Answers to Review Questions - EnCase Computer Forensics (2012)

Appendix A

Answers to Review Questions

Chapter 1: Computer Hardware

1. C. A CPU is the central processing unit, which means it’s a microprocessor that performs data processing, in other words, interprets and executes instructions.

2. A. BIOS stands for Basic Input Output System and consists of all the low-level software that is the interface between the system hardware and its operating system. It loads, typically, from three sources: the ROM/BIOS on the motherboard; the various BIOS ROMs on video cards, SCSI cards, and so forth; and finally, the device drivers.

3. D. Power On Self-Test is a diagnostic test of the computer’s hardware, such as the motherboard, memory, CD-ROM drive, and so forth. POST does not test the computer’s software.

4. B. Information contained on a ROM chip, read-only memory, is not lost after the computer has been shut down.

5. B. Unlike a ROM chip, information contained on a computer’s RAM chip is not readily accessible after a proper shutdown.

6. A. Although not very common, information stored in the BIOS can change, such as when the BIOS needs to be upgraded to support new hardware.

7. A. Read-only memory (ROM) contains information about the computer, such as hardware configuration. Unlike RAM, the information is not lost once power is disconnected.

8. A. Information contained in RAM memory is considered volatile, which means the data is lost after the computer has been disconnected.

9. C. The answer is 24 drive letters (C-Z), with drive letters A and B reserved for floppy drives.

10. B. Data is written to sectors, and files are written to clusters.

11. E. Multiplying C, H, and S gives the total amount of sectors in older systems if the number of sectors per track is constant. When it’s not, total LBA sectors give total sectors. Multiplying the total number of sectors from the appropriate method by 512 bytes per sector gives the total number of bytes for the physical drive. Adding up the total size of partitions does not include areas outside the partitions, such as unused disk area.

12. C. A CD-RW (rewritable) drive is both an input and output device, as opposed to a CD drive, which only reads and inputs data to the computer system.

13. A. A bus performs two functions: it transports data from one place to another and directs the information where to go.

14. B. The motherboard is the main circuit board used to attach internal hardware devices to its connectors.

15. D. Integrated Drive Electronics (IDE), Small Computer System Interface (SCSI), and Serial Advanced Technology Attachment (SATA) describe different hard drive interfaces.

16. C. Master, Slave, and Cable Select are settings for internal devices such as IDE hard drives and CD drives to identify and differentiate the devices on the same channel.

17. A. SATA and SCSI hard drives do not require jumper setting configurations.

18. A. The master boot record is always located at the first physical sector on a hard drive. This record stores key information about the drive itself, such as the master partition table and master boot code.

19. B. The first sector on a volume is called the volume boot record or volume boot sector. This sector contains the disk parameter block and volume boot code.

20. D. All are true statements, except for a portion of D. The partition table is contained within the MBR and consists of a total of 64 bytes, not 16 bytes, which describes up to four partitions using 16 bytes each to do so, not 4 bytes each.

Chapter 2: File Systems

The word “FAT” applies to FAT12, FAT16, and FAT32 file systems, unless exFAT is specifically mentioned.

1. B. The file allocation table is created by the file system during format and contains pointers to clusters located on a drive.

2. D. When the FAT marks a cluster as being bad, the entire cluster is prevented from being written to.

3. D. A partition table is located in the master boot record and is always located in the very first sector of a physical drive. The partition table keeps track of the partitions located on the physical drive.

4. A. The FAT assigns numbers to each cluster entry pointing to the next cluster in the cluster run until the last cluster is reached, which is marked as EOF.

5. D. When the FAT marks a cluster as 0, it is in unallocated clusters, which means it is freely available to store data.

6. D. The volume boot record is always located at the first sector of its logical partition and contains the BIOS parameter block and volume boot code.

7. D. The NTFS file system supports long filenames, compresses files and directories, and supports file sizes in excess of 4 GB.

8. D. A FAT32 file system theoretically allows up to 2^28 = 268,435,456 clusters. The extra 4 bits are reserved by the file system, however, and there is an MBR-imposed limit of 67,092,481 clusters, which means FAT32 is capable of supporting a partition size of 2 terabytes.

9. C. The FAT tracks the location of the last cluster for a file (EOF), while the directory entry maintains the file’s starting cluster number.

