A30-327 Exam Questions

Which type of evidence can be added to FTK Imager?

To obtain protected files on a live machine with FTK Imager, which evidence item should be added?

What are three image file formats that can be read by FTK Imager? (Choose three.)

Which statement is true about using FTK Imager to simultaneously create multiple images of a single source?

FTK Imager allows a user to convert a Raw (dd) image into which two formats? (Choose two.)

You are converting one image file format to another using FTK Imager. Why are the hash values of the original image and the resulting new image the same?

How can you use FTK Imager to obtain registry files from a live system?

Which statement is true about using FTK Imager to export a folder and its subfolders?

You used FTK Imager to create several hash list files. You view the location where the files were exported. What is the file extension type for these files?

You create two evidence images from the suspect's drive: suspect.E01 and suspect.001. You want to be able to verify that the image hash values are the same for suspect.E01 and susp...

You successfully export and create a file hash list while using FTK Imager. Which three pieces of information are included in this file? (Choose three.)

During the execution of a search warrant, you image a suspect drive using FTK Imager and store the Raw (dd) image files on a portable drive. Later, these files are transferred to a...

Which three items are contained in an Image Summary File using FTK Imager? (Choose three.)

Which two image formats contain an embedded hash value for file verification? (Choose two.)

While analyzing unallocated space, you locate what appears to be a 64-bit Windows date and time. Which FTK Imager feature allows you to display the information as a date and time?

In which Overview tab container are HTML files classified?

When adding data to FTK, which statement about DriveFreeSpace is true?

You are using FTK to process e-mail files. In which two areas can E-mail attachments be located? (Choose two.)

In FTK, which tab provides specific information on the evidence items, file items, file status and file category?

In FTK, you navigate to the Graphics tab at the Case level and you do not see any graphics. What should you do to see all graphics in the case?

In FTK, which two formats can be used to export an E-mail message? (Choose two.)

In FTK, when you view the Total File Items container (rather than the Actual Files container), why are there more items than files?

Which statement is true about Processes to Perform in FTK?

What are three types of evidence that can be added to a case in FTK? (Choose three.)

You want to search for two words within five words of each other. Which search request would accomplish this function?

You need to search for specific data that are located in a Microsoft Word document. You do not know the exact spelling of this data. Using the Index Search Options as displayed in...

You have processed a case in FTK using all the default options. The investigator supplies you with a list of 400 names in an electronic format. What is the quickest way to search u...

Which pattern does the following regular expression recover? (\d{4})[\\]\)-](3)(\d{4})

You examine evidence and flag several graphic images found in different folders. You now want to bookmark these items into a single bookmark. Which tab in FTK do you use to view on...

What change do you make to the file filter shown in the exhibit in order to show only graphics with a logical size between 500 kilobytes and 10 megabytes?

FTK uses Data Carving to find which three file types? (Choose three.)

You are asked to process a case using FTK and to produce a report that only includes selected graphics. What allows you to display only flagged graphics?

Which two options are available in the FTK Report Wizard? (Choose two.)

Using the FTK Report Wizard, which two options are available in the List by File Path window? (Choose two.)

Using the FTK Report Wizard, which two options are available in the Bookmarks - A window? (Choose two.)

In Registry Viewer, which steps initiate the Hex Interpreter?

Which data in the Registry can the Registry Viewer translate for the user? (Choose three.)

What are two functions of the Summary Report in Registry Viewer? (Choose two.)

When using Registry Viewer to view a key with 20 values, what option can be used to display only 5 of the 20 values in a report?

You view a registry file in Registry Viewer. You want to create a report, which includes items that you have marked "Add to Report." Which Registry Viewer option accomplishes this...

Which Registry Viewer function would allow you to automatically document multiple unknown user names?

What is the purpose of the Golden Dictionary?

What is the most effective method to facilitate successful password recovery?

You are attempting to access data from the Protected Storage System Provider (PSSP) area of a registry. How do you accomplish this using PRTK?

When using PRTK to attack encrypted files exported from a case, which statement is true?

In FTK, a user may alter the alert or ignore status of individual hash sets within the active KFF. Which utility is used to accomplish this?

After creating a case, the Encrypted Files container lists EFS files. However, no decrypted sub- items are present. All other necessary components for EFS decryption are present in...

Which two statements are true? (Choose two.)

When decrypting EFS files in a case, you receive the result shown in the exhibit. What is the most plausible explanation for this result?

Which two Registry Viewer operations can be conducted from FTK? (Choose two.)