Guaranteed A30-327 Interactive Bootcamp 2021

NEW QUESTION 1
In FTK, which search broadening option allows you to find grammatical variations of the word "kill" such as "killer," "killed," and "killing"?

• A. Phonic
• B. Synonym
• C. Stemming
• D. Fuzzy Logic

Answer: C

NEW QUESTION 2
You are attempting to access data from the Protected Storage System Provider (PSSP) area of a registry. How do you accomplish this using PRTK?

• A. You drop the SAM file onto the PRTK interface.
• B. You drop the NTUSER.dat file onto the PRTK interface.
• C. You use the PSSP Attack Marshal from Registry Viewer.
• D. This area can not be accessed with PRTK as it is a registry file.

Answer: B

NEW QUESTION 3
You have processed a case in FTK using all the default options. The investigator supplies you with a list of 400 names in an electronic format. What is the quickest way to search
unallocated space for all of these names?

• A. build a dtSearch string with all 400 names
• B. create a Regular Expression with all the names
• C. make an imported text file of the names in Live Search
• D. use an imported text file containing the names in Indexed Search

Answer: D

NEW QUESTION 4
You examine evidence and flag several graphic images found in different folders. You now want to bookmark these items into a single bookmark. Which tab in FTK do you use to view only the flagged thumbnails?

• A. Explore tab
• B. Graphics tab
• C. Overview tab
• D. Bookmark tab

Answer: C

NEW QUESTION 5
Which two statements are true? (Choose two.)

• A. PRTK can recover Windows logon passwords.
• B. PRTK must run in conjunction with DNA workers to decrypt EFS files.
• C. PRTK and FTK must be installed on the same machine to decrypt EFS files.
• D. EFS files must be exported from a case and provided to PRTK for decryption.

Answer: AC

NEW QUESTION 6
Which statement is true about using FTK Imager to export a folder and its subfolders?

• A. Exporting a folder will copy all its subfolders.
• B. Each subfolder must be exported individually.
• C. Exporting a folder copies only the folder without any files.
• D. Exporting a folder will copy all subfolders without the system attribute.

Answer: A

NEW QUESTION 7
Click the Exhibit button.
When decrypting EFS files in a case, you receive the result shown in the exhibit. What is the most plausible explanation for this result?

• A. The encrypted file was corrupt.
• B. A different user encrypted the remaining encrypted file.
• C. The hash value of the remaining encrypted file did not match.
• D. The remaining encrypted file had previously been bookmarked.
• E. An incorrect CRC value for the $EFS certificate was applied by the user.

Answer: B

NEW QUESTION 8
When adding data to FTK, which statement about DriveFreeSpace is true?

• A. Mastered
• B. Not Mastered

Answer: A

NEW QUESTION 9
Which type of evidence can be added to FTK Imager?

• A. individual files
• B. all checked items
• C. contents of a folder
• D. all currently listed items

Answer: C

NEW QUESTION 10
You create two evidence images from the suspect's drive: suspect.E01 and suspect.001. You want to be able to verify that the image hash values are the same for suspect.E01 and
suspect.001 image files. Which file has the hash value for the Raw (dd) image?

• A. suspect.001.txt
• B. suspect.E01.txt
• C. suspect.001.csv
• D. suspect.E01.csv

Answer: A

NEW QUESTION 11
How can you use FTK Imager to obtain registry files from a live system?

• A. You use the Export Files option.
• B. You use the Advanced Recovery option.
• C. Registry files cannot be exported from a live system.
• D. You use the Protected Storage System Provider option.

Answer: A

NEW QUESTION 12
Which data in the Registry can the Registry Viewer translate for the user? (Choose three.)

• A. calculate MD5 hashes of individual keys
• B. translate the MRUs in chronological order
• C. present data stored in null terminated keys
• D. present the date and time of each typed URL
• E. View Protected Storage System Provider (PSSP) data

Answer: BCE

NEW QUESTION 13
You are converting one image file format to another using FTK Imager. Why are the hash values of the original image and the resulting new image the same?

• A. because FTK Imager's progress bar tracks the conversion
• B. because FTK Imager verifies the amount of data converted
• C. because FTK Imager compares the elapsed time of conversion
• D. because FTK Imager hashes only the data during the conversion

Answer: D

NEW QUESTION 14
Using the FTK Report Wizard, which two options are available in the List by File Path window? (Choose two.)

• A. List File Properties
• B. Export to the Report
• C. Apply a Filter to the List
• D. Include Registry Viewer Reports

Answer: BC

NEW QUESTION 15
In FTK, you navigate to the Graphics tab at the Case level and you do not see any graphics. What should you do to see all graphics in the case?

• A. list all descendants
• B. run the graphic files filter
• C. check all items in the current list
• D. select the Graphics container button

Answer: A

NEW QUESTION 16
Which pattern does the following regular expression recover?
(d{4}[- ]){3}d{4}

• A. 000-000-0000
• B. ddd-4-3-dddd-4-3
• C. 000-00000-000-ABC
• D. 0000-0000-0000-0000

Answer: D

NEW QUESTION 17
What are two functions of the Summary Report in Registry Viewer? (Choose two.)

• A. Mastered
• B. Not Mastered

Answer: A

NEW QUESTION 18
Click the Exhibit button.
You need to search for specific data that are located in a Microsoft Word document. You do not know the exact spelling of this datA. Using the Index Search Options as displayed in the exhibit, which changes do you make in the Broadening Options and Search Limiting Options containers?

• A. check the Fuzzy box;check the File Name Pattern box; type *.doc in the pattern container
• B. check the Stemming box; check the File Name Pattern box; type *.doc in the pattern container
• C. check the Synonym box; check the File Name Pattern box; type *.doc in the pattern container
• D. check the Stemming box; check the File Name Pattern box;type %.doc in the pattern container

Answer: A

NEW QUESTION 19
To obtain protected files on a live machine with FTK Imager, which evidence item should be added?

• A. image file
• B. currently booted drive
• C. server object settings
• D. profile access control list

Answer: B

NEW QUESTION 20
Which Registry Viewer function would allow you to automatically document multiple unknown user names?

• A. Add to Report
• B. Export User List
• C. Add to Report with Children
• D. Summary Report with Wildcard

Answer: D

NEW QUESTION 21
You want to search for two words within five words of each other. Which search request would accomplish this function?

• A. apple by pear w/5
• B. June near July w/5
• C. supernova w/5 cassiopeia
• D. supernova by cassiopeia w/5

Answer: C

NEW QUESTION 22
......