A30-327 Exam - AccessData Certified Examiner


Free demo questions for AccessData A30-327 Exam Dumps Below:

NEW QUESTION 1
After creating a case, the Encrypted Files container lists EFS files. However, no decrypted sub-items are present. All other necessary components for EFS decryption are present in the case. Which two files must be used to recover the EFS password for use in FTK? (Choose two.)

  • A. SAM
  • B. system
  • C. SECURITY
  • D. Master Key
  • E. FEK Certificate

Answer: AB

NEW QUESTION 2
When using FTK Imager to preview a physical drive, which number is assigned to the first logical volume of an extended partition?

  • A. 2
  • B. 3
  • C. 4
  • D. 5

Answer: D

NEW QUESTION 3
How can you use FTK Imager to obtain registry files from a live system?

  • A. You use the Export Files option.
  • B. You use the Advanced Recovery option.
  • C. Registry files cannot be exported from a live system.
  • D. You use the Protected Storage System Provider option.

Answer: A

NEW QUESTION 4
When adding data to FTK, which statement about DriveFreeSpace is true?

  • A. Mastered
  • B. Not Mastered

Answer: A

NEW QUESTION 5
A. highlight the data and select the Hex Value Interpreter tab

  • A. highlight the data, right-click on the highlighted data and select the Show Hex Interpreter Window
  • B. select the Hex Value Interpreter tab, highlight the data, right-click on the data to initiate the Hex Interpreter
  • C. right-click on the data area and select the Show Hex Interpreter Window and highlight the data you want to interpret

Answer: B

NEW QUESTION 6
Which three items are displayed in FTK Imager for an individual file in the Properties window? (Choose three.)

  • A. flags
  • B. filename
  • C. hash set
  • D. timestamps
  • E. item number

Answer: ABD

NEW QUESTION 7
When using PRTK to attack encrypted files exported from a case, which statement is true?

  • A. PRTK will request the user access control list from FTK.
  • B. PRTK will generate temporary copies of decrypted files for printing.
  • C. FTK will stop all active jobs to allow PRTK to decrypt the exported files.
  • D. File hash values will change when they are saved in their decrypted format.
  • E. Additional interoperability between PRTK and NTAccess becomes available when files begin decrypting.

Answer: D

NEW QUESTION 8
Which statement is true about Processes to Perform in FTK?

  • A. Processing options can be chosen only when adding evidence.
  • B. Processing options can be chosen during or after adding evidence.
  • C. Processing options can be chosen only after evidence has been added.
  • D. If processing is not performed while adding evidence, the case must be started again.

Answer: B

NEW QUESTION 9
To obtain protected files on a live machine with FTK Imager, which evidence item should be added?

  • A. image file
  • B. currently booted drive
  • C. server object settings
  • D. profile access control list

Answer: B

NEW QUESTION 10
You examine evidence and flag several graphic images found in different folders. You now want to bookmark these items into a single bookmark. Which tab in FTK do you use to view only the flagged thumbnails?

  • A. Explore tab
  • B. Graphics tab
  • C. Overview tab
  • D. Bookmark tab

Answer: C

NEW QUESTION 11
Which two statements are true? (Choose two.)

  • A. PRTK can recover Windows logon passwords.
  • B. PRTK must run in conjunction with DNA workers to decrypt EFS files.
  • C. PRTK and FTK must be installed on the same machine to decrypt EFS files.
  • D. EFS files must be exported from a case and provided to PRTK for decryption.

Answer: AC

NEW QUESTION 12
What is the most effective method to facilitate successful password recovery?

  • A. Mastered
  • B. Not Mastered

Answer: A

NEW QUESTION 13
Which Registry Viewer function would allow you to automatically document multiple unknown user names?

  • A. Add to Report
  • B. Export User List
  • C. Add to Report with Children
  • D. Summary Report with Wildcard

Answer: D

NEW QUESTION 14
What is the purpose of the Golden Dictionary?

  • A. maintains previously created level information
  • B. maintains previously created profile information
  • C. maintains a list of the 100 most likely passwords
  • D. maintains previously recovered passwords

Answer: D

NEW QUESTION 15
Which two image formats contain an embedded hash value for file verification? (Choose two.)

  • A. E01
  • B. S01
  • C. ISO
  • D. CUE
  • E. 001 (dd)

Answer: AB

NEW QUESTION 16
Which statement is true about using FTK Imager to simultaneously create multiple images of a single source?

  • A. In the Image Creation Wizard, you should select the Add Additional Drives option.
  • B. You should use the Create Multiple Images option to create server image objects.
  • C. You should note the evidence item source signature and add it to the Image View pane.
  • D. In the Image Creation Wizard, you should add multiple destination jobs from the same source prior to beginning image creation.

Answer: D

NEW QUESTION 17
In FTK, which tab provides specific information on the evidence items, file items, file status and file category?

  • A. E-mail tab
  • B. Explore tab
  • C. Overview tab
  • D. Graphics tab

Answer: C

NEW QUESTION 18
Which two Registry Viewer operations can be conducted from FTK? (Choose two.)

  • A. list SAM file account names in FTK
  • B. view all registry files from within FTK
  • C. create subitems of individual keys for FTK
  • D. export a registry report to the FTK case report

Answer: BD

NEW QUESTION 19
What are two functions of the Summary Report in Registry Viewer? (Choose two.)

  • A. Mastered
  • B. Not Mastered

Answer: A

NEW QUESTION 20
What are three types of evidence that can be added to a case in FTK? (Choose three.)

  • A. local drive
  • B. registry MRU list
  • C. contents of a folder
  • D. acquired image of a drive
  • E. compressed volume files (CVFs)

Answer: ACD

NEW QUESTION 21
While analyzing unallocated space, you locate what appears to be a 64-bit Windows date and time. Which FTK Imager feature allows you to display the information as a date and time?

  • A. INFO2 Filter
  • B. Base Converter
  • C. Metadata Parser
  • D. Hex Value Interpreter

Answer: D

NEW QUESTION 22
You create two evidence images from the suspect's drive: suspect.E01 and suspect.001. You want to be able to verify that the image hash values are the same for suspect.E01 and suspect.001 image files. Which file has the hash value for the Raw (dd) image?

  • A. suspect.001.txt
  • B. suspect.E01.txt
  • C. suspect.001.csv
  • D. suspect.E01.csv

Answer: A
