive on a local machine with FTK Imager, which statement is true?

A. FTK Imager can block calls to interrupt 13h and prevent writes to suspect media.

B. FTK Imager can operate from a USB drive, thus preventing writes to suspect media.

C. FTK Imager can operate via a DOS boot disk, thus preventing writes to suspect media.

D. FTK Imager should always be used in conjunction with a hardware write protect device to prevent writes to suspect media.

You are converting one image file format to another using FTK Imager. Why are the hash values of the original image and the resulting new image the same?

A. because FTK Imager's progress bar tracks the conversion

B. because FTK Imager verifies the amount of data converted

C. because FTK Imager compares the elapsed time of conversion

D. because FTK Imager hashes only the data during the conversion

Which two image formats contain an embedded hash value for file verification? (Choose two.)

A. E01

B. S01

C. ISO

D. CUE

E. 001 (dd)

Which pattern does the following regular expression recover? (\d{4}[\- ]){3}\d{4}

A. 000-000-0000

B. ddd-4-3-dddd-4-3

C. 000-00000-000-ABC

D. 0000-0000-0000-0000

What are two functions of the Summary Report in Registry Viewer? (Choose two.)

A. adds individual key values

B. is a template for other registry files

C. displays investigator keyword search results

D. permits searching of registry values based on key headers

When using Registry Viewer to view a key with 20 values, what option can be used to display only 5 of the 20 values in a report?

A. Report

B. Special Reports

C. Summary Report

D. Add to ReportWith Children

You are attempting to access data from the Protected Storage System Provider (PSSP) area of a registry.

How do you accomplish this using PRTK?

A. You drop the SAM file onto the PRTK interface.

B. You drop the NTUSER.dat file onto the PRTK interface.

C. You use the PSSP Attack Marshal from Registry Viewer.

D. This area can not be accessed with PRTK as it is a registry file.

Which two Registry Viewer operations can be conducted from FTK? (Choose two.)

A. list SAM file account names in FTK

B. view all registry files from within FTK

C. createsubitems of individual keys for FTK

D. export a registry report to the FTK case report

What happens when a duplicate hash value is imported into a KFF database?

A. It will not be accepted.

B. It will be marked as a duplicate.

C. The database will be corrupted.

D. The database will hide the duplicate.

You currently store alternate hash libraries on a remote server.

Where do you configure FTK to access these files rather than the default library, ADKFFLibrary.hdb?

A. Preferences

B. User Options

C. Analysis Tools

D. Import KFF Hashes