A30-327 AccessData Certified Examiner exam questions:

NEW QUESTION 1
Which file should be selected to open an existing case in FTK?

  • A. ftk.exe
  • B. case.ini
  • C. case.dat
  • D. isobuster.dll

Answer: C

NEW QUESTION 2
Which type of evidence can be added to FTK Imager?

  • A. individual files
  • B. all checked items
  • C. contents of a folder
  • D. all currently listed items

Answer: C

NEW QUESTION 3
Which pattern does the following regular expression recover?
(\d{4}[- ]){3}\d{4}

  • A. 000-000-0000
  • B. ddd-4-3-dddd-4-3
  • C. 000-00000-000-ABC
  • D. 0000-0000-0000-0000

Answer: D

NEW QUESTION 4
Which statement is true about using FTK Imager to simultaneously create multiple images of a single source?

  • A. In the Image Creation Wizard, you should select the Add Additional Drives option.
  • B. You should use the Create Multiple Images option to create server image objects.
  • C. You should note the evidence item source signature and add it to the Image View pane.
  • D. In the Image Creation Wizard, you should add multiple destination jobs from the same source prior to beginning image creation.

Answer: D

NEW QUESTION 5
You successfully export and create a file hash list while using FTK Imager. Which three pieces of information are included in this file? (Choose three.)

  • A. MD5
  • B. SHA1
  • C. filename
  • D. record date
  • E. date modified

Answer: ABC

NEW QUESTION 6
In FTK, which two formats can be used to export an E-mail message? (Choose two.)

  • A. raw format
  • B. XML format
  • C. PDF format
  • D. HTML format
  • E. binary format

Answer: AD

NEW QUESTION 7
What are three types of evidence that can be added to a case in FTK? (Choose three.)

  • A. local drive
  • B. registry MRU list
  • C. contents of a folder
  • D. acquired image of a drive
  • E. compressed volume files (CVFs)

Answer: ACD

NEW QUESTION 8
Which three items are contained in an Image Summary File using FTK Imager? (Choose three.)

  • A. MD5
  • B. CRC
  • C. SHA1
  • D. Sector Count
  • E. Cluster Count

Answer: ACD

NEW QUESTION 9
Which two statements are true? (Choose two.)

  • A. PRTK can recover Windows logon passwords.
  • B. PRTK must run in conjunction with DNA workers to decrypt EFS files.
  • C. PRTK and FTK must be installed on the same machine to decrypt EFS files.
  • D. EFS files must be exported from a case and provided to PRTK for decryption.

Answer: AC

NEW QUESTION 10
Which statement is true about using FTK Imager to export a folder and its subfolders?

  • A. Exporting a folder will copy all its subfolders.
  • B. Each subfolder must be exported individually.
  • C. Exporting a folder copies only the folder without any files.
  • D. Exporting a folder will copy all subfolders without the system attribute.

Answer: A

NEW QUESTION 11
When using PRTK to attack encrypted files exported from a case, which statement is true?

  • A. PRTK will request the user access control list from FTK.
  • B. PRTK will generate temporary copies of decrypted files for printing.
  • C. FTK will stop all active jobs to allow PRTK to decrypt the exported files.
  • D. File hash values will change when they are saved in their decrypted format.
  • E. Additional interoperability between PRTK and NTAccess becomes available when files begin decrypting.

Answer: D

NEW QUESTION 12
Click the Exhibit button.
You need to search for specific data that are located in a Microsoft Word document. You do not know the exact spelling of this data. Using the Index Search Options as displayed in the exhibit, which changes do you make in the Broadening Options and Search Limiting Options containers?

  • A. check the Fuzzy box; check the File Name Pattern box; type *.doc in the pattern container
  • B. check the Stemming box; check the File Name Pattern box; type *.doc in the pattern container
  • C. check the Synonym box; check the File Name Pattern box; type *.doc in the pattern container
  • D. check the Stemming box; check the File Name Pattern box; type %.doc in the pattern container

Answer: A

NEW QUESTION 13
When previewing a physical drive on a local machine with FTK Imager, which statement is true?

  • A. FTK Imager can block calls to interrupt 13h and prevent writes to suspect media.
  • B. FTK Imager can operate from a USB drive, thus preventing writes to suspect media.
  • C. FTK Imager can operate via a DOS boot disk, thus preventing writes to suspect media.
  • D. FTK Imager should always be used in conjunction with a hardware write protect device to prevent writes to suspect media.

Answer: D

NEW QUESTION 14
You create two evidence images from the suspect's drive: suspect.E01 and suspect.001. You want to be able to verify that the image hash values are the same for suspect.E01 and suspect.001 image files. Which file has the hash value for the Raw (dd) image?

  • A. suspect.001.txt
  • B. suspect.E01.txt
  • C. suspect.001.csv
  • D. suspect.E01.csv

Answer: A

NEW QUESTION 15
Using the FTK Report Wizard, which two options are available in the List by File Path window? (Choose two.)

  • A. List File Properties
  • B. Export to the Report
  • C. Apply a Filter to the List
  • D. Include Registry Viewer Reports

Answer: BC

NEW QUESTION 16
Which two Registry Viewer operations can be conducted from FTK? (Choose two.)

  • A. list SAM file account names in FTK
  • B. view all registry files from within FTK
  • C. create subitems of individual keys for FTK
  • D. export a registry report to the FTK case report

Answer: BD

NEW QUESTION 17
You are using FTK to process e-mail files. In which two areas can E-mail attachments be located? (Choose two.)

  • A. the E-mail tab
  • B. the From E-mail container in the Overview tab
  • C. the Evidence Items container in the Overview tab
  • D. the E-mail Messages container in the Overview tab

Answer: AB

NEW QUESTION 18
When adding data to FTK, which statement about DriveFreeSpace is true?

  • A. Mastered
  • B. Not Mastered

Answer: A

NEW QUESTION 19
What is the most effective method to facilitate successful password recovery?

  • A. Mastered
  • B. Not Mastered

Answer: A

NEW QUESTION 20
During the execution of a search warrant, you image a suspect drive using FTK Imager and store the Raw (dd) image files on a portable drive. Later, these files are transferred to a server for storage. How do you verify that the information stored on the server is unaltered?

  • A. open and view the Summary file
  • B. load the image into FTK and it automatically performs file verification
  • C. in FTK Imager, use the Verify Drive/Image function to automatically compare a calculated hash with a stored hash
  • D. use FTK Imager to create a verification hash and manually compare that value to the value stored in the Summary file

Answer: D

NEW QUESTION 21
Which statement is true about Processes to Perform in FTK?

  • A. Processing options can be chosen only when adding evidence.
  • B. Processing options can be chosen during or after adding evidence.
  • C. Processing options can be chosen only after evidence has been added.
  • D. If processing is not performed while adding evidence, the case must be started again.

Answer: B

NEW QUESTION 22
When using FTK Imager to preview a physical drive, which number is assigned to the first logical volume of an extended partition?

  • A. 2
  • B. 3
  • C. 4
  • D. 5

Answer: D