10. B. Each volume maintains two copies (one for backup): FAT1 and FAT2.

11. D. A, B, and C are all true statements regarding NTFS; however, there is no FAT in an NTFS file system. FAT is an element of the FAT file system.

12. B. A file’s physical size is the number of bytes to the end of the last cluster, and a file’s logical size is the number of bytes that the actual file contains. A file’s physical size can be the same as its logical size.

13. A. A directory entry in a FAT file system has no logical size.

14. D. In a FAT file system, each directory entry is 32 bytes in length.

15. B. Because directory entries are just names with no logical size and because they do not contain any actual data, EnCase displays the information in red.

16. D. The area between a file’s logical size and its physical size is commonly referred to as slack space.

17. A. The directory structure records the file’s information, the FAT tracks the number of clusters allocated to the file, and the file’s data is written into the assigned clusters.

18. C. EnCase recovers deleted files by first obtaining the file’s starting cluster number and its size from the directory entry. Then, EnCase determines the number of clusters needed based on the file’s size and attempts to recover the data from the starting extent through the number of clusters needed.

19. C. When EnCase determines that the starting cluster listed in the FAT has been reassigned to an existing file, it reports the previously deleted file as being overwritten.

20. A. All are true regarding exFAT except A, since cluster allocation is not tracked by the FAT but rather by an allocation bitmap.

Chapter 3: First Response

1. A. Without consideration for your own personal safety, none of the other considerations can be accomplished.

2. E. When responding to a facility, your most helpful ally is prior knowledge of the location, its hours of activity, and the people who occupy it.

3. E. When responding to a facility, having prior knowledge of the types and functions of the computers and their locations will help reduce any unforeseen complications, thus easing the task.

4. C. Pulling the plug on a workstation, unlike doing so on a server, will not lose any critical information.

5. A. Unlike with a Windows desktop computer, certain information may not be recovered if a server is not properly shut down. It is best to properly shut down a Windows server and document your actions.

6. A. Unix/Linux machines can store critical information that may be lost if the machine is improperly shut down.

7. A. When unplugging a desktop computer, it is best to unplug a power cord from the back of the computer at the power supply. Unplugging a cord from the outlet connected to an uninterruptible power supply (UPS) will not shut down the computer.

8. D. Removing both the power cord (AC) and the battery (DC) will ensure that no electricity is being fed to the computer.

9. C. A Mac should generally be shut down by pulling the power plug from the back of the computer.

10. D. The best way to shut down a Linux/Unix system is to perform a proper shutdown using the operating system.

11. E. When the system is shut down normally or the plug is pulled, all the other live system-state data mentioned is lost.

12. C. A plastic garbage bag has properties that are conducive to static electricity discharge, which could damage sensitive computer components, including media.

13. E. In all circumstances described, the best course of action would be a normal shutdown, and thus pulling the plug is considered best practice for any of these.

14. E. The evidence steps described here are an important component in maintaining the chain of custody and hence the integrity of the evidence.

15. B. In a business setting, anything is possible. A large business database could be hosted on a Windows 7 Enterprise operating system, as could a number of other critical applications, which include access control systems, critical process control software, life-support systems, life-safety alarm monitoring, and so forth.

16. C. Generally, unless configured otherwise, you must be root to shut down a Linux/Unix system in a production environment. This prevents a typical user from stopping the system and halting mission-critical computing processes.

17. E. Certain information may not be retrievable after the system has been shut down. Given that, it is acceptable to access a system to retrieve information of evidentiary value as long as the actions are justified, documented, and explained.

18. D. Microsoft PC operating systems use backslashes (\) for the directory path structure, whereas Linux/Unix uses forward slashes (/) for the same purpose.

19. B. Although most of the time the network administrator knows much more about the computers than the responding examiner and may be of great help, requesting that person’s assistance may be detrimental to the investigation if the network administrator is the target of the investigation. As part of your preplanning, you must determine whether the administrator is part of the problem or part of the solution before you make such an approach.

20. E. Upon leaving the scene of a search, you should leave behind a copy of the signed search warrant and a list of items seized.

Chapter 4: Acquiring Digital Evidence

1. C. When partitions have been removed or the partitions are not recognized by Linux, EnCase still recognizes the physical drive and acquires it as such.

2. B. LinEn does not have a built-in write blocker. Rather, it relies upon Linux’s automount feature having been disabled.

