Renew A30-327 Dump 2021

NEW QUESTION 1
Which Registry Viewer function would allow you to automatically document multiple unknown user names?

• A. Add to Report
• B. Export User List
• C. Add to Report with Children
• D. Summary Report with Wildcard

Answer: D

NEW QUESTION 2
You examine evidence and flag several graphic images found in different folders. You now want to bookmark these items into a single bookmark. Which tab in FTK do you use to view only the flagged thumbnails?

• A. Explore tab
• B. Graphics tab
• C. Overview tab
• D. Bookmark tab

Answer: C

NEW QUESTION 3
Which data in the Registry can the Registry Viewer translate for the user? (Choose three.)

• A. calculate MD5 hashes of individual keys
• B. translate the MRUs in chronological order
• C. present data stored in null terminated keys
• D. present the date and time of each typed URL
• E. View Protected Storage System Provider (PSSP) data

Answer: BCE

NEW QUESTION 4
A. E01 files

• A. raw (dd) image files
• B. SafeBack version 2.2 image files
• C. SafeBack version 3.0 image files
• D. Symantec Ghost compressed image files

Answer: ABC

NEW QUESTION 5
Which pattern does the following regular expression recover?
(d{4}[- ]){3}d{4}

• A. 000-000-0000
• B. ddd-4-3-dddd-4-3
• C. 000-00000-000-ABC
• D. 0000-0000-0000-0000

Answer: D

NEW QUESTION 6
During the execution of a search warrant, you image a suspect drive using FTK Imager and store the Raw(dd) image files on a portable drive. Later, these files are transferred to a server for storage. How do you verify that the information stored on the server is unaltered?

• A. open and view the Summary file
• B. load the image into FTK and it automatically performs file verification
• C. in FTK Imager, use the Verify Drive/Image function to automatically compare a calculatedhash with a stored hash
• D. use FTK Imager to create a verification hash and manually compare that value to the valuestored in the Summary file

Answer: D

NEW QUESTION 7
When adding data to FTK, which statement about DriveFreeSpace is true?

• A. Mastered
• B. Not Mastered

Answer: A

NEW QUESTION 8
Using the FTK Report Wizard, which two options are available in the List by File Path window? (Choose two.)

• A. List File Properties
• B. Export to the Report
• C. Apply a Filter to the List
• D. Include Registry Viewer Reports

Answer: BC

NEW QUESTION 9
When previewing a physical drive on a local machine with FTK Imager, which statement is true?

• A. FTK Imager can block calls to interrupt 13h and prevent writes to suspect media.
• B. FTK Imager can operate from a USB drive, thus preventing writes to suspect media.
• C. FTK Imager can operate via a DOS boot disk, thus preventing writes to suspect media.
• D. FTK Imager should always be used in conjunction with a hardware write protect device toprevent writes to suspect media.

Answer: D

NEW QUESTION 10
Click the Exhibit button.
When decrypting EFS files in a case, you receive the result shown in the exhibit. What is the most plausible explanation for this result?

• A. The encrypted file was corrupt.
• B. A different user encrypted the remaining encrypted file.
• C. The hash value of the remaining encrypted file did not match.
• D. The remaining encrypted file had previously been bookmarked.
• E. An incorrect CRC value for the $EFS certificate was applied by the user.

Answer: B

NEW QUESTION 11
You currently store alternate hash libraries on a remote server. Where do you configure FTK to access these files rather than the default library, ADKFFLibrary.hdb?

• A. Preferences
• B. User Options
• C. Analysis Tools
• D. Import KFF Hashes

Answer: A

NEW QUESTION 12
Using the FTK Report Wizard, which two options are available in the Bookmarks - A window? (Choose two.)

• A. Apply a filter to the list
• B. Group all filenames at end of report
• C. Yes, include all graphics in the case
• D. No, do not include a bookmark section
• E. Export full-size graphics and link them to the thumbnails

Answer: DE

NEW QUESTION 13
You have processed a case in FTK using all the default options. The investigator supplies you with a list of 400 names in an electronic format. What is the quickest way to search
unallocated space for all of these names?

• A. build a dtSearch string with all 400 names
• B. create a Regular Expression with all the names
• C. make an imported text file of the names in Live Search
• D. use an imported text file containing the names in Indexed Search

Answer: D

NEW QUESTION 14
You want to search for two words within five words of each other. Which search request would accomplish this function?

• A. apple by pear w/5
• B. June near July w/5
• C. supernova w/5 cassiopeia
• D. supernova by cassiopeia w/5

Answer: C

NEW QUESTION 15
FTK Imager allows a user to convert a Raw (dd) image into which two formats? (Choose two.)

• A. E01
• B. Ghost
• C. SMART
• D. SafeBack

Answer: AC

NEW QUESTION 16
You are converting one image file format to another using FTK Imager. Why are the hash values of the original image and the resulting new image the same?

• A. because FTK Imager's progress bar tracks the conversion
• B. because FTK Imager verifies the amount of data converted
• C. because FTK Imager compares the elapsed time of conversion
• D. because FTK Imager hashes only the data during the conversion

Answer: D

NEW QUESTION 17
After creating a case, the Encrypted Files container lists EFS files. However, no decrypted
sub- items are present. All other necessary components for EFS decryption are present in the case. Which two files must be used to recover the EFS password for use in FTK? (Choose two.)

• A. SAM
• B. system
• C. SECURITY
• D. Master Key
• E. FEK Certificate

Answer: AB

NEW QUESTION 18
In FTK, when you view the Total File Items container (rather than the Actual Files container), why are there more items than files?

• A. Total File Items includes files that are in archive files, while Actual Files does not.
• B. Total File Items includes all unfiltered files while Actual Files includes only checked files.
• C. Total File Items includes all KFF Ignorables while Actual Files includes only the KFF Alerts.
• D. Total File Items includes files that are in the Graphics and E-Mail tabs, while Actual Files only includes files in the Graphics tab while excluding attachments in the E-mail tab.

Answer: A

NEW QUESTION 19
What is the most effective method to facilitate successful password recovery?

• A. Mastered
• B. Not Mastered

Answer: A

NEW QUESTION 20
To obtain protected files on a live machine with FTK Imager, which evidence item should be added?

• A. image file
• B. currently booted drive
• C. server object settings
• D. profile access control list

Answer: B

NEW QUESTION 21
A. highlight the data and select the Hex Value Interpreter tab

• A. highlight the data, right-click on the highlighted data and select the Show Hex Interpreter Window
• B. select the Hex Value Interpreter tab, highlight the data, right-click on the data to initiate theHex Interpreter
• C. right-click on the data area and select the Show Hex Interpreter Window and highlight thedata you want to interpret

Answer: B

NEW QUESTION 22
When using FTK Imager to preview a physical drive, which number is assigned to the first logical volume of an extended partition?

• A. 2
• B. 3
• C. 4
• D. 5

Answer: D

NEW QUESTION 23
You used FTK Imager to create several hash list files. You view the location where the files were exported. What is the file extension type for these files?

• A. .txt = ASCII Text File
• B. .dif = Data Interchange Format
• C. .prn = Formatted Text Delimited
• D. .csv = Comma Separated Values

Answer: D

NEW QUESTION 24
......