nerdexam
Guidance_Software

GD0-110 · Question #103

GD0-110 Question #103: Real Exam Question with Answer & Explanation

The correct answer is A. Yes, because the chk1.dll file was moved and renamed.. See the full explanation below for the reasoning.

Question

You are investigating a case involving fraud. You seized a computer from a suspect who stated that the computer is not used by anyone other than himself. The computer has Windows 98 installed on the hard drive. You find the filename C:\downloads\check01.jpg?that EnCase shows as being moved. The starting extent is 0C4057. You find another filename C:\downloads\chk1.dll with the starting extent 0C4057, which EnCase also shows as being moved. In the C:\windows\System folder you find an allocated file named chk1.dll with the starting extent 0C4057. The chk1.dll file is a JPEG image of a counterfeit check. Could this information be used to refute the suspect claim that he never knew it was on the computer?

Options

  • AYes, because the chk1.dll file was moved and renamed.
  • BNo, because the Windows operating system likely moved and renamed the chk1.dll file during
  • CNo, because the chk1.dll file has no evidentiary value.
  • DYes, because the ch1.dll is all the evidence required to prove the case.

Community Discussion

No community discussion yet for this question.

Sign up to join the discussion
Full GD0-110 Practice