
A30-327 AccessData Certified Examiner Questions and Answers

Question # 4

When previewing a physical drive on a local machine with FTK Imager, which statement is true?

A. FTK Imager can block calls to interrupt 13h and prevent writes to suspect media.

B. FTK Imager can operate from a USB drive, thus preventing writes to suspect media.

C. FTK Imager can operate via a DOS boot disk, thus preventing writes to suspect media.

D. FTK Imager should always be used in conjunction with a hardware write protect device to prevent writes to suspect media.

Question # 5

You are using FTK to process e-mail files. In which two areas can E-mail attachments be located? (Choose two.)

A. the E-mail tab

B. the From E-mail container in the Overview tab

C. the Evidence Items container in the Overview tab

D. the E-mail Messages container in the Overview tab

Question # 6

During the execution of a search warrant, you image a suspect drive using FTK Imager and store the Raw (dd) image files on a portable drive. Later, these files are transferred to a server for storage. How do you verify that the information stored on the server is unaltered?

A. open and view the Summary file

B. load the image into FTK and it automatically performs file verification

C. in FTK Imager, use the Verify Drive/Image function to automatically compare a calculated hash with a stored hash

D. use FTK Imager to create a verification hash and manually compare that value to the value stored in the Summary file

Question # 7

You are converting one image file format to another using FTK Imager. Why are the hash values of the original image and the resulting new image the same?

A. because FTK Imager's progress bar tracks the conversion

B. because FTK Imager verifies the amount of data converted

C. because FTK Imager compares the elapsed time of conversion

D. because FTK Imager hashes only the data during the conversion

Question # 8

To obtain protected files on a live machine with FTK Imager, which evidence item should be added?

A. image file

B. currently booted drive

C. server object settings

D. profile access control list

Question # 9

You are attempting to access data from the Protected Storage System Provider (PSSP) area of a registry. How do you accomplish this using PRTK?

A. You drop the SAM file onto the PRTK interface.

B. You drop the NTUSER.dat file onto the PRTK interface.

C. You use the PSSP Attack Marshal from Registry Viewer.

D. This area cannot be accessed with PRTK as it is a registry file.