3. B. Although EnCase only examines the contents within the evidence files, it is still good forensic practice to wipe/sterilize each hard drive prior to reusing it to eliminate the argument of possible cross-contamination.

4. E. You should suspect an HPA or a DCO. Booting with LinEn or using Tableau or FastBloc SE should enable you to see all sectors.

5. C. Digital evidence must be treated like any other evidence, and a chain of custody must be established to account for everyone who has access to the property.

6. A and B. HPA stands for Host Protected Area and is not normally seen by the BIOS. It was introduced in the ATA-4 specification, not ATA-6, and is seen when directly accessed via the Direct ATA mode.

7. E. All are correct statements with regard to DCO.

8. C. LinEn runs on the Linux OS, and the user must be the root user to successfully work with LinEn.

9. B. When reacquiring an image, the MD5 of the original data stream remains the same despite the compression applied.

10. B. When reacquiring, you can change the compression, you can add or remove a password, you can change the file segment size, you can change the block and error granularity sizes, or you can change the start and stop sectors. Other properties can’t be changed.

11. F. All of the above are correct answers. Linux can read or write to both FAT and NTFS file systems.

12. B and D. Here, hdb2 refers to the second partition on the primary slave.

13. B, C, and D. Linux will name an IDE device, normally, with hda, hdb, hdc, or hdd, to denote their position on the ATA controller (primary master, primary slave, secondary master, secondary slave, respectively). sdb is the second SCSI device, and since Linux calls USB or FireWire devices SCSI devices, any of the three (B, C, or D) could be represented by sdb.

14. F. All are methods of write-protecting USB devices, some arguably better than others, but methods nevertheless.

15. A, B, C, and D. All of these statements are true regarding EnCase Portable.

16. B. LinEn can’t be run under DOS and can’t be run under Windows. Rather, LinEn must be run under the Linux OS.

17. C. The level of support for USB, FireWire, SCSI, and other devices is totally dependent on the Linux distribution being used to run LinEn. For the most support, try to use the latest Linux distribution available.

18. B. CDs can be safely acquired in the Windows environment.

19. A, B, C, and D. A FIM can be licensed only to law enforcement or military customers. All other statements are correct.

20. A. Only A is correct. LinEn has no onboard drivers for write blocking, relying on the host OS to have its automount feature disabled. LinEn can’t format to any format because formatting is not included within the tool. EnCase for DOS contained an unlock feature by which the target drive was unlocked for writing. LinEn contains no such feature.

Chapter 5: EnCase Concepts

1. D. An EnCase evidence file is a bitstream image of a source device such as a hard drive, CD-ROM, or floppy disk written to a file (.Ex01) or several file segments (.Ex02, .Ex03, and so on).

2. D. EnCase writes a CRC value for every 64 sectors copied, by default. If the block size has been increased, the CRC frequency will be adjusted accordingly.

3. D. The smallest file size that an EnCase evidence file can be saved as is 30 MB.

4. D. The largest file size that an EnCase evidence file can be saved as is now 8,589,934,588 GB with EnCase 7. Naturally the file system storing the file must support this file size.

5. A. EnCase compares the MD5 hash value (alternatively SHA-1 or both) of the source device to the MD5 hash value (alternatively SHA-1 or both) of just the data stored in the evidence file, not the entire contents of the evidence file, such as case information and CRC values of each data block.

6. C. EnCase calculates a CRC value for the case information, which is verified when the evidence file is added to a case.

7. B. When an evidence file is added to a case, EnCase verifies both the CRC and MD5 hash values (alternatively SHA-1 or both). All acquisition values (CRCs and hashes) must match the recalculated verification values.

8. C. The MD5 hash algorithm produces a 128-bit value.

9. E. Starting with EnCase 7.04, the backup process has been greatly enhanced and .cbak files are no longer used, making A no longer correct. Options B and C are true statements regarding the backup process.

10. B. EnCase will no longer (as of version 5) detect corrupted data on the fly. Therefore, EnCase will show and allow corrupted data to be searched, bookmarked, and so on. Post-verification corruption, although rare, can occur, and therefore every case should be subjected to verification at the end of the case to assure no corruption has occurred.

11. D. The evidence file size can be changed during a reacquire.

12. B. EnCase can verify independent evidence file segments by comparing the CRC values of the data blocks. This function is accessed from the Tools menu and is called Verify Evidence Files.

