
GD0-100 Guidance Software Certification Exam For ENCE North America Free Practice Exam Questions (2025 Updated)

Prepare effectively for your Guidance Software GD0-100 Certification Exam For ENCE North America certification with our extensive collection of free, high-quality practice questions. Each question is designed to mirror the actual exam format and objectives, complete with comprehensive answers and detailed explanations. Our materials are regularly updated for 2025, ensuring you have the most current resources to build confidence and succeed on your first attempt.

Page: 1 / 3
Total 176 questions

The following keyword was typed in exactly as shown. Choose the answer(s) that would result. All search criteria have default settings.

Keyword: Tom Jones

A. tom jones

B. Tom

C. Jones

D. Tom Jones

When a file is deleted in the FAT file system, what happens to the FAT?

A. The FAT entries for that file are marked as allocated.

B. Nothing.

C. It is deleted as well.

D. The FAT entries for that file are marked as available.

When a drive letter is assigned to a logical volume, that information is temporarily written to the volume boot record on the hard drive.

A. True

B. False

A hard drive was imaged using EnCase. The original drive was placed into evidence. The restore feature was used to make a copy of the original hard drive. EnCase verifies the restored copy using:

A. An MD5 hash

B. A 32-bit CRC

C. Nothing. Restored volumes are not verified.

D. A running log

You are assigned to assist with the search and seizure of several computers. The magistrate ordered that the computers cannot be seized unless they are found to contain any one of ten previously identified images. You currently have the ten images in JPG format. Using the EnCase methodology, how would you best handle this situation?

A. Use FastBloc or a network/parallel port cable to preview the hard drives. Go to the Gallery view and search for the previously identified images.

B. Use FastBloc or a network/parallel port cable to acquire forensic images of the hard drives, then search the evidence files for the previously identified images.

C. Use FastBloc or a network/parallel port cable to preview the hard drives. Conduct a hash analysis of the files on the hard drives, using a hash library containing the hash values of the previously identified images.

D. Use an EnCase DOS boot disk to conduct a text search for child porn.

Which is the proper formula for determining the size in bytes of a hard drive that uses cylinders (C), heads (H), and sectors (S) geometry?

A. C X H + S

B. C X H X S + 512

C. C X H X S X 512

D. C X H X S

EnCase uses the _________________ to conduct a signature analysis.

A. Both a and b

B. File signature table

C. Hash library

D. File viewers

What does the acronym BIOS stand for?

A. Basic Integrated Operating System

B. Basic Input/Output System

C. Binary Input/Output System

D. Binary Integrated Operating System

Calls to the C:\ volume of the hard drive are not made by DOS when a computer is booted with a standard DOS 6.22 boot disk.

A. False

B. True

In Unicode, one printed character is composed of ____ bytes of data.

A. 8

B. 4

C. 2

D. 1

The terms signature and header, as they relate to a signature analysis, are:

A. The signature is the file extension. The header is a standard pattern normally found at the beginning of a file.

B. Synonymous.

C. Areas compared with each other to verify the correct file type.

D. None of the above

Which of the following selections is NOT found in the case file?

A. External viewers

B. Pointers to evidence files

C. Signature analysis results

D. Search results

In hexadecimal notation, one byte is represented by _____ character(s).

A. 2

B. 1

C. 8

D. 4

To generate an MD5 hash value for a file, EnCase:

A. Computes the hash value including the logical file and filename.

B. Computes the hash value including the physical file and filename.

C. Computes the hash value based on the logical file.

D. Computes the hash value based on the physical file.

You are working in a computer forensic lab. A law enforcement investigator brings you a computer and a valid search warrant. You have legal authority to search the computer. The investigator hands you a piece of paper that has three printed checks on it. All three checks have the same check and account number. You image the suspect's computer and open the evidence file with EnCase. You perform a text search for the account number and check number. Nothing returns on the search results. You perform a text search for all other information found on the printed checks and there is still nothing returned in the search results. You run a signature analysis and check the gallery. You cannot locate any graphical copies of the printed checks in the gallery. At this point, is it safe to say that the checks are not located on the suspect's computer?

A. No. The images could be located in a compressed file.

B. No. The images could be embedded in a document.

C. No. The images could be in unallocated clusters.

D. No. The images could be in an image format not viewable inside EnCase.

E. All of the above.

Pressing the power button on a computer that is running could have which of the following results?

A. The computer will instantly shut off.

B. The computer will go into stand-by mode.

C. Nothing will happen.

D. All of the above could happen.

E. The operating system will shut down normally.

The case number in an evidence file can be changed without causing the verification feature to report an error, if:

A. The user utilizes a text editor.

B. The case information cannot be changed in an evidence file, without causing the verification feature to report an error.

C. The user utilizes the case information editor within EnCase.

D. The evidence file is reacquired.

Within EnCase, what is the purpose of the default export folder?

A. This is the folder that will be automatically selected when the copy/unerase feature is used.

B. This is the folder that will automatically store an evidence file when the acquisition is made in DOS.

C. This is the folder that temporarily stores all bookmark and search results.

D. This is the folder used to hold copies of files that are sent to external viewers.

You are conducting an investigation and have encountered a computer that is running in the field. The operating system is Windows XP. A software program is currently running and is visible on the screen. You should:

A. Navigate through the program and see what the program is all about, then pull the plug.

B. Pull the plug from the back of the computer.

C. Photograph the screen and pull the plug from the back of the computer.

D. Pull the plug from the wall.

If cluster #3552 entry in the FAT table contains a value of ?? this would mean:

A. The cluster is unallocated

B. The cluster is the end of a file

C. The cluster is allocated

D. The cluster is marked bad

Copyright © 2014-2025 Solution2Pass. All Rights Reserved