FREE CHFI (312-49) Questions and Answers


The link between the four panes of the EnCase interface reflects the cyclical nature of the process of reviewing obtained evidence. Which of the following panes displays an organized view of all acquired evidence in a folder hierarchy similar to Windows?

Correct! Wrong!

The pane that represents a structured view of all gathered evidence in a Windows-like folder hierarchy in the EnCase interface is the "Tree pane."

The Tree pane provides a hierarchical representation of the acquired evidence, similar to the file system structure found in Windows operating systems. It displays folders, directories, and subdirectories in a tree-like structure, allowing investigators to navigate and explore the acquired data in a familiar and organized manner.

You can access and examine a large portion of the Registry's data during live response, and all of it during post-mortem analysis. Which registry Hive in the system stores configuration data connected to the software that is used to open different file types?

Correct! Wrong!

The " registry hive contains configuration information relating to which application is used to open various files on the system is the "HKEY_CLASSES_ROOT" hive. This hive in the Windows registry contains file extension associations and information about the default programs associated with specific file types.

Under the "HKEY_CLASSES_ROOT" hive, there are subkeys representing file extensions (e.g., ".txt" for text files, ".docx" for Microsoft Word documents). These subkeys contain values that specify the default program or application associated with that particular file extension.

Computer forensic investigator Carlo is. He was given an assignment by a company to look into a forensic case. The computer at the crime site was turned off when Carlo arrived at the company to investigate the location. What do you think Carlo ought to do in this situation?

Correct! Wrong!

In this scenario, when Carlo, the Computer Forensic Investigator, finds the computer at the crime scene switched off, he should follow the appropriate procedures to ensure the preservation of evidence.

The Inspect Pane can be used to view the file content of evidence files. To display file content, the View pane offers a number of tabs. Which of these tabs offers native views of the formats that Oracle supports outside of its own technology?

Correct! Wrong!

The "Doc" tab in the View pane provides native views of file formats that are supported by Oracle Outside In Technology.

Oracle Outside In Technology is a suite of software tools and libraries used for content access, extraction, and transformation. It enables viewing and processing of various file formats, including documents, spreadsheets, presentations, emails, images, and more.

Which of the following is a hard disk's smallest allocation unit? Depending on the formatting system, a hard disk can have anywhere between 2 and 32 tracks and sectors.

Correct! Wrong!

The smallest allocation unit on a hard disk is typically referred to as a "cluster." A cluster is a fixed-size group of sectors that is used by the file system to allocate and manage disk space. It represents the minimum amount of disk space that can be allocated to store a file, regardless of the file's actual size.

The specific size of a cluster can vary depending on factors such as the file system and the formatting options chosen during disk initialization. The cluster size is determined during the formatting process and can range from a few sectors to several kilobytes. The file system allocates clusters consecutively on the disk to store file data.

The gathering, evaluation, and reporting of evidence are standard investigation procedures that are automated and streamlined using Source Processor. Which of these source processor modules can access the target computer's disks and memory?

Correct! Wrong!

The Acquisition Module of a source processor is responsible for obtaining drives and memory from a target machine during an investigation. This module is designed to automate and streamline the process of collecting the necessary data and evidence from the target machine's storage devices and volatile memory (RAM).

The Acquisition Module may employ various techniques and tools to create forensic images or copies of the target machine's hard drives or solid-state drives (SSDs). It ensures that the original data is preserved and can be analyzed without altering or compromising the integrity of the evidence.

Which of these attack methods combines a dictionary attack and a brute-force attack to break a password?

Correct! Wrong!

A hybrid attack is an attack technique that combines elements of both a brute-force attack and a dictionary attack to crack a password. In a brute-force attack, the attacker systematically tries all possible combinations of characters until the correct password is discovered. This method is resource-intensive and time-consuming, especially for longer and more complex passwords

On the other hand, a dictionary attack involves using a pre-generated list of commonly used passwords or words from a dictionary to guess the password. This method is faster than a brute-force attack since it leverages a predefined set of likely passwords.

Related Content