13. D. EnCase does not write to the evidence file after the acquisition is complete.

14. D. As with any forensic tool, the investigator should test the tools to better understand how the tool performs and to verify that it is functioning properly.

15. A. Compressing an evidence file does not change its MD5 and/or SHA-1 hash value(s).

16. B. The three parts are the Ev2 Header, Data, and Link Record. There is no such part called CRC record.

17. A. An EnCase evidence file’s logical filename can be renamed without affecting the verification of the acquired evidence.

18. A. EnCase evidence files can be moved without affecting the file verification.

19. C. When an evidence file has moved from the previous path, EnCase will prompt for the new location of the evidence file.

20. A, B, D, and E. All may be changed during reacquisition with the exception of the investigator’s name.

Chapter 6: EnCase Environment

1. A. You must first create a new case before the Add Device option is available.

2. C. EnCase 7 creates Email, Export, Tags, and Temp. The Evidence folder would have to be created manually by the user if the user opted to place it in this location.

3. E. A, B, C, and D can all be carried out from the Home screen.

4. E. The Case Options dialog box asks for all the options listed when a new case is created.

5. B. The data in the File Types database (stored in the FILETYPES.INI file) determines which file types will be opened by which viewers upon double-clicking or opening the file.

6. C. External viewers are programs that EnCase uses to open specific file types and are configured by the user.

7. D. The VIEWERS.INI file stores information on external programs that EnCase uses to open specific file types.

8. C. When EnCase sends a file to an external viewer, the file is placed in the temp folder.

9. B. It is launched as an option from the Device menu.

10. D. All are true regarding the Gallery view.

11. A. The right-side menu is a collection of the menus and tools found on the toolbar to its left. It is akin to the content formerly found on the right-click mouse button.

12. B. When a filter or condition is run, the results are shown in the Results view or tab.

13. C. To adjust the number of minutes between backup file saves, select Tools in the menu bar, select Options, and then change the time in the Auto Save Minutes box on the Global tab of the resulting dialog box.

14. C. EnCase allows the user to sort up to six columns in the Table view tab.

15. C. The user can use either method to reverse-sort on a column.

16. E. All four methods will hide selected columns from the Table view.

17. B. The Gallery view displays images based on the File Category - Picture setting, which is determined by file extensions until such time that a file signature analysis is run.

18. C. When a signature analysis is performed, EnCase will update or correct the file category to Picture, in this particular case, based on the information contained in the file header.

19. D. A user can change the way colors and fonts appear by selecting the Tools tab and then clicking Options to change colors and fonts.

20. A. Navigation Data (also called the GPS bar in the field) displays the selected data’s exact location, including the full path, physical sector, logical sector number, cluster number, sector offset, and file offset.

Chapter 7: Understanding, Searching For, and Bookmarking Data

1. C. Binary is a numbering system consisting of 0 and 1 used by computers to process information.

2. A. Bi refers to two; therefore, a bit can have only two values, 0 or 1.

3. C. A byte consists of 8 bits or two 4-bit nibbles, commonly referred to as the left nibble and right nibble.

4. D. 2^8 is 2 × 2 eight times, or 2 × 2 × 2 × 2 × 2 × 2 × 2 × 2 = 256.

5. A. Values expressed with the letter h as a suffix are hexadecimal characters. EnCase can display the letter A in text or hexadecimal formats.

6. B. Starting from the right, the bits are “on” for bit positions 1 and 8, which totals 9.

7. C and D. A Dword is a 32-bit value. A is incorrect because it depicts 8 binary bits or one byte. B is incorrect because it depicts 4 binary bits or one nibble. C is correct because it represents four hexadecimal values with each being 8 bits (4 × 8 = 32 bits). D is correct because it represents 32 binary bits.

8. D. 2^7 is 2 × 2 seven times or 2 × 2 × 2 × 2 × 2 × 2 × 2 = 128, while 2^16 is 2 × 2 sixteen times = 65,536.

9. C. A device must be an image or be acquired first by the EnCase Evidence Processor. Live devices can be subjected to direct processing by the EnCase Evidence Processor. Red flags denote items that must be run during the first run of the processor. If you don’t run them then, you can’t run them later. It’s now or never, so to speak.

10. C. EnCase performs a search not only of logical files but of the entire disk to include unallocated clusters and unused disk areas outside the logical partition.

11. B. By default, the Case Sensitive option is not selected; therefore, search terms are not case sensitive unless you select that option.

12. A. By selecting the Unicode box, EnCase will search for both ASCII and Unicode formats.

13. D. EnCase can perform both physical searches as well as logical searches for keyword(s) that span noncontiguous clusters.

14. E. Since the entry allows for characters to precede and follow the keyword and the default setting does not have the Case Sensitive option enabled, all the selections apply.

15. C. The GREP symbol ^ means to exclude the following characters. So, the GREP expression in the question excludes the alpha characters (a through z) before and after the keyword but will find nonalpha characters such as numbers.

16. B. The GREP expression in the question permits a hexadecimal range from 00 through 07 followed by hexadecimal values 00 00 00 and any other characters.

17. A. This index search expression calls first for a case-sensitive search, because of the <c>. The npre/3 means at least three words apart and Saddam must precede Hussein. Only A meets this query.

18. A. The GREP expression [^#] means that it cannot be a number, meaning the first character and last character following the 9 can’t be numbers. Therefore, A will not return as a search hit because the number 0 follows the number 9.

19. C. The highlighted data bookmark is a sweep or highlight of a specific text fragment.

20. A and C. An index is required first before searching but is created by the EnCase Evidence Processor and not by an EnScript named Create Index. Queries are case insensitive, by default, but do have the ability to be case sensitive if preceded by <c>.

Chapter 8: File Signature Analysis and Hash Analysis

1. D. A signature analysis will compare a file’s header or signature to its file extension.

2. A. A file header identifies the type of file and is located at the beginning of the file’s data area.

3. C. The Windows operating system uses a file’s extension to associate the file with the proper application.

4. B. Unix (including Linux) operating systems use a file’s header information to associate file types to specific applications.

5. D. When determining which application to use to open a file, Mac OS X gives first precedence to “user defined” settings, second precedence to creator code metadata, and third precedence to filename extensions. If none of these are present, other rules come into play.

6. A. Information about a file’s header and extension is saved in the FileTypes.ini file.

7. B. When a file’s signature is unknown and a valid extension is present, EnCase will display the status as being Bad Signature.

8. A. When a file’s signature is known and an inaccurate file extension is present, EnCase reports Alias in the Signature Analysis column, displays the true signature in the Signature column, and may update the Category column.

9. D. When a file’s signature is known and an accurate file extension is present, EnCase will display the result as a Match.

10. C. When a file’s signature and extension are not recognized, EnCase will display the result as Unknown.

11. A. A unique file header can share multiple file extensions. An example of such a case is a .jpeg or .jpg file, which shares the same file header \xFF\xD8\xFF[\xFE\xE0\xE1].

12. C. A user can manually add new file headers and extensions by accessing the File Types view and creating a new entry, with new header and extension.

13. D. An MD5 hash is a 128-bit hash value, and the odds of two different files having the same value are one in 2^128. A file’s MD5 hash value is based on the file’s data area, not its filename, which resides outside the data area.

14. D. EnCase can calculate hash values for any of the options listed.

15. B. EnCase 7 allows two hash libraries to be applied to a case at any given time.

16. B. Merely changing a file’s name will not affect its MD5 or SHA1 hash value because the hash value is based on the file’s data, not its filename.

17. A. These hash sets have been produced from known safe sources and are categorized as Known. In most cases, they are nonevidentiary and can be ignored when conducting searches and other analyses.

18. B. Evidentiary files or files of interest are usually categorized as Notable.

19. A. Regardless of the MD5 or SHA1 hashing utility, the hash value generated will have the same result, because the MD5 or SHA1 hash is an industry-standard algorithm.

20. C. A hash library is comprised of hash sets, which are comprised of hash values.

Chapter 9: Windows Operating System Artifacts

1. E. Operating system artifacts serve as information used by the computer to fulfill certain user- and system-specific requirements and needs.

2. C. A FAT file system stores date and time stamps in local time while the NTFS file system stores date and time stamps in GMT.

3. B. Windows stores the time zone offset in the registry.

4. D. If it is a Windows Vista (or beyond) Recycle Bin, the date and time when the file was deleted is saved in the $I index file that corresponds with the deleted file. If it is a pre-Vista operating system, when a file is sent to the Recycle Bin, the date and time of when the file was deleted is saved in the INFO2 file.

5. D. When a file is sent to the Recycle Bin, Windows changes the short filename to D for Deleted, followed by the drive letter and the index number. The file extension for the deleted file remains the same.

6. B. When a user opens a document, a link file bearing the document’s filename is created in the Recent folder.

7. E. Link files are shortcuts to a variety of items such as programs, documents, folders, and devices such as removable media.

8. B. In NTFS, information unique to a specific user is stored in the NTUSER.DAT file.

9. C. By default, the My Recent Documents folder displays 15 recently opened documents; however, the actual folder may contain hundreds more.

10. D. A specific user’s desktop items are located in the path C:\Users\%User%\Desktop in a Windows 7 operating system.

11. A. When the system goes into hibernation, the contents of RAM are written to the file hiberfil.sys, which is the exact size of RAM and located in the root of the system drive.

12. E. Evidence of web-based email is commonly viewed but not saved. Therefore, its contents may be found in the Temporary Internet Files folder, Unallocated Clusters, or the pagefile.sys and hiberfil.sys folders.

13. A. The Favorites folder contains link files that direct the browser to certain websites. These link files usually have a name that describes the website followed with the .url extension.

14. B. Information about an Internet cookie such as the URL name, date and time stamps, and pointers to the actual cookie are stored in the index.dat file.

15. A. The swap file is saved as WIN386.SWP in a Windows 98 machine and as pagefile.sys in Windows XP and newer.

16. C. The .spl, or spool, file contains an image of what is sent to the printer to be printed.

17. D. The two printing modes in Windows are RAW and EMF.

18. A. Even though Windows deletes the EMF file after a print job has been completed, EnCase may still be able to recover the file by doing a search of its unique header information.

19. C. The Recycle Bin does not contain an index.dat file; in Windows 2000/XP, it contains the INFO2 file.

20. D. The Temporary Internet Files directory contains all the previously mentioned items.

Chapter 10: Advanced EnCase

1. E. The first 63 sectors of a hard drive are reserved for the MBR even though its contents are contained in the very first sector.

2. D. The first sector of a formatted hard drive with an operating system is referred to as a boot sector, which contains the MBR and is located at absolute sector 0.

3. C. The partition table allows for four logical partitions. It consists of 64 bytes, and each of the four partitions is described by a 16-byte string.

4. D. The first sector of a partition contains the volume boot record.

5. B. EnCase can still recover deleted partitions if you point to the first sector of the partition, which is the volume boot record, and select the Add Partition command from the Partition menu.

6. C. When a hard drive is formatted with an NTFS partition, a backup of the VBR is stored in the last sector of the partition.

7. E. These file types are all examples of compound files whose contents EnCase is able to display in a hierarchical format.

8. A. The other master key is HKEY_USERS. The other choices are derived keys that are linked to keys within the two master keys.

9. C. Each time a profile or username is created, the NTUSER.DAT file is also created for the specific profile. This compound file is stored locally in the root of C:\Users\%USERNAME%.

10. B. In an NTFS file system, the date and time stamps recorded in the registry are recorded in GMT, which is then displayed in local time based on the system’s time zone settings.

11. A. Since EnScript is a proprietary programming language, it is designed to function properly only in the EnCase environment.

12. B. Although EnScript was developed by Guidance Software, anyone with computer programming skills and knowledge of the programming language can develop their own EnScripts.

13. A. Since filters are in essence EnScripts, any user can modify an existing filter or create their own.

14. E. EnCase 7 can recognize and parse all these types of emails.

15. C. EnCase 7 allows the user to view the contents of compound files containing emails either by selecting View File Structure or by running Find Email from within the EnCase Evidence Processor. While both will allow viewing the compound file, per se, only the latter method will send the output to the Records view.

16. B. Contents of web-based emails may reside in areas such as Temporary Internet History, cache (pagefile.sys), hiberfil.sys, and unallocated clusters. Using the web mail finder option from the File Carver, EnCase can locate web mail fragments.

17. D. Microsoft Windows 7 Home Edition does not include the EFS feature nor does it support BitLocker.

18. E. The VFS module can also mount data at the case, disk or device, volume, and folder levels.

19. E. The Physical Disk Emulator can mount volumes and physical disks in the Windows environment; however, it does not mount cases or folders.

20. A. When a user selects the VFS module, EnCase will prompt the user with a Mount As Network Share dialog box. When a user selects the PDE module, EnCase will prompt the user with a Mount As Emulated Disk dialog box.